ca

ca.git
git clone git://git.lenczewski.org/ca.git

commit 47cca299a50148371ef71f99f85ee50f134a1fca
parent c10815f7f0f0e0be97606fef49ac55883ae6416d
Author: Mikołaj Lenczewski <mikolaj@lenczewski.org>
Date:   Tue,  5 May 2026 02:30:17 +0100

Improve README

Diffstat:
M README | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+), 0 deletions(-)

diff --git a/README b/README @@ -5,3 +5,74 @@ and generating signed certificates for use with email and other services. Taken from the excellent website: https://jamielinux.com/docs/openssl-certificate-authority/index.html + +ca: Usage +------------------------------------------------------------------------------ +First, fill out the relevant `*.txt` configuration files. Note the that CRL and +OCSP URIs are expected to be sans `http://` prefix. + +Then, initialise the root CA: + +``` +$ ./init-ca.sh +``` + +Then, create one or more intermediate CAs: + +``` +$ ./make-intermediate-ca.sh +``` + +If desired, the individual certificates (rsa, ecc, or both) for any given +intermediate CA can be revoked: + +``` +$ ./revoke-intermediate-ca.sh ca/intermediate/current/cert/intermediate.ecc.crt.pem +``` + +To create a client or server certificate, use the `make-cert.sh` script: + +``` +$ ./make-cert.sh server www.example.com +``` + +To add additional x509 fields, simply append `key=val` pairs to the arguments: + +``` +$ ./make-cert.sh client Alice 'emailAddress=alice@example.com' x500UniqueIdentifier=alice +``` + +To change the default PCKS#12 password (from 'password'), set the following +environment variable: + +``` +$ PCKSPASS="mypass" ./make-cert.sh ... +``` + +To create an RSA key and certificate, as opposed to an ECC one, set the following +environment variable: + +``` +$ ECC=0 ./make-cert.sh ... +``` + +To change the number of days the certificate is valid for, set the following +environment variable: + +``` +$ DAYS=365 ./make-cert.sh ... +``` + +To revoke a previously generated client or server certificate, simply +provide the type of certificate, and the FQDN (i.e. common name), to the +`revoke-cert.sh` script: + +``` +$ ./revoke-cert.sh client Alice +``` + +To regenerate the entire CA chain, and all certificates, simply remove the +`ca/` and `certs/` directories. + +By default, the intermediate CA is configured for OCSP, and the root CA is +configured for CRLs.
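Review bot: the added usage text misspells the standard's name as "PCKS#12" in "To change the default PCKS#12 password (from 'password')"; it is PKCS#12. If make-cert.sh really reads the variable as `PCKSPASS`, keep the variable name the script expects, but fix the standard's name in the prose (and consider renaming the variable to something like PKCS12PASS in the script in a follow-up so the README does not have to document a typo). The same paragraph deserves a stronger warning: a default bundle password of 'password' means the private key inside the .p12 is effectively unprotected, so state that anyone handing out bundles must set the variable rather than rely on the default. Smaller points in the same hunk: "Note the that CRL and OCSP URIs" has a stray "the"; "provide the type of certificate, and the FQDN (i.e. common name)" is only an FQDN for server certificates, and the example right below passes "Alice" for a client, so say "the common name (the FQDN for server certificates)"; and "simply remove the `ca/` and `certs/` directories" silently deletes the root CA private key and invalidates every certificate already issued, which is worth saying explicitly along with a suggestion to back up `ca/` first.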