Certificate Management¶
nethserver-base provides a set of templates that output PEM-formatted certificate parts:
- certificate/key RSA private key
- certificate/crt public certificate
- certificate/pem both key+crt parts
Configuration is inside the configuration
database. Example:
pki=configuration
KeyFile=
CrtFile=
ChainFile=
CertificateDuration=365
CommonName=
A certificate consumer daemon should expand those templates to its own
certificate paths, by installing the proper configuration under
/etc/e-smith/templates.metadata
.
For instance nethserver-httpd adds the following template configuration:
/etc/e-smith/templates.metadata/etc/pki/tls/private/localhost.key
TEMPLATE_PATH="certificate/key"
OUTPUT_FILENAME="/etc/pki/tls/private/localhost.key"
PERMS=0600
UID="root"
GID="root"
/etc/e-smith/templates.metadata/etc/pki/tls/certs/localhost.crt
TEMPLATE_PATH="certificate/crt"
OUTPUT_FILENAME="/etc/pki/tls/certs/localhost.crt"
PERMS=0600
UID="root"
GID="root"
Set OUTPUT_FILENAME
, PERMS
, UID
and GID
values according
to daemon configuration.
Default behavior¶
By default, CrtFile
and KeyFile
properties have empty values. In
this case, nethserver-base
generates a self-signed certificate
during nethserver-base-update
event.
Default SELinux-aware certificate locations are:
/etc/pki/tls/private/NSRV.key
: private key/etc/pki/tls/certs/NSRV.crt
: CA certificate
A daily cron job checks certificate validity. If expired, the
self-signed certificate is re-generated and certificate-update
event
is signaled.
Default certificate duration is set to 365 days. To change it:
db configuration setprop pki CertificateDuration 3650
The certificate Common Name is set to system FQDN. To override this value type:
db configuration setprop pki CommonName custom.cn