Update PWA ssl cert instructions perfsonar/psconfig-web#79
apertome committed Jan 25, 2019
1 parent 06adfc6 commit 41b7a7c
Showing 1 changed file with 19 additions and 6 deletions.
25 changes: 19 additions & 6 deletions pwa_readme.rst
Expand Up @@ -130,21 +130,34 @@ downloading and deploying PWA's default configuration files from git repo.
Host Certificates
~~~~~~~~~~~~~~~~~

You will need SSL certificates for https access. If these don't already exist, they will be created when you start up the ``sca-auth`` docker container.
You will need SSL certificates for https access.

In ``/etc/pwa/auth``\ , you should see your host certificate with following file names, or place them there if not. If you want to replace the automatically-generated certs with your own, copy them over these files.
If you want to generate self-signed certs, you can do so like this, or use `this script <https://raw.githubusercontent.com/perfsonar/psconfig-web/master/deploy/generate_nginx_cert.sh>`_\ :

.. code-block:: bash
$ ls /etc/pwa/auth
cert.pem
CERT_PATH="/etc/pwa/nginx/certs"
mkdir -p "$CERT_PATH"
openssl req -x509 -nodes -days 10000 -newkey rsa:2048 -keyout "$CERT_PATH/key.pem" -out "$CERT_PATH/cert.pem" -batch
chmod 640 "$CERT_PATH/*.pem"
If you want to provide your own certs, place them in ``/etc/pwa/nginx/certs`` with these names:

.. code-block:: bash
cert.pem
key.pem
If you are enabling x509 authentication, then you will also need ``trusted.pem``. This file contains list of all CAs that you trust and grant access to PWA.
If you are enabling x509 authentication, then you will also need ``trusted.pem``\ ; This file contains list of all CAs that you trust and grant access to PWA. You will have to adapt the nginx config in ``/etc/pwa/nginx/conf.d/pwa.conf`` as follows:

.. code-block:: bash
ssl_client_certificate /etc/nginx/certs/trusted.pem
ssl_verify_client on
..
Unlike Apache, Nginx uses a single CA file for better performance.. so you have to join all .pem into a single .pem file.
Unlike Apache, Nginx uses a single CA file for better performance.. so you have to join all .pem into a single ``trusted.pem file``


Container Installation
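
Review bot: In the self-signed example, `chmod 640 "$CERT_PATH/*.pem"` keeps the glob inside the double quotes, so the shell hands chmod the literal name `*.pem` and the mode of `key.pem` and `cert.pem` is never changed; write it as `chmod 640 "$CERT_PATH"/*.pem`. In the x509 block, `ssl_client_certificate /etc/nginx/certs/trusted.pem` and `ssl_verify_client on` are shown without the terminating `;` that nginx requires, and the block is tagged `bash` although it is nginx configuration. The text tells the reader to place certs in `/etc/pwa/nginx/certs` while the directive points at `/etc/nginx/certs/trusted.pem`, so a sentence saying how the two paths relate would prevent a misplaced `trusted.pem`. The closing backticks in the last added line also take in the word "file" and the sentence has lost its final period.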