diff --git a/pwa_readme.rst b/pwa_readme.rst index c4e9b5f9..f9701a15 100644 --- a/pwa_readme.rst +++ b/pwa_readme.rst @@ -130,21 +130,34 @@ downloading and deploying PWA's default configuration files from git repo. Host Certificates ~~~~~~~~~~~~~~~~~ -You will need SSL certificates for https access. If these don't already exist, they will be created when you start up the ``sca-auth`` docker container. +You will need SSL certificates for https access. -In ``/etc/pwa/auth``\ , you should see your host certificate with following file names, or place them there if not. If you want to replace the automatically-generated certs with your own, copy them over these files. +If you want to generate self-signed certs, you can do so like this, or use `this script `_\ : .. code-block:: bash - $ ls /etc/pwa/auth - cert.pem + CERT_PATH="/etc/pwa/nginx/certs" + mkdir -p "$CERT_PATH" + openssl req -x509 -nodes -days 10000 -newkey rsa:2048 -keyout "$CERT_PATH/key.pem" -out "$CERT_PATH/cert.pem" -batch + chmod 640 "$CERT_PATH/*.pem" + +If you want to provide your own certs, place them in ``/etc/pwa/nginx/certs`` with these names: + +.. code-block:: bash + + cert.pem key.pem -If you are enabling x509 authentication, then you will also need ``trusted.pem``. This file contains list of all CAs that you trust and grant access to PWA. +If you are enabling x509 authentication, then you will also need ``trusted.pem``\ ; This file contains list of all CAs that you trust and grant access to PWA. You will have to adapt the nginx config in ``/etc/pwa/nginx/conf.d/pwa.conf`` as follows: + +.. code-block:: bash + + ssl_client_certificate /etc/nginx/certs/trusted.pem + ssl_verify_client on .. - Unlike Apache, Nginx uses a single CA file for better performance.. so you have to join all .pem into a single .pem file. + Unlike Apache, Nginx uses a single CA file for better performance.. so you have to join all .pem into a single ``trusted.pem file`` Container Installation
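Review bot: In the added self-signed cert snippet, ``chmod 640 "$CERT_PATH/*.pem"`` keeps the wildcard inside the double quotes, so the shell does not expand it and chmod is handed the literal name ``/etc/pwa/nginx/certs/*.pem``; the command fails and the permissions on ``key.pem`` and ``cert.pem`` are never changed. Move the glob outside the quotes, e.g. ``chmod 640 "$CERT_PATH"/*.pem``. In the added nginx block, ``ssl_client_certificate /etc/nginx/certs/trusted.pem`` and ``ssl_verify_client on`` both lack the terminating ``;``, so copying them into ``pwa.conf`` as shown produces a config nginx will refuse to load; the block is also tagged ``bash`` although it is nginx configuration. The directive points at ``/etc/nginx/certs`` while the surrounding text tells readers to place files in ``/etc/pwa/nginx/certs``; if the first is the path as seen inside the container, a sentence saying so would prevent people from editing the wrong path. Last, in the closing note the literal is closed after the word "file" (``trusted.pem file``) and the sentence lost its full stop, and the ``\ ;`` before "This file contains" reads better as a plain period.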