modify cert request config, more ssl docs
authorChristian Weiske <cweiske@cweiske.de>
Fri, 13 Sep 2013 04:42:42 +0000 (06:42 +0200)
committerChristian Weiske <cweiske@cweiske.de>
Fri, 13 Sep 2013 04:42:42 +0000 (06:42 +0200)
doc/README.rst
doc/ouya.tv-cert-req.cnf

index 951b7c25afb710f8cc3c377975461fa0ae6b6587..8e51fcab08800e7582c84159d5149eb3d245a724 100644 (file)
@@ -4,9 +4,9 @@ Generate web server SSL certificate
 
   $ openssl req -new -x509 -nodes -config ouya.tv-cert-req.cnf -out selfcert-ouya.tv.pem -keyout selfcert-ouya.tv.key -days 730
 
-  $ openssl genrsa -out selfcert-ouya.tv.key 2048
+  $ openssl genrsa -out selfcert-ouya.tv.key 1024
   $ openssl req -new -config ouya.tv-cert-req.cnf -key selfcert-ouya.tv.key -out selfcert-ouya.tv.csr
-  $ openssl x509 -req -in selfcert-ouya.tv.csr -CA ~/.mitmproxy/mitmproxy-ca.pem -CAkey ~/.mitmproxy/mitmproxy-ca.pem -CAcreateserial -out selfcert-ouya.tv.crt -days 730
+  $ openssl x509 -req -in selfcert-ouya.tv.csr -CA ~/.mitmproxy/mitmproxy-ca.pem -CAkey ~/.mitmproxy/mitmproxy-ca.pem -CAcreateserial -out selfcert-ouya.tv.crt -days 730 -extfile ouya.tv-cert-req.cnf
 
 Verify CSR::
 
@@ -17,3 +17,8 @@ Verify certificate::
   $ openssl x509 -in selfcert-ouya.tv.crt -text -noout
 
 Then install the certificate in your web server.
+
+Note that the OUYA store application does not use SNI (Server Name Indication).
+This means that your server's *.ouya.tv must be delivered first when no
+host name is indicated by the client, thus the vhost has to be the first
+of all in the configuration.
index 1890971dfc1669b432f9ba2187325404542a81ab..5dd85c82601a70d74e86740626ded1a4a4a1f995 100644 (file)
@@ -2,28 +2,29 @@
 extensions = v3_req
 
 [req]
-default_bits = 2048
+default_bits = 1024
 encrypt_key = yes
 distinguished_name = req_dn
 req_extensions = v3_req
 prompt = no
 
 [req_dn]
-C=US
-ST=Massachusetts
-L=Anytown
-O=OUYA
-OU=custom OUYA store
+#C=US
+#ST=Massachusetts
+#L=Anytown
+#O=OUYA
+#OU=custom OUYA store
 CN=*.ouya.tv
-emailAddress=ouya+dummy@example.org
+#emailAddress=ouya+dummy@example.org
 
 [v3_req]
-nsCertType = server
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = @alt_names
+#nsCertType = server
+#basicConstraints = CA:FALSE
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+#keyUsage = critical
+subjectAltName = critical,@alt_names
 
 [alt_names]
-DNS.1 = ouya.tv
-DNS.2 = *.ouya.tv
+DNS.1 = *.ouya.tv
+DNS.2 = ouya.tv
 DNS.3 = *.ouya.tv.bogo
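Review bot: `default_bits = 1024` downgrades the RSA key to a size that current TLS stacks treat as too weak — distributions that ship OpenSSL at security level 2 refuse RSA keys below 2048 bits, 1024-bit RSA has been disallowed for new certificates for years, and the commit gives no reason for the change, so a client with a modern library may reject this certificate outright. If the OUYA client genuinely needs the smaller key, say so above the line, e.g. `# 1024 only because the OUYA store client fails with larger keys -- confirm before raising`; otherwise restore `default_bits = 2048` (and the matching `genrsa ... 2048` in the README). Separately, `subjectAltName = critical,@alt_names` marks critical an extension that RFC 5280 only requires to be critical when the subject is empty, and `CN=*.ouya.tv` is still set here, so a non-critical SAN (`subjectAltName = @alt_names`) is the conventional choice. Commenting out `basicConstraints = CA:FALSE` also leaves the leaf with no basic-constraints extension at all; that is tolerated by most verifiers, but keeping it costs nothing and documents that this is an end-entity certificate.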