github.com/piotrnar/gocoin@v0.0.0-20240512203912-faa0448c5e96/client/ssl_cert/README.md

# How to use SSL secured WebUI

In order to have SSL secured access to your node's WebUI, place the following files here:
* ca.crt
* server.key
* server.crt

If all three files are in place, the SSL server will be started at port 4433, in parallel to the regular HTTP server.

The SSL server will accept connections from any IP address, regardless of the WebUI setting in the `gocoin.conf` file.

In order to access it you will need the `client.p12` certificate imported into your browser's Personal certificates.

Then use a URL like **https://your.hostname.or.ip:4433/**

To access the WebUI at the default SSL port, set up a port redirect on your NAT:

    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 4433


# How to generate needed files

Use the `openssl` command to generate all the required files.

## Generate ca.key and ca.crt

    openssl genrsa -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Place `ca.crt` in the current folder.

If you plan to use a self-signed SSL certificate, additionally import `ca.crt` into your browser's Trusted Root CA list.

## Generate server.key and server.crt

You can use one of the CA vendors to acquire an SSL certificate for your WebUI hostname.
Both files are expected to be in PEM format.
Just rename your private key file to `server.key` and the certificate (or the chain) to `server.crt`.

Otherwise, the method below guides you through creating a self-signed SSL certificate.
When using a self-signed certificate, make sure to have `ca.crt` imported into your browser's Trusted Root CA list, to avoid security alerts.

### Create v3.ext file

Create a file named `v3.ext` with the following content:

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = domain.com

Replace **domain.com** with your node's hostname or IP.

### Generate server.key and server.crt

    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr

When asked for **Common Name**, give your node's hostname or IP (the same value as **DNS.1** in the `v3.ext` file).

    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -sha256 -extfile v3.ext

## Installing server.key and server.crt

Place `server.key` and `server.crt` in the current folder.

## Generate client.p12

    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -out client.csr
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Note the serial number `02`: a CA must not issue two certificates with the same serial number, and browsers such as Firefox reject a certificate whose issuer and serial match one they have already seen, so the client certificate must not reuse the `01` given to `server.crt`.

Import `client.p12` into your browser's Personal certificates.


# Security precautions

In order to assure the security of the WebUI, make sure to keep `ca.key` and all the `client.*` files secret.
Whoever gets access to any of these files will be able to access your node's WebUI.
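The whole generation procedure above, as an added example that is not part of gocoin: `gen_all` runs the README's `openssl` steps non-interactively into a scratch directory (hostname, subject names and the `changeit` export password are placeholders you would replace), and `verify_all` checks the result the way a browser will, i.e. that both certificates chain to `ca.crt`, that `server.crt` carries the host in its SAN, and that the two serials differ.

```shell
#!/bin/sh
# Added example (not gocoin's own code): the README's openssl procedure as
# a script, followed by the checks a practitioner wants before deploying.
set -eu

# gen_all DIR HOST: create ca.crt, server.key/crt and client.p12 in DIR.
gen_all() (
  dir=$1; host=$2
  mkdir -p "$dir" && cd "$dir"
  # CA: ca.key stays secret, only ca.crt goes next to the node.
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=gocoin-webui-ca"
  # v3.ext exactly as in the README, with the SAN set to HOST.
  cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
EOF
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -subj "/CN=$host"
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -set_serial 01 -out server.crt -sha256 -extfile v3.ext 2>/dev/null
  # Client certificate: a different serial, a CA must never reuse one.
  openssl genrsa -out client.key 2048 2>/dev/null
  openssl req -new -key client.key -out client.csr -subj "/CN=gocoin-webui-client"
  openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
    -set_serial 02 -out client.crt -sha256 2>/dev/null
  # Placeholder export password; the README's command prompts for one.
  openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
    -out client.p12 -passout pass:changeit
)

# verify_all DIR HOST: succeeds only if both certs chain to ca.crt,
# server.crt names HOST in its subjectAltName, and the serials differ.
verify_all() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
  openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
  s1=$(openssl x509 -in "$dir/server.crt" -noout -serial)
  s2=$(openssl x509 -in "$dir/client.crt" -noout -serial)
  [ "$s1" != "$s2" ]
}
```

Run it as `gen_all ./ssl_cert node.example && verify_all ./ssl_cert node.example`; a non-zero exit from `verify_all` means a browser would refuse the setup too.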