29be6d2479f8481b7bf2bb305dc7d8618255cc4c
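--- a/services/Automatic-CA.md
+++ b/services/Automatic-CA.md
@@ -188,6 +188,32 @@ Enter Export Password: ****
 Verifying - Enter Export Password: ****
 ```
 
+The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron or with a systemd timer:
+
+```
+0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
+```
+
+```
+# update-dn42-ca.timer
+[Timer]
+OnBootSec=1h
+OnUnitActiveSec=1w
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
+```
+
+```
+[Service]
+Type=oneshot
+WorkingDirectory=/etc/ssl/dn42
+ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
+# accept multiple ExecStart lines for other certificates
+#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
+ExecStart=/usr/bin/nginx -s reload
+```
 
 ## Revoke a certificate.
 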