From d11e647a1bc5ccee2cd75e5d9721313db6eee61b Mon Sep 17 00:00:00 2001
From: bax1489 <fabian.gallenkamp@uni-hamburg.de>
Date: Thu, 26 Sep 2019 12:54:35 +0200
Subject: [PATCH] guide for PKCS#10 method

---
 README.md | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 988522e..5be8589 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,17 @@
 
 ## preparation
 
+### request certificate (PKCS#10 method)
+1. Create empty folder ``mkdir /opt/otree/temp`` and switch into ``cd /opt/otree/temp``
+2. Adapt your config file ``request.conf``.
+3. Generate encrypted private key and certificate request file with ``openssl req -config request.conf -newkey rsa:2048 -sha256 -outform PEM -out certrequest.pem`` from config file.
+4. Verify your ``certrequest.pem`` with ``openssl req -in certrequest.pem -text``
+5. Make a request with the certificate request file at your responsible office.
+6. Unencrypt your private key with: ``openssl rsa -in domain.key.pem.enc -out domain.key.pem``.
+7. Move your unencrypted private key file with ``sudo mv /opt/otree/temp/private-key.pem /etc/ssh/private/domain.key.pem.enc``. (Note: Verify permissions! 0600)
+8. Upload the obtained certificate and the certificate chain onto your server into ``/opt/otree/temp`` and append the chain (PA-Cert) to the certificate with ``cat pa-chain.pem >> cert-myserver.pem``.
+9. Lastly move the certificate to the correct location: ``sudo mv /opt/tree/temp/cert-myserver.pem /etc/ssh/certs/domain.crt.pem`` (Note: Verify permissions! 0644)
+
 ### place ssl/tls certificate and key-file (unfortunately not scriptable due to security best-practices)
 1. Use ``scp mycert.crt user@host:/home/user/`` and ``scp mycert.key user@host:/home/user/`` or use [WinSCP](https://de.wikipedia.org/wiki/WinSCP) to copy over the certificate files.
 2. Establish a ssh connection onto your server.
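Review bot: the private-key filenames in steps 3, 6 and 7 do not line up, so a reader following the steps literally ends up with a key that is never where the next step expects it. Step 3's `openssl req ... -newkey rsa:2048` gives no `-keyout`, so the encrypted key lands in OpenSSL's default `privkey.pem`; step 6 then decrypts `domain.key.pem.enc` into `domain.key.pem`, and step 7 moves `private-key.pem` (a third name) to a destination that still carries the `.enc` suffix although the text says it is the unencrypted key. Suggest adding `-keyout domain.key.pem.enc` to the command in step 3, moving `domain.key.pem` in step 7 to `/etc/ssh/private/domain.key.pem` (without `.enc`), and removing the leftover plaintext copy from `/opt/otree/temp` once it has been moved, since the 0600 note only covers the destination. Two smaller points in the same hunk: step 9 writes `/opt/tree/temp` where every other step uses `/opt/otree/temp`, and "Unencrypt" in step 6 should read "Decrypt".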
@@ -82,14 +93,10 @@ otree_users:
 And now run the playbook.
 
 ## change the configuration
-1. Adapt your inventory-config again with ``nano ~/otree-ansible/group_vars/otree_servers.yml`` and run the playbook.
-
-## setup ssh keys
-1. Generate a public-private key pair in the ansible project ``keys/<otree_instance_name>/`` with ``ssh-keygen -f id -t ed25519 -N '' -a 100``
-2. Upload public key in your git provider (GitLab: User Settings->SSH Keys) and make sure you have access to the specified project in ``app_repo``
+1. Adapt your inventory-config again with ``nano /opt/otree/otree-ansible/group_vars/otree_servers.yml`` and run the playbook.
 
 ## run the playbook
-1. Change directory: ``cd ~/otree-ansible/``
+1. Change directory: ``cd /opt/otree/otree-ansible/``
 2. Run: ``ansible-playbook site.yml``
 
 ## FAQ
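Review bot: this hunk deletes the whole "setup ssh keys" section (the `ssh-keygen -f id -t ed25519 ...` step and the instruction to register the public key with the git provider for `app_repo`), but the commit message only mentions adding the PKCS#10 guide and does not say whether that step has become unnecessary or moved elsewhere. If the playbook still needs a deploy key under `keys/<otree_instance_name>/` to clone `app_repo`, readers of the updated README lose the only place that told them so; either keep the section or state in the commit message why it is obsolete. The path change from `~/otree-ansible/` to `/opt/otree/otree-ansible/` in the two remaining sections is consistent with the new `/opt/otree` layout introduced in the first hunk.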
-- 
GitLab