Verified commit 8f4abda9 authored by Tim Schubert

add documentation for TLS cert renewal

parent 691ed24b
......@@ -57,3 +57,29 @@ Generate an SSH key in `/var/lib/borgbackup/bs/id_ed25519` that should be used t
Give the *public* key to @y0067212.
Write a secret passphrase to `/var/lib/borgbackup/bs/passphrase`.
This passphrase is needed for restoring the backup.
## Generating TLS keys
## Setting up and updating the TLS trust chain
Run
```
openssl s_client -showcerts -connect tu-bs.de:443
```
and save the certs all in one file.
The file is needed alongside the TLS private key and the valid certificate.
## Updating certs
TU Braunschweig does not support getting certs with ACME, so certs have to be applied for at GITZ.
Once a year the certs will have to be renewed.
For this, a new CSR is needed.
The configuration files for openssl with required settings are in `nixos/<hostname>/openssl.cfg`.
Generate a new CSR using
```
# umask 77
# openssl req -config openssl.cfg -utf8 -new -key key.pem -out csr.pem
```