Services List

Getting your Admin Certificate

Do you think you're a wobscale admin? Do you think you need a client-certificate to authenticate to any of our services?

All you need to do is send a properly formed CSR. I recommend using cfssl and cfssljson to do it.

The certificate should be stored securely. Encrypt your HDD, or store it GPG-encrypted and only decrypt it to a ramdisk (systemd can help!); do whatever you feel is appropriate. This is left as an exercise for you.

So, how do you actually create the certificate and CSR? Do the following:

  1. Create a file client_auth.json with the following contents, taking care to replace $username with your correct username:
    {
      "CN": "$username",
      "key": {
        "algo": "ecdsa",
        "size": 256
      },
      "names": [
        {
          "C": "US",
          "L": "SF",
          "O": "Wobscale",
          "OU": "Wobscale Admins"
        }
      ]
    }
        
  2. Run the following command. Note that the files it outputs *are* sensitive (notably client_cert-key.pem):
    cfssl genkey client_auth.json | cfssljson -bare client_cert
  3. Sign the resulting CSR, client_cert.csr, with your GPG key. Email the signed CSR to your neighborhood wobscale admin (admin ATSIGN wobscale DOT website).
  4. You will get back a cert.pem file.
  5. To use this client certificate in your browser, you might need a .pfx file. You can convert to it via:
    openssl pkcs12 -export -out cert.pfx -inkey client_cert-key.pem -in cert.pem
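
Checks worth running around steps 3 to 5, as an added example (not Wobscale's own tooling): confirm the CSR carries your username, a P-256 key and a valid self-signature before you sign and send it, and confirm the returned cert.pem belongs to your private key before building the .pfx. It assumes the openssl CLI is installed; the function names are hypothetical, the file names are the ones from the steps above.

```shell
#!/bin/sh
# Added example: sanity checks for the CSR you send and the cert you get back.
# Function names are hypothetical; file names follow the steps above.

# Print the public key (PEM) of a private key, CSR or certificate.
pubkey_of() {  # $1 = key|csr|cert, $2 = PEM file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# Succeed only if both files carry the same, non-empty public key.
same_pubkey() {  # $1 = kind, $2 = file, $3 = kind, $4 = file
  a=$(pubkey_of "$1" "$2"); b=$(pubkey_of "$3" "$4")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Before step 3: is this CSR what you meant to send?
check_csr() {  # $1 = CSR, $2 = private key, $3 = expected username
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "CSR self-signature does not verify" >&2; return 1; }
  cn=$(openssl req -in "$1" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  [ "$cn" = "$3" ] || { echo "CN is '$cn', expected '$3'" >&2; return 1; }
  openssl req -in "$1" -noout -text | grep -q 'ASN1 OID: prime256v1' ||
    { echo "key is not ECDSA P-256" >&2; return 1; }
  same_pubkey csr "$1" key "$2" ||
    { echo "CSR was not made from this private key" >&2; return 1; }
}

# After step 4, before the pkcs12 export in step 5.
check_cert() {  # $1 = returned certificate, $2 = private key
  same_pubkey cert "$1" key "$2" ||
    { echo "certificate does not match the private key" >&2; return 1; }
}

# Usage, in the directory holding the files (replace $username as in step 1):
#   check_csr  client_cert.csr client_cert-key.pem "$username"
#   check_cert cert.pem        client_cert-key.pem
```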