doc: Import cdn-cert.md documentation
Imported with minor changes, from private infra repo at <https://github.com/jquery/infrastructure/blob/1f8c332e728b9d150b42cf27de84c122c2631142/modules/jquery/files/cert/README.md>
Showing 2 changed files with 97 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
#!/bin/bash | ||
|
||
# SPDX-License-Identifier: MIT | ||
# Copyright 2021 Brian Warner | ||
# Copyright 2023 Timo Tijhof | ||
# | ||
# Very basic utility to run checks on SSL certs prior to deployment. | ||
# | ||
# Usage: ./verify_certs.sh <path to star.jquery.com.pem> | ||
# | ||
# certname.pem: This is the PEM file created from concatenating the .crt with the .ca-bundle | ||
# certname.key: This is the private key provided by the issuer | ||
# certname.ca-bundle: These are the intermediate certs provided by the issuer | ||
# | ||
|
||
if [ "$#" -ne 1 ]; then | ||
echo "Usage: ./verify_certs.sh <path to star.jquery.com.pem>" | ||
exit | ||
fi | ||
|
||
pemfilename="$1" | ||
keyfilename="${1%.pem}.key" | ||
cabundlefilename="${1%.pem}.ca-bundle" | ||
if [ ! -f "$pemfilename" ]; then | ||
echo -e "Error: Could not find $pemfilename" | ||
exit 1 | ||
fi | ||
if [ ! -f "$keyfilename" ]; then | ||
echo -e "Error: Could not find $keyfilename" | ||
exit 1 | ||
fi | ||
if [ ! -f "$cabundlefilename" ]; then | ||
echo -e "Error: Could not find $cabundlefilename" | ||
exit 1 | ||
fi | ||
|
||
bold=$(tput bold) | ||
normal=$(tput sgr0) | ||
|
||
echo -e "\n${bold}Dates the cert is valid (expect today to be within this range):${normal}" | ||
openssl x509 -noout -dates -in "$pemfilename" | ||
|
||
echo -e "\n${bold}Verifying validity of the certificate chain (expect \"OK\"):${normal}" | ||
openssl verify -CAfile "$cabundlefilename" "$pemfilename" | ||
|
||
echo -e "\n${bold}Verify the public keys match (expect \"Keys match\"):${normal}" | ||
pemkey=`openssl x509 -noout -pubkey -in "$pemfilename"` | ||
pubkey=`openssl rsa -pubout -in "$keyfilename" 2>/dev/null` | ||
keydiff=`diff <(echo $pemkey) <(echo $pubkey)` | ||
|
||
if [ ${#keydiff} -eq 0 ]; then | ||
echo -e "Keys match" | ||
else | ||
echo -e "\033[0;31mKeys do not match, check you have the correct .key and .pem files.\033[0;37m" | ||
fi | ||
|
||
echo -e "\n${bold}Verify the PEM file is in the right order (expect issuer to match next subject)${normal}" | ||
openssl crl2pkcs7 -nocrl -certfile "$pemfilename" | openssl pkcs7 -print_certs -noout | ||
|
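Review bot: the key-match check built from `pemkey=`, `pubkey=` and `keydiff=` reports "Keys match" whenever both extractions produce empty output, since a `diff` of two empty strings is empty; and `openssl rsa -pubout` (with its stderr discarded) fails on any non-RSA key, so a valid EC key/cert pair would be reported as a mismatch. Suggest `pubkey=$(openssl pkey -pubout -in "$keyfilename")`, checking the exit status of both `openssl` calls, and comparing only non-empty values, e.g. `[ -n "$pemkey" ] && [ "$pemkey" = "$pubkey" ]`. Smaller points in the same hunk: the usage branch does a bare `exit` (status 0) while every other error path uses `exit 1`, so a caller cannot tell a usage error from success; `openssl verify -CAfile "$cabundlefilename"` treats the issuer's intermediates as trust anchors, so it confirms the leaf chains to the bundle but not that the bundle chains to a root the system trusts (`-untrusted "$cabundlefilename"` against the default store would check that), and it verifies only the first certificate in the file, so the "right order" step matters for this check as well; and `\033[0;37m` sets the foreground to grey rather than resetting it, `\033[0m` (or `${normal}`) is the reset.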
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# jQuery CDN: TLS Certificate | ||
|
||
Every year we need to renew the TLS certificate used by the jQuery CDN. Linux Foundation IT provisions these as needed. | ||
|
||
## Process | ||
|
||
* Create a ticket with LF IT under "Project Support Services" <https://support.linuxfoundation.org>. | ||
* LF IT purchases a 3-year certificate and mints a 1-year certificate for us to use. The share the `.crt` and `.ca-bundle` files via email, and share the private key via 1Password. | ||
* The `.crt` and `.ca-bundle` file for each domain needs to be converted to `.pem` format by concatenating them with the `.crt` file first. | ||
* `cat __jquery_com.crt __jquery_com.ca-bundle > star.jquery.com.pem` | ||
* The `.crt` file may not have an EOL character, so open `star.jquery.com.pem` and make sure that all block terminators look like this (i.e., not on one line, and no blank lines between): | ||
|
||
``` | ||
-----END CERTIFICATE----- | ||
-----BEGIN CERTIFICATE----- | ||
``` | ||
|
||
* Copy the contents of the private key (shared via 1Password) into a file called `star.jquery.com.key` | ||
* **Test it!** by running `bin/verify_cert.sh path/to/your/star.jquery.com.pem` | ||
|
||
Note that if the `.key` file contains `ENCRYPTED` (that is, `verify_cert.sh` will have had openssl prompt for a password), then convert this to plaintext first so that the file can be used by a webserver. | ||
|
||
## Example ticket | ||
|
||
> Project: Open JS Foundation | ||
> Services: DNS management, Domain ownership | ||
> | ||
> The wildcart cert for jquery.com, as used for the jQuery CDN at code.jquery.com is expiring soon on …. | ||
> | ||
> We ideally take a few days to test it first, and after that I can upload it to Fastly (at least 48 hours after issuing, which ensures the vast majority of browser clients that suffer clockskew, will accept the new certificate, learn more at htps://phabricator.wikimedia.org/T196248). | ||
> | ||
> Our current one was issued in … by …. | ||
> | ||
> Thanks! | ||
## Fastly docs | ||
|
||
https://docs.fastly.com/en/guides/setting-up-tls-with-your-own-certificates |
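Review bot: the "Test it!" step runs `bin/verify_cert.sh`, while the script's own `Usage:` lines call it `verify_certs.sh`; one of the two names should change or the copy-pasted command fails. The note on an `ENCRYPTED` key says to "convert this to plaintext first" but gives no command; suggest `openssl pkey -in star.jquery.com.key -out star.jquery.com.key.plain` (it prompts for the passphrase) together with a reminder to keep the decrypted file at mode 0600 and out of the repository, since it is the CDN's private key. The concatenation step `cat __jquery_com.crt __jquery_com.ca-bundle > star.jquery.com.pem` could avoid the manual inspection of block terminators by appending a newline only when one is missing, e.g. `[ -n "$(tail -c1 __jquery_com.crt)" ] && echo >> __jquery_com.crt` before the `cat`. Typos in the hunk: "The share the `.crt`" should read "They share", "wildcart" should be "wildcard", and "htps://phabricator.wikimedia.org" is missing a "t".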