NBISweden / theherdbook

The Herd Book
GNU Affero General Public License v3.0

Set up certificate authority in herdbook server#37 #459

Open jhagberg opened 2 years ago

jhagberg commented 2 years ago

How to handle CA renewals?

jhagberg commented 2 years ago

E.g. (from another repo):

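```bash
#!/bin/bash

# Self-signed root CA: key in config/cakey, certificate in config/cacert (365 days)
mkdir -p config && \
openssl req -x509 -nodes -days 365 \
    -newkey rsa:2048 -sha256 \
    -subj '/O=root' \
    -keyout config/cakey \
    -out config/cacert

# Key and CSR for CN=localhost
# (-days has no effect on a CSR; validity is set when the CA signs it)
openssl req -nodes -new -days 365 -newkey rsa:2048 \
    -sha256 -subj '/CN=localhost' \
    -keyout config/key \
    -out config/cert.csr

# Sign the CSR with the CA (no -days given, so openssl x509 uses its 30-day default)
openssl x509 -req -CAcreateserial -sha256 \
    -CA config/cacert \
    -CAkey config/cakey \
    -in config/cert.csr \
    -out config/cert

# Key and CSR for CN=database
openssl req -nodes -new -days 365 -newkey rsa:2048 \
    -sha256 -subj '/CN=database' \
    -keyout config/key2 \
    -out config/cert2.csr

# Sign the second CSR with the same CA
openssl x509 -req -CAcreateserial -sha256 \
    -CA config/cacert \
    -CAkey config/cakey \
    -in config/cert2.csr \
    -out config/cert2

# Bundle each private key with its certificate
cat config/key config/cert > config/combined
cat config/key2 config/cert2 > config/combined2
```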
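For the renewal question that opens this issue, the following is an added example, not part of the thread and not the project's own code. It checks the `config/` files produced by the script above with `openssl x509 -checkend` and re-signs the existing CSRs when a leaf certificate is close to expiry; `WINDOW_DAYS`, `LEAF_DAYS` and the function names are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the thread): renewal check for the config/ layout above.
# WINDOW_DAYS, LEAF_DAYS and all function names are assumptions of this example.
WINDOW_DAYS=${WINDOW_DAYS:-30}   # renew when fewer than this many days remain
LEAF_DAYS=${LEAF_DAYS:-365}      # validity given to re-issued leaf certificates

# Exit 0 when the certificate is missing, unreadable, or expires within the window.
needs_renewal() {
    [ -s "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend $(($WINDOW_DAYS * 86400)) >/dev/null 2>&1
    then return 1
    else return 0
    fi
}

# Re-sign the existing CSR $1/cert$2.csr. The old certificate is replaced only
# after the new one verifies against the CA; then the combined file is rebuilt.
reissue_leaf() {
    new="$1/cert$2.new"
    openssl x509 -req -sha256 -days "$LEAF_DAYS" -CAcreateserial \
        -CA "$1/cacert" -CAkey "$1/cakey" \
        -in "$1/cert$2.csr" -out "$new" 2>/dev/null &&
    openssl verify -CAfile "$1/cacert" "$new" >/dev/null 2>&1 &&
    mv "$new" "$1/cert$2" &&
    (umask 077; cat "$1/key$2" "$1/cert$2" > "$1/combined$2") ||
    { rm -f "$new"; return 1; }
}

# Exit 0 when every leaf is current or was re-issued, 1 on a signing failure,
# 2 when the CA itself is inside the window (leaves are then left untouched).
renew_leaves() {
    dir=${1:-config}
    if needs_renewal "$dir/cacert"; then
        echo "CA certificate $dir/cacert is due for renewal; renew it first" >&2
        return 2
    fi
    for n in "" 2; do                # cert/key/combined, then cert2/key2/combined2
        [ -f "$dir/cert$n.csr" ] || continue
        if needs_renewal "$dir/cert$n"; then
            reissue_leaf "$dir" "$n" || return 1
            echo "re-issued $dir/cert$n"
        fi
    done
    return 0
}

# Run as: bash renew.sh config   (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then renew_leaves "$1"; fi
```

Exit status 2 is the case the question is about: once the CA certificate is replaced, every client that trusts `config/cacert` needs the new file before the old one expires.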