Closed s-andrews closed 6 months ago
I generated this conf file (capstone.conf):
```
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = GB
ST = Babraham
L = Cambridge
O = The Babraham Institute
OU = Bioinformatics
CN = capstone.babraham.ac.uk

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = capstone.babraham.ac.uk
```
I then processed it to a CSR with:
```
openssl req -new -out capstone.csr -newkey rsa:2048 -nodes -sha256 -keyout capstone.key -config capstone.conf
```
..and then verified it with:
```
openssl req -text -noout -verify -in capstone.csr
```
Which all looks OK:
```
Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = GB, ST = Babraham, L = Cambridge, O = The Babraham Institute, OU = Bioinformatics, CN = capstone.babraham.ac.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [snipped]
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Key Usage:
                    Key Encipherment, Data Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Subject Alternative Name:
                    DNS:capstone.babraham.ac.uk
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [snipped]
```
I've now added the certificates to the system. I had to install the mod_ssl package as well to get this to work.
I've not added forced https at the apache level as that will mess up warewulf. We'll need to add this either at the flask or the javascript level.
We can't force https universally, but we can at least allow it for the front end (and maybe force it internally using flask).
We need an https certificate though, and we can't generate one using letsencrypt so we need to do it ourselves.
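
Added example, not part of the original thread: the CSR steps above wrapped in a shell script that rebuilds the request from the posted capstone.conf and checks the signature, the SAN entry for the host name, and the serverAuth EKU. The function names `make_csr` and `check_csr` are made up here, and the digitalSignature warning is an extra check not raised in the thread, based on the TLS 1.3 rule (RFC 8446) that a certificate carrying a Key Usage extension must have that bit set.

```shell
# Added example (not from the thread): rebuild the CSR from the posted
# capstone.conf in a temp directory and check what the CA is asked to sign.

make_csr() {  # make_csr DIR: write the thread's config, create key + CSR
    cat > "$1/capstone.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = GB
ST = Babraham
L = Cambridge
O = The Babraham Institute
OU = Bioinformatics
CN = capstone.babraham.ac.uk
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = capstone.babraham.ac.uk
EOF
    openssl req -new -out "$1/capstone.csr" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/capstone.key" -config "$1/capstone.conf" 2>/dev/null
}

check_csr() {  # check_csr CSR HOST: one finding per line; 1 on any FAIL
    local text ku rc=0
    text=$(openssl req -text -noout -verify -in "$1" 2>&1) || true
    case $text in *"verify OK"*) echo "OK signature" ;;
                  *) echo "FAIL signature"; return 1 ;; esac
    # Exact match against each SAN entry, so a longer name cannot pass.
    if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 |
            tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
    then echo "OK san DNS:$2"
    else echo "FAIL san DNS:$2 not requested"; rc=1; fi
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
        { echo "FAIL extendedKeyUsage lacks serverAuth"; rc=1; }
    # TLS 1.3 and ECDHE suites sign the handshake with the certificate key;
    # if Key Usage is present it must then include digitalSignature.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n1)
    case $ku in ""|*"Digital Signature"*) ;;
                *) echo "WARN keyUsage lacks digitalSignature" ;; esac
    return $rc
}

tmp=$(mktemp -d) && make_csr "$tmp" && check_csr "$tmp/capstone.csr" capstone.babraham.ac.uk
rm -rf "$tmp"
```

The requested extensions only reach the issued certificate if the signing CA copies them from the CSR, so the same checks are worth repeating on the certificate that comes back.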