=======================
TLS/SSL Certificates CA Certificates
=======================

Need to refresh these every year.
For tests change this to every 25 years or 10000 days


to determine current version of python SSL library

import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2l  25 May 2017'


http://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x

https://msol.io/blog/tech/2014/09/30/create-a-self-signed-ssl-certificate-with-openssl/


Using OpenSSL

The certs are put in two places
One for the system in:

/etc/pki/tls/certs/

The other for unittests in:

ioflo/aio/test/tls/certs

Do not use the same certs for the system and unittests since the unittest certs
are public

For the system:


$ sudo -s
# mkdir -p /etc/pki/tls/certs
# cd /etc/pki/tls/certs/



For the unittests

$ cd ioflo/ioflo/aio/test/tls/certs
$ cd /Data/Code/public/ioflo/ioflo/aio/test/tls/certs/
-------
client
--------

$ openssl genrsa -out client_key.pem 2048
$ openssl req -new -key client_key.pem -out client_csr.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UTAH
Locality Name (eg, city) []:Lindon
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Ioflo
Organizational Unit Name (eg, section) []: HQ
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []: sam@ioflo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ openssl req -x509 -days 365 -key client_key.pem -in client_csr.pem -out client_cert.pem
$ openssl req -x509 -days 10000 -key client_key.pem -in client_csr.pem -out client_cert.pem
$ cat  client_key.pem  client_cert.pem > client.pem

------
server
-------

$ openssl genrsa -out server_key.pem 2048
$ openssl req -new -key server_key.pem -out server_csr.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Utah
Locality Name (eg, city) []:Lindon
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Ioflo
Organizational Unit Name (eg, section) []: HQ
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []: sam@ioflo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ openssl req -x509 -days 365 -key server_key.pem -in server_csr.pem -out server_cert.pem
$ openssl req -x509 -days 10000 -key server_key.pem -in server_csr.pem -out server_cert.pem
$ cat server_key.pem  server_cert.pem > server.pem


$ cp server_key.pem localhost.key
$ cp server_cert.pem localhost.crt
$ cp server.pem localhost.pem


The first time try to access bottle server with this certificate Safari
will complain about the certificate. Check the box to trust and Safari
will add it to the keychain.

https://localhost:8080/echo

Google chrome will then accept it as valid.

After 1 year the certificates will be bad.

On systems need to remove write permissions

$ sudo -s
# chmod 444 client_key.pem client_cert.pem client.pem client_csr.pem
# chmod 444 server_key.pem server_cert.pem server.pem server_csr.pem
# chmod 444 localhost.crt localhost.key localhost.pem

chmod 444 is r only no write or execute
chmod ugo-w
