From 99bf86b33c82b5a6fe158493db17c15d6b18387b Mon Sep 17 00:00:00 2001 From: Arjan H Date: Sat, 17 Nov 2018 10:28:49 +0100 Subject: [PATCH 1/2] Add screenshots on more details to README --- README.md | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 61 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 8217ac5..80d4e6d 100644 --- a/README.md +++ b/README.md @@ -2,12 +2,24 @@ A private Certificate Authority for internal (lab) use, based on the open source ACME Automated Certificate Management Environment implementation from Let's Encrypt (tm). -## About +![08-dashboard](https://user-images.githubusercontent.com/44847421/48658726-ebd4c400-ea46-11e8-8cb1-43584dbc3719.jpg) + +## Table of Contents + +- [Background](#background) +- [Install](#install) +- [Usage](#usage) +- [Contributing](#contributing) +- [License](#license) + +## Background More and more websites and applications are served over HTTPS, where all traffic between your browser and the web server is encrypted. With standard HTTP the (form) data is unencrypted and open to eavesdroppers and hackers listening to communications between the user and the website. Therefore the Chrome browser now even warns about unsafe plain HTTP sites to nudge users towards HTTPS. To a lesser extent this also applies to internal applications and sites that are not exposed publicly. Just because the users may have a higher level of trust versus users of a public facing website doesn't mean sensitive content shouldn't be protected as much as possible. Lots of hacking and theft occur from within a company's own walls, virtual or real. Also, no user should get used to ignoring any browser warnings (e.g. about self-signed certificates), even for internal sites. +> no user should get used to ignoring any browser warnings + For the public internet, [Let's Encrypt™](https://letsencrypt.org/) has made a big impact by providing free HTTPS certificates in an easy and automated way. There are many clients available to interact with their so called ACME (Automated Certificate Management Environment). They also have a staging environment that allows you to get things right before issuing trusted certificates and reduce the chance of your running up against rate limits. One technical requirement however is to have a publicly reachable location where your client application and their server can exchange information. For intranet / company internal applications or for testing clients within your organization this may not always be feasible. @@ -18,7 +30,7 @@ Also if you are developing your own client application or integrating one into y Getting Boulder up and running has quite a learning curve though and that is where **LabCA** comes in. It is a self-contained installation with a nice web GUI built on top of Boulder so you can quickly start using it. All regular management tasks can be done from the web interface. It is best installed in a Virtual Machine and uses Debian Linux as a base. -## Installation +## Install LabCA is best run on its own server / virtual machine to prevent any issues caused by conflicting applications. On a freshly installed Linux machine (currently only tested with Debian 9) run this command as root user: @@ -26,19 +38,62 @@ LabCA is best run on its own server / virtual machine to prevent any issues caus curl -sSL https://raw.githubusercontent.com/hakwerk/labca/master/install | bash ``` -## Updating +It will install the latest versions of some packages, download the relevant programs and configure everything. If all goes well it should look like this: -On the Linux machine run this command as root user to update the installation: + + +### Setup + +After the base install you must go through the setup in your browser. To give an idea of the setup process, see these screenshots: + + + +### Update + +Until issue #1 is implemented, updates can only be done from the Linux shell. On the server run this command as root to update the installation: ```sh ~labca/labca/install ``` -## NOTE +## Usage + +Once LabCA has been setup you should go through the admin pages and e.g. configure the email details for outgoing notifications. Now your instance is ready to provide HTTPS certificates for your internal applications. + +### Admin + +The admin section is only accessible to the user account created at the start of the setup. The [dashboard](https://user-images.githubusercontent.com/44847421/48658726-ebd4c400-ea46-11e8-8cb1-43584dbc3719.jpg) gives an overview of the current status of your LabCA instance. Via the menu you can navigate to the details of your ACME objects such as the certificates, to several system logfiles and to the various management tasks such as backup/restore, email settings and changing your password. + +These screenshots give a preview of the admin section: + + + +### ACME Client + +To request and automatically renew certificates for your applications, you need one of the many standard ACME clients that are out there. Just make sure to configure the server hostname to be your LabCA instance. + +Some of the commonly used clients are: + +* [certbot](https://github.com/certbot/certbot) +* [acme-tiny](https://github.com/diafygi/acme-tiny) +* [dehydrated](https://github.com/lukas2511/dehydrated) +* ... + +### Public Pages + +The end users in your organization / lab can visit the public pages of you LabCA instance to get some basic information, and to download the root certificate that needs to be installed on each device that should trust the certificates generated by the LabCA instance. To give you and idea of what that looks like: + + + +### NOTE Although LabCA tries to be as robust as possible, use it at your own risk. If you depend on it, make sure that you know what you are doing! -# License +## Contributing + +Feel free to dive in! [Open an issue](https://github.com/hakwerk/labca/issues/new) or submit PRs. + +## License "Commons Clause" License Condition v1.0 From 58e0aa6f37c70bb1f3b77723b9e3a2d26d29fe98 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Sat, 17 Nov 2018 10:48:26 +0100 Subject: [PATCH 2/2] Improve README --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 80d4e6d..3aef0b3 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ LabCA is best run on its own server / virtual machine to prevent any issues caus curl -sSL https://raw.githubusercontent.com/hakwerk/labca/master/install | bash ``` -It will install the latest versions of some packages, download the relevant programs and configure everything. If all goes well it should look like this: +The first-time install will take a while, depending on the power of your server and your internet speed. On my machine it takes about 12 minutes. It will install the latest versions of some packages, download the relevant programs and configure everything. If all goes well it should look like this: @@ -48,6 +48,8 @@ After the base install you must go through the setup in your browser. To give an +Once the setup is completed, please make a backup of your Root and Issuer certificates! They can be exported from the "Certificates" tab of the Manage page. On the "Backup" tab you can also create a backup of the relevant data on the server. The backup files should be synchronized to an external location, but that is out of scope of this document. + ### Update Until issue #1 is implemented, updates can only be done from the Linux shell. On the server run this command as root to update the installation: