From 865bf1ba1913223a07fa73af6652783a6bdba583 Mon Sep 17 00:00:00 2001 From: "Patrick C. F. Ernzer" Date: Wed, 29 Nov 2023 23:21:38 +0100 Subject: [PATCH] copypasta SSL info from #125 to main readme (#1633) * put info from #215 into main readme * successfully tested on my Enigma2 box plus pointer to openssl-cooknook * fixup, textual clarification * doh! link name was incomplete --- README.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/README.md b/README.md index 9fab863ba..7cef9a455 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,39 @@ init 3 --- +## Custom SSL Certificate + +If you want to use your own certificate, then replace both `/etc/enigma2/key.pem` and `/etc/enigma2/cert.pem` with your own key and cert, in PEM format. + +Restart Enigma2 after replacing those files. + +### Using your own CA + +You can also put the ca cert as `/etc/enigma2/ca.pem` and enable HTTPS Client Cert auth in settings you can even login using Client certs signed by the same CA auth. + +It doesn't bypass the password login yet and you should of course use your own CA, because else any client with a key signed by that CA auth can login, as there is no option to limit access to certain users (yet, and probably newer will be). + +See also #215 + +### Problems with a custom Certificate + +Creating key and cert is beyond the scope of this readme. +I found [Ivan Ristić's openssl cookbook](https://www.feistyduck.com/books/openssl-cookbook/) helpful. + +FWIW, an `ecparam` `secp384r1` key and a `ecdsa-with-SHA256` cert with 4 SAN worked just fine on the following; + +```bash +root@vuduo4kse:~# date ; cat /etc/os-release +Wed Nov 29 22:58:24 CET 2023 +ID=openbh +NAME="openbh" +VERSION="5.1" +VERSION_ID=5.1 +PRETTY_NAME="openbh 5.1" +``` + +--- + ## Development Information See what's been happening, check out the [OpenWebif changelog](CHANGES.md)
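Review bot: in the "Using your own CA" paragraph of the README hunk, one sentence is a run-on and a typo inverts its meaning. `enable HTTPS Client Cert auth in settings you can even login using Client certs signed by the same CA auth` needs a sentence break or a "then" after `in settings`, and `probably newer will be` should read `probably never will be`, otherwise readers may take it to mean per-user restrictions are coming. The heading `### Problems with a custom Certificate` also does not match its body, which describes a configuration that worked (`worked just fine on the following`); a heading like `### Tested configuration` would fit. Since the text tells users to drop their own `/etc/enigma2/key.pem` in place, it would be worth one line saying the private key file should be readable by root only (for example `chmod 600 /etc/enigma2/key.pem`), as a copied-over key is easy to leave world-readable. Finally, the subject line says the text came from `#125` while the body and the `See also #215` line say `#215`; one of the two is probably a typo.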