
Formatting and made pdf

Micah Halter 9 months ago
parent
commit
015f426fa5
2 changed files with 27 additions and 11 deletions
  1. +27
    -11
      PROCESS.md
  2. BIN
      PROCESS.pdf

+ 27
- 11
PROCESS.md View File

@ -126,27 +126,42 @@ $~ psql -c "CREATE EXTENSION pgcrypto"
```
# Create Self-Signed certificate
$~ openssl genrsa -aes256 -out ca.key 4096
$~ openssl req -new -x509 -sha256 -days 1825 -key ca.key -out ca.crt -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=root-ca"
$~ openssl req -new -x509 -sha256 -days 1825 -key ca.key -out ca.crt \
-subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=root-ca"
# Create Server Intermediate Certificate
$~ openssl genrsa -aes256 -out server-intermediate.key 4096
$~ openssl req -new -sha256 -days 1825 -key server-intermediate.key -out server-intermediate.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=server-im-ca"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -req -days 1825 -CA ca.crt -CAkey ca.key -CAcreateserial -in server-intermediate.csr -out server-intermediate.crt
$~ openssl req -new -sha256 -days 1825 -key server-intermediate.key \
-out server-intermediate.csr \
-subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=server-im-ca"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca \
-req -days 1825 -CA ca.crt -CAkey ca.key -CAcreateserial \
-in server-intermediate.csr -out server-intermediate.crt
# Create Client Intermediate Certificate
$~ openssl genrsa -aes256 -out client-intermediate.key 4096
$~ openssl req -new -sha256 -days 1825 -key client-intermediate.key -out client-intermediate.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=client-im-ca"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -req -days 1825 -CA ca.crt -CAkey ca.key -CAcreateserial -in client-intermediate.csr -out client-intermediate.crt
$~ openssl req -new -sha256 -days 1825 -key client-intermediate.key \
-out client-intermediate.csr \
-subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=client-im-ca"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca \
-req -days 1825 -CA ca.crt -CAkey ca.key -CAcreateserial \
-in client-intermediate.csr -out client-intermediate.crt
# Create Server Certificate
# replace dbase01 with hostname:
$~ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout server.key -out server.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=dbase01"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert -req -days 1825 -CA server-intermediate.crt -CAkey server-intermediate.key -CAcreateserial -in server.csr -out server.crt
$~ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout server.key \
-out server.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=dbase01"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert \
-req -days 1825 -CA server-intermediate.crt -CAkey server-intermediate.key \
-CAcreateserial -in server.csr -out server.crt
# Create Client Certificate
# client cert must be mapped to a postgres role either username or adding an ident_map
$~ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout client.key -out client.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=ident_map"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert -req -days 1825 -CA client-intermediate.crt -CAkey client-intermediate.key -CAcreateserial -in client.csr -out client.crt
# client cert must be mapped to a postgres role
$~ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout client.key \
-out client.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=ident_map"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert \
-req -days 1825 -CA client-intermediate.crt -CAkey client-intermediate.key \
-CAcreateserial -in client.csr -out client.crt
$~ cat server.crt server-intermediate.crt ca.crt > ./server-full.crt
# place ca.crt, server.key, server-full.crt in the $PGDATA directory
@ -191,7 +206,8 @@ Copy the certificates on the client (update paths as needed)
$~ mkdir $CLIENT_HOME/.postgresql
$~ cp ca.crt $CLIENT_HOME/.postgresql/root.crt
$~ cp client.key $CLIENT_HOME/.postgresql/postgresql.key
$~ cat client.crt client-intermediate.crt ca.crt > $CLIENT_HOME/.postgresql/postgresql.crt
$~ cat client.crt client-intermediate.crt ca.crt \
> $CLIENT_HOME/.postgresql/postgresql.crt
$~ chmod 600 $CLIENT_HOME/.postgresql/*
```
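Review bot: The rewrapped comment `# client cert must be mapped to a postgres role` drops the old line's "either username or adding an ident_map" clause, so the placeholder CN `ident_map` in the `-subj` two lines below is now unexplained and a reader cannot tell whether the CN must equal the database role name or whether a pg_ident.conf map is expected. Suggest restoring the detail, e.g. `# client cert must be mapped to a postgres role: set CN to the role name, or add a pg_ident.conf map for it`. Two pre-existing points that this rewrap carries over unchanged: `-days 1825` on the two `openssl req -new` CSR commands has no effect (for `openssl req` it only applies together with `-x509`, the signing `openssl x509 -req -days` is what sets the lifetime), and both intermediates are signed with the stock `v3_ca` section, which, if openssl.cnf is unmodified, sets `CA:true` with no path-length limit, so either intermediate could itself issue further CA certificates; a `basicConstraints = critical,CA:true,pathlen:0` in a dedicated extfile would close that. Since these commands are run verbatim by whoever follows PROCESS.md, fixing them here is worthwhile even though the commit is only a formatting pass.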


BIN
PROCESS.pdf View File

