mehalter
/
ansible-postgresql9-stig
mirror of https://github.com/mehalter/ansible-postgresql9-stig.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

Formatting and made pdf

master
Micah Halter 1 year ago
parent
80e1dd1ae3
commit
015f426fa5
2 changed files with 27 additions and 11 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 38
      PROCESS.md
  2. BIN
      PROCESS.pdf

38
PROCESS.md
View File

@ -126,27 +126,42 @@ $~ psql -c "CREATE EXTENSION pgcrypto"
```
# Create Self-Signed certificate
$~ openssl genrsa -aes256 -out ca.key 4096
$~ openssl req -new -x509 -sha256 -days 1825 -key ca.key -out ca.crt -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=root-ca"
$~ openssl req -new -x509 -sha256 -days 1825 -key ca.key -out ca.crt \
-subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=root-ca"
# Create Server Intermediate Certificate
$~ openssl genrsa -aes256 -out server-intermediate.key 4096
$~ openssl req -new -sha256 -days 1825 -key server-intermediate.key -out server-intermediate.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=server-im-ca"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -req -days 1825 -CA ca.crt -CAkey ca.key -CAcreateserial -in server-intermediate.csr -out server-intermediate.crt
$~ openssl req -new -sha256 -days 1825 -key server-intermediate.key \
-out server-intermediate.csr \
-subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=server-im-ca"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca \
-req -days 1825 -CA ca.crt -CAkey ca.key -CAcreateserial \
-in server-intermediate.csr -out server-intermediate.crt
# Create Client Intermediate Certificate
$~ openssl genrsa -aes256 -out client-intermediate.key 4096
$~ openssl req -new -sha256 -days 1825 -key client-intermediate.key -out client-intermediate.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=client-im-ca"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -req -days 1825 -CA ca.crt -CAkey ca.key -CAcreateserial -in client-intermediate.csr -out client-intermediate.crt
$~ openssl req -new -sha256 -days 1825 -key client-intermediate.key \
-out client-intermediate.csr \
-subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=client-im-ca"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca \
-req -days 1825 -CA ca.crt -CAkey ca.key -CAcreateserial \
-in client-intermediate.csr -out client-intermediate.crt
# Create Server Certificate
# replace dbase01 with hostname:
$~ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout server.key -out server.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=dbase01"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert -req -days 1825 -CA server-intermediate.crt -CAkey server-intermediate.key -CAcreateserial -in server.csr -out server.crt
$~ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout server.key \
-out server.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=dbase01"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert \
-req -days 1825 -CA server-intermediate.crt -CAkey server-intermediate.key \
-CAcreateserial -in server.csr -out server.crt
# Create Client Certificate
# client cert must be mapped to a postgres role either username or adding an ident_map
$~ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout client.key -out client.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=ident_map"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert -req -days 1825 -CA client-intermediate.crt -CAkey client-intermediate.key -CAcreateserial -in client.csr -out client.crt
# client cert must be mapped to a postgres role
$~ openssl req -nodes -new -newkey rsa:4096 -sha256 -keyout client.key \
-out client.csr -subj "/C=US/ST=GA/L=Atlanta/O=GTRI/CN=ident_map"
$~ openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert \
-req -days 1825 -CA client-intermediate.crt -CAkey client-intermediate.key \
-CAcreateserial -in client.csr -out client.crt
$~ cat server.crt server-intermediate.crt ca.crt > ./server-full.crt
# place ca.crt, server.key, server-full.crt in the $PGDATA directory
@ -191,7 +206,8 @@ Copy the certificates on the client (update paths as needed)
$~ mkdir $CLIENT_HOME/.postgresql
$~ cp ca.crt $CLIENT_HOME/.postgresql/root.crt
$~ cp client.key $CLIENT_HOME/.postgresql/postgresql.key
$~ cat client.crt client-intermediate.crt ca.crt > $CLIENT_HOME/.postgresql/postgresql.crt
$~ cat client.crt client-intermediate.crt ca.crt \
> $CLIENT_HOME/.postgresql/postgresql.crt
$~ chmod 600 $CLIENT_HOME/.postgresql/*
```

BIN
PROCESS.pdf
View File

Write Preview
Loading…
Cancel
Save