GothenburgBitFactory
self-signed certs are unnecessary and avoidable
The documentation implies that your only options are self-signed certs, or buying a cert from a provider. Both of these are problematic: A publicly verifiable cert is pointless for a private server (which most of us are using), and you can set up your own (private/offline) CA to avoid self-signing.
(The only reason to resort to self-signed certs is for a product that has to be configured by https, to get around the chicken-egg problem. That doesn't apply to taskserver.)
Here is a minimal shell session to set up your own CA and generate the files that the server and client need. This uses the LibreSSL/OpenSSL toolset, but it could probably be translated to GnuTLS (certtool et al). It puts a passphrase on the CA key but not the server and client keys.
$ rm -fr pki
$ mkdir pki
$ cd pki
$ cat <<@ >taskd.cnf
[ca]
default_ca = ca.cert
unique_subject = yes
[ca.cert]
certificate = ca.cert.pem
private_key = ca.key.pem
new_certs_dir = .
database = index.txt
serial = serial
default_md = sha256
policy = optional
email_in_dn = no
default_days = 180
default_crl_days= 90
[optional]
@
$ touch index.txt index.txt.attr
$ openssl rand -hex -out serial 16
$ openssl req -new -newkey rsa:2048 -keyout ca.key.pem -out ca.cert.pem \
-x509 -days 365 -subj '/CN=taskd CA'
Generating a RSA private key
.+++++
........................................................+++++
writing new private key to 'ca.key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
$ openssl req -new -newkey rsa:2048 -keyout server.key.pem -out server.req.pem \
-nodes -subj '/CN=taskd server'
Generating a RSA private key
..................................................................+++++
......................................+++++
writing new private key to 'server.key.pem'
-----
$ openssl req -new -newkey rsa:2048 -keyout client.key.pem -out client.req.pem \
-nodes -subj '/CN=taskd client'
Generating a RSA private key
..+++++
...................................................................................+++++
writing new private key to 'client.key.pem'
-----
$ openssl ca -config taskd.cnf -gencrl -cert ca.cert.pem -out server.crl.pem
Using configuration from taskd.cnf
Enter pass phrase for ca.key.pem:
$ openssl ca -config taskd.cnf -in server.req.pem -out server.cert.pem -batch
Using configuration from taskd.cnf
Enter pass phrase for ca.key.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'taskd server'
Certificate is to be certified until Jul 5 11:31:36 2019 GMT (180 days)
Write out database with 1 new entries
Data Base Updated
$ openssl ca -config taskd.cnf -in client.req.pem -out client.cert.pem -batch
Using configuration from taskd.cnf
Enter pass phrase for ca.key.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'taskd client'
Certificate is to be certified until Jul 5 11:31:38 2019 GMT (180 days)
Write out database with 1 new entries
Data Base Updated
$ openssl rsa -in client.key.pem -out client.pk1.pem
writing RSA key
$ # Additional step if client (e.g. Android Taskwarrior) requires private key
$ # in PKCS#1 format
$ openssl rsa -in client.key.pem -out client.pk1.pem
writing RSA key
$ tail -n1 ca.cert.pem server.crl.pem server.cert.pem server.key.pem \
client.cert.pem client.key.pem client.pk1.pem
==> ca.cert.pem <==
-----END CERTIFICATE-----
==> server.crl.pem <==
-----END X509 CRL-----
==> server.cert.pem <==
-----END CERTIFICATE-----
==> server.key.pem <==
-----END PRIVATE KEY-----
==> client.cert.pem <==
-----END CERTIFICATE-----
==> client.key.pem <==
-----END PRIVATE KEY-----
==> client.pk1.pem <==
-----END RSA PRIVATE KEY-----
It could of course be modularized like the generate scripts, but that's something that easy-rsa has already done.
My suggestion is to update the scripts and documentation to facilitate making a CA instead of self-signing.
