fix README.md for ca_generator.sh (#124)

secretflow · Aug 8, 2023 · e3570e9 · e3570e9
1 parent 5de9c74
commit e3570e9
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/test-tools/README.md b/test-tools/README.md
@@ -8,7 +8,7 @@ If you want to enable tls in SCQL but don't have existing CA files, ca_generator
 
 Run the command below to generate CA files:
 ```sh
-sh ca_generator.sh
+bash ca_generator.sh
 ```
 
 If the script completes successfully, you can obtain these CA files as follows:
@@ -46,6 +46,7 @@ Deploy CA files in your environments for SCQL to use:
 
 The default generated CA files may not work well in your environment, if you encounter problems, please check the following:
 
-- Script default add ``scdb/engine_alice/engine_bob/engine_carol`` to ``subjectAltName`` and generate CA for these nodes, please modifying if nodes' hosts do not matched.
+- Script default add hosts ``localhost/scdb/engine_alice/engine_bob/engine_carol`` to ``subjectAltName``, so the generated CA can only be used for these hosts. please modifying if nodes' hosts do not matched.
+  > e.g: If your scdb listens on IP xxx, you need to add ``IP.2 = xxx`` to ``[sans]`` in ca_generator.sh
 
-- Auto generated root-ca.crt may not be trusted by default, try to use trusted CA as root-ca.crt and run the script again, please refer to the comments at the beginning of the ca_generator.sh for usage. If and only if in linux ``test environments``, you can optionally cp root-ca.crt to /etc/ssl/certs.
+- Auto generated root-ca.crt may not be trusted by default, try to use trusted CA as root-ca.crt and run the script again, please refer to the comments at the beginning of the ca_generator.sh for usage. If and only if in linux ``test environments``, you can optionally cp root-ca.crt to /etc/ssl/certs in the environments running scdbclient and scdb
diff --git a/test-tools/ca_generator.sh b/test-tools/ca_generator.sh
@@ -67,7 +67,14 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
-subjectAltName = DNS:localhost,DNS:scdb,DNS:engine_alice,DNS:engine_bob,DNS:engine_carol
+subjectAltName = @sans
+[sans]
+DNS.1 = localhost
+DNS.2 = scdb
+DNS.3 = engine_alice
+DNS.4 = engine_bob
+DNS.5 = engine_carol
+IP.1 = 127.0.0.1
 EOF
 
 # Use existing root CA if present