1b56f14c20
generate-certs.sh mints the bus CA and a NATS server certificate whose SANs cover the public IP (135.125.201.30), the WireGuard IP (10.42.0.1), the om hostname, and localhost/127.0.0.1 for on-host smoke tests (all overridable via env). Only the public ca.crt is committed; ca.key, server.key and server.crt are gitignored and distributed out of band. README documents generation, use and rotation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
7 lines
186 B
Plaintext
# Private keys and the deploy-specific server certificate never go to git.
# Only the public CA certificate (ca.crt) is versioned, because clients embed it.
*.key
*.csr
*.srl
server.crt
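Review bot: The last pattern, `server.crt`, ignores one certificate by exact file name, so any other certificate written into this directory (a server certificate saved under a different name, or a client certificate) would still be picked up by `git add`. The comment above it says only ca.crt is meant to be versioned, and an allow-list states that directly: replace `server.crt` with `*.crt` followed by `!ca.crt`. It would also help to say in the comment that these patterns do not untrack a file that has already been committed.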