Several updates #4

* Improved offline install docs
* Migrated token mechanism backend to SQL
* Preliminary token mechanism frontend integration
* Add clock skew tolerance for OCSP
* Add 'ldap computer filter' support for Kerberized machine enroll
* Include OCSP and CRL URL-s in certificates, controlled by profile.conf
* Better certificate extension handling
* Place DH parameters file in /etc/ssl/dhparam.pem
* Always talk to CA over port 8443 for 'certidude enroll'
* Hardened frontend nginx config
* Separate log files for frontend nginx
* Better provisioning heuristics
* Add sample site.sh config for LEDE image builder
* Add more device profiles for LEDE image builder
* Various bugfixes and improvements

doc/overlay/usr/bin/certidude-enroll

@@ -122,6 +122,11 @@ logger -t certidude -s "Certificate md5sum: $(md5sum -b $CERTIFICATE_PATH.part)"
 
 uci commit
 
+echo $AUTHORITY_PATH >> /etc/sysupgrade.conf
+echo $CERTIFICATE_PATH >> /etc/sysupgrade.conf
+echo $KEY_PATH >> /etc/sysupgrade.conf
+echo $REQUEST_PATH >> /etc/sysupgrade.conf
+
 mv $CERTIFICATE_PATH.part $CERTIFICATE_PATH
 
 # Start services

doc/overlay/usr/bin/certidude-enroll-renew

@@ -8,6 +8,8 @@ CERTIFICATE_PATH=$DIR/host_cert.pem
 REQUEST_PATH=$DIR/host_req.pem
 KEY_PATH=$DIR/host_key.pem
 
+# TODO: fix Accepted 202 here
+
 curl -f -L \
     -H "Content-Type: application/pkcs10" \
     --data-binary @$REQUEST_PATH \