The CFSSL README is really good. Here's some additional notes.
- Change the expiry of the CA
- Change the default expiry of signed certificates
- Print information about a PEM-encoded certificate
## Change the expiry of the CA

Set `ca.expiry` in the CSR. In the example below, we set the CA certificate to expire in 10 years (the default is 5 years).
```json
{
  "hosts": [
    "my-ca.example.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "Internet Widgets, Inc.",
      "OU": "WWW",
      "ST": "California"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
```
Then, use that CSR when generating the self-signed root CA certificate and private key.
```shell
cfssl genkey -initca csr.json | cfssljson -bare ca
```
## Change the default expiry of signed certificates

Create a JSON file like the one below and pass it to `cfssl gencert` with the `-config` flag. In the example below, we set the expiry of generated certificates to 5 years (the default is 1 year).
```json
{
  "signing": {
    "default": {
      "usages": ["signing", "key encipherment", "server auth", "client auth"],
      "expiry": "43800h"
    }
  }
}
```
```shell
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config config.json csr.json
```
You can also define signing profiles in the config file and select one with the `-profile` flag. See the Configuration section in `doc/cmd/cfssl.txt` for more information.
## Print information about a PEM-encoded certificate

This prints information about the certificate in CFSSL's standard JSON format:

```shell
cfssl certinfo -cert ca.pem
```
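As an added, self-contained example (not code from the CFSSL README or from this page's author), the Go program below does in-process what the three sections above do with `cfssl`: it self-signs a root CA valid for the page's `87600h`, signs a leaf valid for `43800h` with the default profile's usages, and then parses each PEM back the way a `cfssl certinfo -cert` check would, so you can confirm the validity periods you configured are the ones that ended up in the certificates. The leaf host `www.example.com`, the `CertInfo` field names and the `must` helper are this example's own assumptions; the subject fields, key parameters and expiry values are the page's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Validity periods copied from the page: "87600h" (ca.expiry) and "43800h" (signing.default.expiry).
const (
	CAExpiry   = 87600 * time.Hour
	LeafExpiry = 43800 * time.Hour
)

// Names for the extended key usages the page's default profile grants.
var usageNames = map[x509.ExtKeyUsage]string{x509.ExtKeyUsageServerAuth: "server auth", x509.ExtKeyUsageClientAuth: "client auth"}

// CertInfo is a constructed, reduced stand-in for the JSON `cfssl certinfo` prints; the field names are this example's, not CFSSL's.
type CertInfo struct {
	Subject   string
	Issuer    string
	SANs      []string
	NotBefore time.Time
	NotAfter  time.Time
	IsCA      bool
	Usages    []string
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTemplate builds an x509 template from the fields the page's csr.json carries.
func newTemplate(cn string, validFor time.Duration, isCA bool) *x509.Certificate {
	now := time.Now().UTC().Truncate(time.Second) // X.509 validity times carry whole seconds
	t := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn, Country: []string{"US"}, Organization: []string{"Internet Widgets, Inc."}},
		DNSNames:              []string{cn},
		NotBefore:             now,
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // the page's default profile: signing, key encipherment, server auth, client auth
		t.KeyUsage |= x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	return t
}

// IssuePair does in-process what the two cfssl commands do: a self-signed root
// (genkey -initca) and a leaf signed by it (gencert -ca ca.pem -ca-key ca-key.pem).
func IssuePair() (caPEM, leafPEM []byte) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048)) // "algo": "rsa", "size": 2048
	caTmpl := newTemplate("my-ca.example.com", CAExpiry, true)
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER)) // sign the leaf with the encoded issuer, not the template
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafTmpl := newTemplate("www.example.com", LeafExpiry, false) // hypothetical leaf host
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(leafDER)
}

// Info reads a PEM certificate and reports what a `cfssl certinfo -cert` check would show.
func Info(pemBytes []byte) (CertInfo, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertInfo{}, fmt.Errorf("input has no CERTIFICATE PEM block")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertInfo{}, err
	}
	info := CertInfo{Subject: c.Subject.String(), Issuer: c.Issuer.String(), SANs: c.DNSNames,
		NotBefore: c.NotBefore, NotAfter: c.NotAfter, IsCA: c.IsCA}
	for _, u := range c.ExtKeyUsage {
		info.Usages = append(info.Usages, usageNames[u])
	}
	return info, nil
}

func main() {
	caPEM, leafPEM := IssuePair()
	for _, p := range [][]byte{caPEM, leafPEM} {
		fmt.Printf("%+v\n", must(Info(p)))
	}
}
```

Running it prints the root and the leaf with `NotAfter` exactly 87600h and 43800h after `NotBefore`, which is the check worth repeating on real `ca.pem` and `cert.pem` files after `cfssl gencert`: the issued lifetime comes from `signing.default.expiry` (or the selected profile), not from the CSR, and the `default` profile's usage list applies to every certificate issued without `-profile`, so a leaf meant only for a server still receives `client auth` unless a narrower profile is selected.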