The CFSSL README is really good. Here are some additional notes.
- Change the expiry of the CA
- Change the default expiry of signed certificates
- Print information about a PEM-encoded certificate

To change the expiry of the CA, set ca.expiry in the CSR. In the example below, we set the CA certificate to expire in 10 years (default is 5 years).

    {
        "hosts": [
            "my-ca.example.com"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "US",
                "L": "San Francisco",
                "O": "Internet Widgets, Inc.",
                "OU": "WWW",
                "ST": "California"
            }
        ],
        "ca": {
            "expiry": "87600h"
        }
    }

Then, use that CSR when generating the self-signed root CA certificate and private key.

    cfssl genkey -initca csr.json | cfssljson -bare ca

To change the default expiry of signed certificates, create a JSON file that looks like the following and pass it to cfssl gencert with the -config flag.
In the example below, we set the expiry of the generated certificate to 5 years (default is 1 year).

    {
        "signing": {
            "default": {
                "usages": ["signing", "key encipherment", "server auth", "client auth"],
                "expiry": "43800h"
            }
        }
    }

    cfssl gencert -ca ca.pem -ca-key ca-key.pem -config config.json csr.json

You can also define signing profiles in the config file and select them with the -profile flag. See the Configuration section in doc/cmd/cfssl.txt for more information.

The following command prints information about a PEM-encoded certificate in CFSSL's standard JSON format.

    cfssl certinfo -cert ca.pem
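
The two expiry settings above interact: a certificate whose lifetime is as long as the CA's will still be in use after the CA certificate that validates it has expired. The Go program below is an added example, not part of CFSSL or the README; it reads a CA CSR and a signing config and lists the default and any named profiles whose expiry is not shorter than the CA's. The name Audit is hypothetical, the fallback values are the defaults these notes state, and treating a named profile with no expiry as an error is this example's own choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// expiry holds a CFSSL expiry string, which uses Go duration syntax ("87600h").
type expiry struct{ Expiry string }

// Audit returns the signing profiles whose certificates would outlive the CA.
func Audit(csrJSON, cfgJSON string) (map[string]time.Duration, error) {
	var d struct {
		CA      expiry
		Signing struct {
			Default  expiry
			Profiles map[string]expiry
		}
	}
	d.CA.Expiry, d.Signing.Default.Expiry = "43800h", "8760h" // defaults per the notes
	for _, raw := range []string{csrJSON, cfgJSON} { // CSR supplies ca.*, config supplies signing.*
		if err := json.Unmarshal([]byte(raw), &d); err != nil {
			return nil, err
		}
	}
	ca, err := time.ParseDuration(d.CA.Expiry)
	if err != nil {
		return nil, fmt.Errorf("ca.expiry: %w", err)
	}
	all := map[string]expiry{"signing.default": d.Signing.Default}
	for name, p := range d.Signing.Profiles {
		all["signing.profiles."+name] = p
	}
	bad := map[string]time.Duration{}
	for path, p := range all {
		v, err := time.ParseDuration(p.Expiry) // an empty expiry is rejected here
		if err != nil {
			return nil, fmt.Errorf("%s.expiry: %w", path, err)
		}
		if v >= ca { // issued any time after the CA, it would end after the CA does
			bad[path] = v
		}
	}
	return bad, nil
}

func main() { // constructed input: the notes' signing config against a CSR with no ca.expiry
	fmt.Println(Audit(`{"ca":{}}`, `{"signing":{"default":{"expiry":"43800h"}}}`))
}
```

With the 10-year CA CSR from these notes the same signing config produces no findings; with a CA left at the 5-year default, the 5-year signing default is reported.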