cfssl root CA with intermediate
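#!/bin/bash
# Create a root CA and an intermediate CA signed by it, using cfssl.
#
# Inputs (current directory):
#   config-root.json         - CSR request for the root CA
#   config-intermediate.json - CSR request for the intermediate CA
#   profiles.json            - signing profiles; "intermediate_ca" carries the
#                              CA constraint used when the root signs the
#                              intermediate
# Outputs (current directory):
#   ${CA_NAME}.pem, ${CA_NAME}-key.pem
#   ${CA_NAME}-intermediate.pem, ${CA_NAME}-intermediate-key.pem
# Env:
#   CA_NAME - base name for the CA files (default: ca)
#
# pipefail: without it a failing cfssl is masked by a succeeding cfssljson and
# the script would carry on with missing or stale key material.
set -euo pipefail

CA_NAME=${CA_NAME:-ca}

# Root CA: self-signed key pair; the CSR is not needed once the cert exists.
cfssl gencert -initca config-root.json | cfssljson -bare "${CA_NAME}"
rm -- "${CA_NAME}.csr"

# Intermediate CA: -initca yields a self-signed placeholder plus a CSR; the CSR
# is then signed by the root with the intermediate_ca profile and written to
# the same -bare base name, replacing the placeholder cert.
cfssl gencert -initca config-intermediate.json | cfssljson -bare "${CA_NAME}-intermediate"
# The root's files are derived from CA_NAME, not hard-coded as ca.pem /
# ca-key.pem, so a non-default CA_NAME signs with the CA this script created.
cfssl sign \
  -ca "${CA_NAME}.pem" \
  -ca-key "${CA_NAME}-key.pem" \
  -config profiles.json \
  -profile intermediate_ca \
  "${CA_NAME}-intermediate.csr" | cfssljson -bare "${CA_NAME}-intermediate"
rm -- "${CA_NAME}-intermediate.csr"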
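#!/bin/bash
# Issue peer, server and client leaf certificates for service.json from the
# intermediate CA produced by the companion CA script.
#
# Inputs (current directory):
#   ${CA_NAME}-intermediate.pem, ${CA_NAME}-intermediate-key.pem - issuing CA
#   profiles.json - signing profiles "peer", "server" and "client"
#   service.json  - CSR request (CN, hosts, key parameters)
# Outputs (current directory):
#   service-<profile>.pem, service-<profile>-key.pem, service-<profile>.csr
#   for each of peer, server, client
# Env:
#   CA_NAME - base name of the CA files (default: ca)
#
# Abort on the first failed step so a missing CA file or a rejected profile
# does not leave a partial set of certificates behind; pipefail keeps a failing
# cfssl from being masked by cfssljson.
set -euo pipefail

CA_NAME=${CA_NAME:-ca}

#######################################
# Issue one leaf certificate from the intermediate CA.
# Globals:   CA_NAME (read)
# Arguments: $1 - signing profile name from profiles.json
# Outputs:   writes service-<profile>{.pem,-key.pem,.csr} via cfssljson
# Returns:   non-zero if cfssl or cfssljson fails
#######################################
issue_cert() {
  local profile=$1
  cfssl gencert \
    -ca "${CA_NAME}-intermediate.pem" \
    -ca-key "${CA_NAME}-intermediate-key.pem" \
    -config profiles.json \
    -profile="${profile}" service.json | cfssljson -bare "service-${profile}"
}

# One leaf per profile; the profile selects the key usages in profiles.json.
for profile in peer server client; do
  issue_cert "${profile}"
done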
{
"CN": "Intermediate CA",
"key": {
"algo": "rsa",
"size": 4096
},
"names": [{
"C": "DE",
"L": "Monschau",
"O": "CA",
"OU": "Intermediate CA",
"ST": "Germany"
}]
}
{
"CN": "Root CA",
"key": {
"algo": "rsa",
"size": 4096
},
"names": [{
"C": "DE",
"L": "Monschau",
"O": "CA",
"OU": "Root CA",
"ST": "Germany"
}]
}
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"intermediate_ca": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign",
"server auth",
"client auth"
],
"expiry": "8760h",
"ca_constraint": {
"is_ca": true,
"max_path_len": 0,
"max_path_len_zero": true
}
},
"peer": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth",
"server auth"
],
"expiry": "8760h"
},
"server": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"server auth"
],
"expiry": "8760h"
},
"client": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth"
],
"expiry": "8760h"
}
}
}
}
{
"CN": "service.namespace.svc.cluster.local",
"key": {
"algo": "rsa",
"size": 4096
},
"names": [{
"C": "DE",
"L": "Monschau",
"O": "Service",
"OU": "Service Hosts",
"ST": "Germany"
}],
"hosts": [
"service.namespace.svc.cluster.local",
"localhost"
]
}