Last active
November 17, 2018 22:35
-
-
Save riyad/e9dd6e688ea5de69a65a to your computer and use it in GitHub Desktop.
Using CFSSL building your own CA and generating service specific key, cert and chain files.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"CN": "Another Intermediate CA", | |
"hosts": [ | |
"" | |
], | |
"key": { | |
"algo": "ecdsa", | |
"size": 384 | |
}, | |
"names": [ | |
{ | |
} | |
] | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"signing": { | |
"default": { | |
"expiry": "8760h" | |
}, | |
"profiles": { | |
"intermediate": { | |
"ca_constraint": { | |
"is_ca": true | |
}, | |
"usages": [ | |
"cert sign", | |
"crl sign" | |
], | |
"expiry": "8760h" | |
}, | |
"server": { | |
"usages": [ | |
"server auth" | |
], | |
"expiry": "8760h" | |
} | |
} | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"CN": "some.foo.tld", | |
"hosts": [ | |
"some.foo.tld" | |
], | |
"key": { | |
"algo": "rsa", | |
"size": 4096 | |
}, | |
"names": [ | |
{ | |
"OU": "IMAP Service" | |
} | |
] | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"CN": "some.foo.tld", | |
"hosts": [ | |
"some.foo.tld" | |
], | |
"key": { | |
"algo": "rsa", | |
"size": 4096 | |
}, | |
"names": [ | |
{ | |
"OU": "SMTP Service" | |
} | |
] | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"CN": "Foo Root CA", | |
"key": { | |
"algo": "ecdsa", | |
"size": 384 | |
}, | |
"names": [ | |
{ | |
} | |
] | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"CN": "some.foo.tld", | |
"hosts": [ | |
"some.foo.tld" | |
], | |
"key": { | |
"algo": "ecdsa", | |
"size": 384 | |
}, | |
"names": [ | |
{ | |
"OU": "Web Service" | |
} | |
] | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
# Author: Riyad Preukschas <riyad@informatik.uni-bremen.de> | |
# License: MIT | |
# | |
# Generates root, internediate CA and service keys. | |
function generate_root_ca() { | |
local root_ca="$1" | |
echo "Generating root CA into ${root_ca}/" | |
[[ ! -d "${root_ca}" ]] && mkdir "${root_ca}" | |
cfssl genkey -initca "${root_ca}_csr.json" | cfssljson -bare "${root_ca}/root" | |
} | |
function generate_intermediate_ca() { | |
local root_ca="$1" | |
local intermediate_ca="$2" | |
echo "Generating intermediate CA into ${intermediate_ca}/ (for root CA ${root_ca}/)" | |
[[ ! -d "${intermediate_ca}" ]] && mkdir "${intermediate_ca}" | |
cfssl gencert -ca "${root_ca}/root.pem" -ca-key "${root_ca}/root-key.pem" -config="config.json" -profile="intermediate" "${intermediate_ca}_csr.json" | cfssljson -bare "${intermediate_ca}/intermediate" | |
} | |
function generate_service_keys() { | |
local root_ca="$1" | |
local intermediate_ca="$2" | |
local service_type="$3" | |
local key_name="$4" | |
local dist_dir="${intermediate_ca}/dist" | |
echo "Generating ${service_type} key pair into ${intermediate_ca}/" | |
[[ ! -d "${dist_dir}" ]] && mkdir "${dist_dir}" | |
cfssl gencert -ca "${intermediate_ca}/intermediate.pem" -ca-key "${intermediate_ca}/intermediate-key.pem" -config="config.json" -profile="server" "${key_name}_csr.json" | cfssljson -bare "${intermediate_ca}/${key_name}" | |
cp "${intermediate_ca}/${key_name}.pem" "${dist_dir}/" | |
cp "${intermediate_ca}/${key_name}-key.pem" "${dist_dir}/" | |
case "${service_type}" in | |
dovecot) | |
cat "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}-cachain.pem" | |
;; | |
nginx) | |
cat "${intermediate_ca}/${key_name}.pem" "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}.pem" | |
;; | |
postfix) | |
cat "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}-cachain.pem" | |
;; | |
esac | |
} | |
# Foo root CA | |
ROOT_CA="foo-root-ca" | |
#generate_root_ca "${ROOT_CA}" | |
# Some intermediate CA | |
generate_intermediate_ca "${ROOT_CA}" "some-intermediate-ca" | |
generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "nginx" "foo-some-web" | |
# Another intermediate CA | |
generate_intermediate_ca "${ROOT_CA}" "another-intermediate-ca" | |
generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "dovecot" "foo-another-imap" | |
generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "postfix" "foo-another-smtp" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"CN": "Some Intermediate CA", | |
"hosts": [ | |
"" | |
], | |
"key": { | |
"algo": "ecdsa", | |
"size": 384 | |
}, | |
"names": [ | |
{ | |
} | |
] | |
} |
Fixed some issues with this Gist:
- Updated
cfssl_config.json
:- Made newer versions of
cfssl
recognize the theis_ca
option for intermediate CAs - Removed unnecessary entries in
usages
sections
- Made newer versions of
- Renamed intermediate CAs
- Added missing example CSRs
- Updated
renew-certs.sh
:- Now checks if directories exist before running
mkdir
(produces cleaner logs) - Example can now be run without errors
- Now checks if directories exist before running
Update:
- Cleaned up
renew-certs.sh
by extracting functions for generating root CA, intermediate CA and service keys.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for this. PKI is still way too difficult to sort out.