Instantly share code, notes, and snippets.

Embed
What would you like to do?
Using CFSSL building your own CA and generating service specific key, cert and chain files.
{
"CN": "Another Intermediate CA",
"hosts": [
""
],
"key": {
"algo": "ecdsa",
"size": 384
},
"names": [
{
}
]
}
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"intermediate": {
"ca_constraint": {
"is_ca": true
},
"usages": [
"cert sign",
"crl sign"
],
"expiry": "8760h"
},
"server": {
"usages": [
"server auth"
],
"expiry": "8760h"
}
}
}
}
{
"CN": "some.foo.tld",
"hosts": [
"some.foo.tld"
],
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"OU": "IMAP Service"
}
]
}
{
"CN": "some.foo.tld",
"hosts": [
"some.foo.tld"
],
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"OU": "SMTP Service"
}
]
}
{
"CN": "Foo Root CA",
"key": {
"algo": "ecdsa",
"size": 384
},
"names": [
{
}
]
}
{
"CN": "some.foo.tld",
"hosts": [
"some.foo.tld"
],
"key": {
"algo": "ecdsa",
"size": 384
},
"names": [
{
"OU": "Web Service"
}
]
}
#!/bin/bash
#
# Riyad Preukschas <riyad@informatik.uni-bremen.de>
#
# Generates root, internediate CA and service keys.
function generate_root_ca() {
local root_ca="$1"
echo "Generating root CA into ${root_ca}/"
[[ ! -d "${root_ca}" ]] && mkdir "${root_ca}"
cfssl genkey -initca "${root_ca}_csr.json" | cfssljson -bare "${root_ca}/root"
}
function generate_intermediate_ca() {
local root_ca="$1"
local intermediate_ca="$2"
echo "Generating intermediate CA into ${intermediate_ca}/ (for root CA ${root_ca}/)"
[[ ! -d "${intermediate_ca}" ]] && mkdir "${intermediate_ca}"
cfssl gencert -ca "${root_ca}/root.pem" -ca-key "${root_ca}/root-key.pem" -config="config.json" -profile="intermediate" "${intermediate_ca}_csr.json" | cfssljson -bare "${intermediate_ca}/intermediate"
}
function generate_service_keys() {
local root_ca="$1"
local intermediate_ca="$2"
local service_type="$3"
local key_name="$4"
local dist_dir="${intermediate_ca}/dist"
echo "Generating ${service_type} key pair into ${intermediate_ca}/"
[[ ! -d "${dist_dir}" ]] && mkdir "${dist_dir}"
cfssl gencert -ca "${intermediate_ca}/intermediate.pem" -ca-key "${intermediate_ca}/intermediate-key.pem" -config="config.json" -profile="server" "${key_name}_csr.json" | cfssljson -bare "${intermediate_ca}/${key_name}"
cp "${intermediate_ca}/${key_name}.pem" "${dist_dir}/"
cp "${intermediate_ca}/${key_name}-key.pem" "${dist_dir}/"
case "${service_type}" in
dovecot)
cat "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}-cachain.pem"
;;
nginx)
cat "${intermediate_ca}/${key_name}.pem" "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}.pem"
;;
postfix)
cat "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}-cachain.pem"
;;
esac
}
# Foo root CA
ROOT_CA="foo-root-ca"
#generate_root_ca "${ROOT_CA}"
# Some intermediate CA
generate_intermediate_ca "${ROOT_CA}" "some-intermediate-ca"
generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "nginx" "foo-some-web"
# Another intermediate CA
generate_intermediate_ca "${ROOT_CA}" "another-intermediate-ca"
generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "dovecot" "foo-another-imap"
generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "postfix" "foo-another-smtp"
{
"CN": "Some Intermediate CA",
"hosts": [
""
],
"key": {
"algo": "ecdsa",
"size": 384
},
"names": [
{
}
]
}
@mgoodness

This comment has been minimized.

Show comment
Hide comment
@mgoodness

mgoodness Dec 10, 2015

Thanks for this. PKI is still way too difficult to sort out.

mgoodness commented Dec 10, 2015

Thanks for this. PKI is still way too difficult to sort out.

@riyad

This comment has been minimized.

Show comment
Hide comment
@riyad

riyad Oct 4, 2016

Fixed some issues with this Gist:

  • Updated cfssl_config.json:
    • Made newer versions of cfssl recognize the the is_ca option for intermediate CAs
    • Removed unnecessary entries in usages sections
  • Renamed intermediate CAs
  • Added missing example CSRs
  • Updated renew-certs.sh:
    • Now checks if directories exist before running mkdir (produces cleaner logs)
    • Example can now be run without errors
Owner

riyad commented Oct 4, 2016

Fixed some issues with this Gist:

  • Updated cfssl_config.json:
    • Made newer versions of cfssl recognize the the is_ca option for intermediate CAs
    • Removed unnecessary entries in usages sections
  • Renamed intermediate CAs
  • Added missing example CSRs
  • Updated renew-certs.sh:
    • Now checks if directories exist before running mkdir (produces cleaner logs)
    • Example can now be run without errors
@riyad

This comment has been minimized.

Show comment
Hide comment
@riyad

riyad Oct 8, 2017

Update:

  • Cleaned up renew-certs.sh by extracting functions for generating root CA, intermediate CA and service keys.
Owner

riyad commented Oct 8, 2017

Update:

  • Cleaned up renew-certs.sh by extracting functions for generating root CA, intermediate CA and service keys.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment