Using CFSSL building your own CA and generating service specific key, cert and chain files.
another-intermediate-ca_csr.json:

{
  "CN": "Another Intermediate CA",
  "hosts": [
    ""
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {}
  ]
}

cfssl_config.json:

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "intermediate": {
        "ca_constraint": {
          "is_ca": true
        },
        "usages": [
          "cert sign",
          "crl sign"
        ],
        "expiry": "8760h"
      },
      "server": {
        "usages": [
          "server auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

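The signing config above is what decides whether a leaf certificate can itself act as a CA, so it is worth checking before `cfssl gencert -config=` uses it. The following linter is an added example, not part of the gist: it embeds a constructed copy of cfssl_config.json plus a constructed weak variant, verifies that the two profile names renew-certs.sh passes via `-profile=` exist, that only CA profiles carry `cert sign`/`crl sign`, that leaf profiles have usages and a bounded lifetime, and that every `expiry` is a Go duration string cfssl can parse. The 398-day leaf ceiling is an assumed policy value, not something cfssl enforces.

```python
"""Lint a cfssl signing config before handing it to `cfssl gencert -config=`.

Added example, not part of the gist. It embeds a constructed copy of the
gist's cfssl_config.json and checks the invariants a private-CA operator
cares about: only CA profiles carry "cert sign"/"crl sign", leaf profiles
have usages and a bounded lifetime, every profile the script names exists,
and every expiry is a Go duration cfssl can parse.
"""
import json
import re
from datetime import timedelta

# Constructed copy of the gist's cfssl_config.json.
CFSSL_CONFIG = json.loads("""
{
  "signing": {
    "default": {"expiry": "8760h"},
    "profiles": {
      "intermediate": {
        "ca_constraint": {"is_ca": true},
        "usages": ["cert sign", "crl sign"],
        "expiry": "8760h"
      },
      "server": {"usages": ["server auth"], "expiry": "8760h"}
    }
  }
}
""")

# Constructed counter-example: the "server" profile was given a CA usage and a
# ten-year lifetime, so any leaf signed with it could mint further certificates.
WEAK_CONFIG = json.loads("""
{
  "signing": {
    "default": {"expiry": "8760h"},
    "profiles": {
      "intermediate": {
        "ca_constraint": {"is_ca": true},
        "usages": ["cert sign", "crl sign"]
      },
      "server": {"usages": ["server auth", "cert sign"], "expiry": "87600h"}
    }
  }
}
""")

# Units accepted by Go's time.ParseDuration, which cfssl uses for "expiry".
_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_DUR_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

# Usages that let a certificate sign other certificates or CRLs.
CA_USAGES = {"cert sign", "crl sign"}


def parse_go_duration(text):
    """Parse a Go duration such as "8760h" or "1h30m" into a timedelta."""
    if not text or _DUR_RE.sub("", text):
        raise ValueError(f"invalid Go duration: {text!r}")
    seconds = sum(float(n) * _UNITS[u] for n, u in _DUR_RE.findall(text))
    return timedelta(seconds=seconds)


def check_signing_config(config, required=("intermediate", "server"),
                         max_leaf=timedelta(days=398)):
    """Return a list of findings; an empty list means the config passes.

    `required` are the profile names renew-certs.sh passes via -profile=.
    `max_leaf` is an assumed policy ceiling for leaf lifetimes (398 days is
    the public-CA limit; a private CA may choose its own).
    """
    findings = []
    signing = config.get("signing", {})
    profiles = signing.get("profiles", {})
    default_expiry = signing.get("default", {}).get("expiry")

    for name in required:
        if name not in profiles:
            findings.append(f"{name}: profile referenced by the script is missing")

    for name, profile in profiles.items():
        is_ca = bool(profile.get("ca_constraint", {}).get("is_ca"))
        usages = set(profile.get("usages", []))
        if is_ca and not CA_USAGES <= usages:
            findings.append(f"{name}: CA profile lacks {sorted(CA_USAGES - usages)}")
        if not is_ca and usages & CA_USAGES:
            findings.append(f"{name}: leaf profile carries {sorted(usages & CA_USAGES)}")
        if not usages:
            findings.append(f"{name}: profile has no usages")
        try:
            expiry = parse_go_duration(profile.get("expiry", default_expiry))
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        if not is_ca and expiry > max_leaf:
            findings.append(f"{name}: leaf lifetime {expiry.days}d exceeds {max_leaf.days}d")
    return findings


if __name__ == "__main__":
    for label, cfg in (("cfssl_config.json", CFSSL_CONFIG), ("weak config", WEAK_CONFIG)):
        findings = check_signing_config(cfg)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the real file with `check_signing_config(json.load(open("cfssl_config.json")))`; the gist's config passes, while the weak variant reports both the stray `cert sign` on the server profile and the oversized lifetime.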
foo-another-imap_csr.json:

{
  "CN": "some.foo.tld",
  "hosts": [
    "some.foo.tld"
  ],
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "OU": "IMAP Service"
    }
  ]
}

foo-another-smtp_csr.json:

{
  "CN": "some.foo.tld",
  "hosts": [
    "some.foo.tld"
  ],
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "OU": "SMTP Service"
    }
  ]
}

foo-root-ca_csr.json:

{
  "CN": "Foo Root CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {}
  ]
}

foo-some-web_csr.json:

{
  "CN": "some.foo.tld",
  "hosts": [
    "some.foo.tld"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "OU": "Web Service"
    }
  ]
}

renew-certs.sh:

#!/bin/sh
# Re-issue the service certificates from the intermediate CAs.
# The one-time root and intermediate generation commands are left commented
# out so that re-running this script never overwrites the CA keys.
# Uses POSIX "[ ]" tests rather than bash "[[ ]]" so it really runs under /bin/sh.
set -eu

# Foo root CA
ROOT_CA="foo-root-ca"
[ ! -d "${ROOT_CA}" ] && mkdir "${ROOT_CA}"
#cfssl genkey -initca "${ROOT_CA}_csr.json" | cfssljson -bare "${ROOT_CA}/root"

# Some intermediate CA (signed by the root with the "intermediate" profile)
INTERMEDIATE_CA="some-intermediate-ca"
[ ! -d "${INTERMEDIATE_CA}" ] && mkdir "${INTERMEDIATE_CA}"
#cfssl gencert -ca "${ROOT_CA}/root.pem" -ca-key "${ROOT_CA}/root-key.pem" -config="cfssl_config.json" -profile="intermediate" "${INTERMEDIATE_CA}_csr.json" | cfssljson -bare "${INTERMEDIATE_CA}/intermediate"

# nginx wants the key and one file containing leaf + intermediate + root
SERVICE="nginx"
CERT_NAME="foo-some-web"
[ ! -d "${INTERMEDIATE_CA}/${SERVICE}" ] && mkdir "${INTERMEDIATE_CA}/${SERVICE}"
cfssl gencert -ca "${INTERMEDIATE_CA}/intermediate.pem" -ca-key "${INTERMEDIATE_CA}/intermediate-key.pem" -config="cfssl_config.json" -profile="server" "${CERT_NAME}_csr.json" | cfssljson -bare "${INTERMEDIATE_CA}/${CERT_NAME}"
cp "${INTERMEDIATE_CA}/${CERT_NAME}-key.pem" "${INTERMEDIATE_CA}/${SERVICE}/"
cat "${INTERMEDIATE_CA}/${CERT_NAME}.pem" "${INTERMEDIATE_CA}/intermediate.pem" "${ROOT_CA}/root.pem" > "${INTERMEDIATE_CA}/${SERVICE}/${CERT_NAME}.pem"

# Another intermediate CA (signed by the root with the "intermediate" profile)
INTERMEDIATE_CA="another-intermediate-ca"
[ ! -d "${INTERMEDIATE_CA}" ] && mkdir "${INTERMEDIATE_CA}"
#cfssl gencert -ca "${ROOT_CA}/root.pem" -ca-key "${ROOT_CA}/root-key.pem" -config="cfssl_config.json" -profile="intermediate" "${INTERMEDIATE_CA}_csr.json" | cfssljson -bare "${INTERMEDIATE_CA}/intermediate"

# dovecot takes leaf and key separately plus a CA chain file (intermediate + root)
SERVICE="dovecot"
CERT_NAME="foo-another-imap"
[ ! -d "${INTERMEDIATE_CA}/${SERVICE}" ] && mkdir "${INTERMEDIATE_CA}/${SERVICE}"
cfssl gencert -ca "${INTERMEDIATE_CA}/intermediate.pem" -ca-key "${INTERMEDIATE_CA}/intermediate-key.pem" -config="cfssl_config.json" -profile="server" "${CERT_NAME}_csr.json" | cfssljson -bare "${INTERMEDIATE_CA}/${CERT_NAME}"
cp "${INTERMEDIATE_CA}/${CERT_NAME}.pem" "${INTERMEDIATE_CA}/${SERVICE}/"
cp "${INTERMEDIATE_CA}/${CERT_NAME}-key.pem" "${INTERMEDIATE_CA}/${SERVICE}/"
cat "${INTERMEDIATE_CA}/intermediate.pem" "${ROOT_CA}/root.pem" > "${INTERMEDIATE_CA}/${SERVICE}/${CERT_NAME}-cachain.pem"

# postfix: same layout as dovecot
SERVICE="postfix"
CERT_NAME="foo-another-smtp"
[ ! -d "${INTERMEDIATE_CA}/${SERVICE}" ] && mkdir "${INTERMEDIATE_CA}/${SERVICE}"
cfssl gencert -ca "${INTERMEDIATE_CA}/intermediate.pem" -ca-key "${INTERMEDIATE_CA}/intermediate-key.pem" -config="cfssl_config.json" -profile="server" "${CERT_NAME}_csr.json" | cfssljson -bare "${INTERMEDIATE_CA}/${CERT_NAME}"
cp "${INTERMEDIATE_CA}/${CERT_NAME}.pem" "${INTERMEDIATE_CA}/${SERVICE}/"
cp "${INTERMEDIATE_CA}/${CERT_NAME}-key.pem" "${INTERMEDIATE_CA}/${SERVICE}/"
cat "${INTERMEDIATE_CA}/intermediate.pem" "${ROOT_CA}/root.pem" > "${INTERMEDIATE_CA}/${SERVICE}/${CERT_NAME}-cachain.pem"

some-intermediate-ca_csr.json:

{
  "CN": "Some Intermediate CA",
  "hosts": [
    ""
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {}
  ]
}

Thanks for this. PKI is still way too difficult to sort out.

Owner

riyad commented Oct 4, 2016

Fixed some issues with this Gist:

  • Updated cfssl_config.json:
    • Made newer versions of cfssl recognize the is_ca option for intermediate CAs
    • Removed unnecessary entries in usages sections
  • Renamed intermediate CAs
  • Added missing example CSRs
  • Updated renew-certs.sh:
    • Now checks if directories exist before running mkdir (produces cleaner logs)
    • Example can now be run without errors