An example how to use cfssl
The key path is ~/.config/demo-cfssl at that place all the files are stored:
CA, ICA and server DN.O: 000 Special Org
Other components of the X.509 DN (distingushed name is in *.json)
| file name | purpose - description |
|---|---|
| ca-bundle.pem | root CA + intermediate CA certs |
| ca-key.pem | private key for root CA |
| ca.csr | CA signing request |
| ca.pem | root CA cert |
| dhparam.pem | DH parameters used by TLS server |
| ica-key.pem | intermediate CA cert |
| ica-self.pem | self-signed interediate CA cert |
| ica.csr | intermediate CA signing requests |
| ica.pem | root CA signed intermediate CA certificate |
| localhost-server-bundle.pem | server cert + ca-bundle |
| localhost-server-haproxy.pem | server bundle + private key for server cert |
| localhost-server-key.pem | server private key |
| localhost-server.csr | server cert signign request |
| localhost-server.pem | server cert alone |
This line in ./mkCert.sh creates the actual host certificate:
# ...
mkCert 03_host.json $C_TYPE $C_FN
# ...parameters:
C_TYPE=serverref. profiles.jsonC_FNis just a filename.
You should also tweak 03_host.json either via
jq . 03_host.json | jq '.names[0].ST="Some" | .hosts=["super.name.lan"]' >tmp-03_host.jsonAlso a thing to look at is the profiles.json...
This example runs containerized in particular Dockerized.
Platform binaries to be downloaded at https://github.com/cloudflare/cfssl/releases:
- cfssl-bundle
- cfssl-certinfo
- cfssl-newkey
- cfssl-scan
- cfssljson - program, which takes the JSON output from the cfssl and multirootca programs and writes certificates, keys, CSRs, and bundles to disk
- cfssl - program, which is the canonical command line utility using the CFSSL packages
- mkbundle - program is used to build certificate pool bundles
- multirootca - program, which is a certificate authority server that can use multiple signing keys
...it is GO-Lang: go get github.com/cloudflare/cfssl/cmd/...
Firefox: have independed certificate store (incl.RootCA). Chrome & Safari & Edge/Chrome use the system cert store (incl.RootCA).
export BP="$HOME/.config/demo-ssl"
# following does not work with `update-ca-certificates`
# export DST="/usr/share/ca-certificates/extra"
export DST="/usr/local/share/ca-certificates/extra"
sudo mkdir -p "$DST"
cat "$BP/ca.pem" | sudo tee "$DST/000ca.crt"
sudo update-ca-certificates
# sudo dpkg-reconfigure ca-certificatescheck intermediate CA CERT w/explicit root CA CERT:
openssl verify -CAfile "$BP/ca.pem" -verbose "$BP/ica.pem"check intermediate CA CERT w/system root CA CERT - verifies the deployment went well:
openssl verify -verbose "$BP/ica.pem"Note: in the following examples the parameter
-untrustedis the actual and correct one, as the trustworthiness is verified by the root CA...
check host CERT w/explicit root CA:
openssl verify -verbose -CAfile "$BP/ca.pem" \
-untrusted "$BP/ica.pem" "$BP/localhost-server.pem"check host CERT w/system root CA:
openssl verify -verbose -untrusted "$BP/ica.pem" "$BP/localhost-server.pem"Note: cfssl does not support plug-in (USB, Bluetooth, NFC) PKCS#11 tokens :-(
This addition presents the use of generated CA's keys with haproxy in Docker container.
To test at first run the certificate creation as described above and the run ./demoHaproxy.sh