This article describes how to generate certificates using CFSSL.
When generating the root CA, cfssl does not honour the options in config.json,
so all of the CA's parameters (key, expiry, subject names) have to go into the CSR file:
ca/ca-csr.json
{
  "CN": "X-Truder networks",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "ca": {
    "expiry": "87600h"
  },
  "names": [
    {
      "C": "SI",
      "ST": "Ljubljana",
      "L": "Ljubljana",
      "O": "X-Truder",
      "OU": "Security"
    }
  ]
}
To generate the CA, run the following command:
cfssl gencert -initca ./ca/ca-csr.json | cfssljson -bare ./ca/ca
config.json
{
  "signing": {
    "profiles": {
      "server": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "720h"
      },
      "client": {
        "usages": [
          "digital signature",
          "cert sign",
          "crl sign",
          "signing"
        ],
        "expiry": "24h"
      },
      "signing": {
        "usages": [
          "digital signature",
          "cert sign",
          "crl sign",
          "signing"
        ],
        "expiry": "8760h",
        "ca_constraint": {"is_ca": true, "max_path_len": 0, "max_path_len_zero": true}
      }
    }
  }
}
This config defines three profiles: server, client and signing. Note that the client profile as written carries the same usages as the signing profile (cert sign, crl sign) rather than the client auth usage the server profile includes, so check that it matches what the client certificates are meant for.
To generate a client certificate, create the file client/client-csr.json:
{
  "CN": "client.x-truder.net",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
Then generate the certificate with the following command:
cfssl gencert -ca ca/ca.pem -ca-key ca/ca-key.pem -config config.json -profile client client/client-csr.json | cfssljson -bare client/client
As shown, this uses the config.json file created above together with its client profile.
To generate a server certificate, create the file server/server-csr.json:
{
  "CN": "newserver.x-truder.net",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "SI",
      "ST": "Ljubljana",
      "L": "Ljubljana",
      "O": "X-Truder",
      "OU": "Security"
    }
  ],
  "hosts": ["newserver.x-truder.net"]
}
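As an added example (not code from this post or from cfssl itself), the Go program below reproduces what the gencert steps above do using only the standard crypto/x509 package, so the mapping from the config's usages and ca_constraint to certificate extensions can be checked offline. The profile values come from config.json and ca-csr.json; that the root CA is unconstrained, the Organization name and the helper names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Profile mirrors one config.json profile (or the "ca" block of ca-csr.json):
// cfssl's usages and ca_constraint map onto x509.Certificate fields of the same names.
type Profile struct {
	Expiry         time.Duration
	KeyUsage       x509.KeyUsage
	ExtKeyUsage    []x509.ExtKeyUsage
	IsCA           bool // ca_constraint.is_ca
	MaxPathLenZero bool // ca_constraint.max_path_len 0 with max_path_len_zero true
}

var RootProfile = Profile{87600 * time.Hour, x509.KeyUsageCertSign | x509.KeyUsageCRLSign, nil, true, false} // assumed unconstrained root
var ServerProfile = Profile{720 * time.Hour, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, false, false}
var SigningProfile = Profile{8760 * time.Hour,
	x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, nil, true, true}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue creates an ECDSA P-256 certificate for cn (DNS SANs = hosts) under p, signed
// by parent; a nil parent yields a self-signed root, as "cfssl gencert -initca" does.
func Issue(cn string, hosts []string, p Profile, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"X-Truder"}}, DNSNames: hosts,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(p.Expiry),
		KeyUsage:     p.KeyUsage, ExtKeyUsage: p.ExtKeyUsage,
		BasicConstraintsValid: true, IsCA: p.IsCA, MaxPathLenZero: p.MaxPathLenZero,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
```

Issuing a root with RootProfile, then a server leaf and a signing sub-CA under it, lets you verify with x509.Verify that the server chain validates for its hostname and that a further CA under the path-length-0 signing CA is rejected.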