This article describes how to generate certificates using CFSSL.

Generating root CA

When generating the root CA, cfssl does not apply the profiles from config.json, so all information (key algorithm, CA expiry and subject names) has to go into the CSR file:

ca/ca-csr.json

{
  "CN": "X-Truder networks",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "ca": {
      "expiry": "87600h"
  },
  "names": [
    {
      "C": "SI",
      "ST": "Ljubljana",
      "L": "Ljubljana",
      "O": "X-Truder",
      "OU": "Security"
    }
  ]
}

To generate the CA, use the following command:

cfssl gencert -initca ./ca/ca-csr.json | cfssljson -bare ./ca/ca

Creating the cfssl configuration file with profiles

config.json

{
    "signing": {
        "profiles": {
            "server": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry": "720h"
            },
            "client": {
                "usages": [
                    "digital signature",
                    "cert sign",
                    "crl sign",
                    "signing"
                ],
                "expiry": "24h"
            },
            "signing": {
                "usages": [
                    "digital signature",
                    "cert sign",
                    "crl sign",
                    "signing"
                ],
                "expiry": "8760h",
                "ca_constraint": {"is_ca": true, "max_path_len":0, "max_path_len_zero": true}
            }
        }
    }
}

This config defines three profiles: server, client and signing. Note that the client profile as written carries the CA key usages "cert sign" and "crl sign" and no "client auth" extended key usage; a certificate intended for TLS client authentication would normally use "signing", "key encipherment" and "client auth" (as the server profile does), while "cert sign" and "crl sign" belong with the signing (intermediate CA) profile.

Generating client certificate

To generate a client certificate we create the client/client-csr.json file:

{
  "CN": "client.x-truder.net",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}

We generate the certificate using the following command:

cfssl gencert -ca ca/ca.pem -ca-key ca/ca-key.pem -config config.json -profile client client/client-csr.json | cfssljson -bare client/client

Here we use the previously created config.json file together with the client profile.

Generating server certificate

To generate a server certificate we create the server/server-csr.json file (note the "hosts" entry, which becomes the certificate's Subject Alternative Name):

{
  "CN": "newserver.x-truder.net",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "SI",
      "ST": "Ljubljana",
      "L": "Ljubljana",
      "O": "X-Truder",
      "OU": "Security"
    }
  ],
  "hosts": ["newserver.x-truder.net"]
}
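Before running cfssl gencert it is worth sanity-checking the profiles and CSR files, since cfssl will happily issue an end-entity certificate carrying CA key usages or a server certificate without any hosts. The following is an added example, not part of the article and not cfssl's own code: it lints the article's config.json profiles and server CSR (copied inline as constructed data), parses the "720h"-style expiries, and assembles the same cfssl gencert | cfssljson pipeline the article uses for any profile. The checks it applies (CA usages only on CA profiles, a TLS EKU on end-entity profiles, hosts on server CSRs, sane key sizes) are this example's assumptions about what a practitioner wants flagged, not rules enforced by cfssl.

```python
import json
import re
import shlex
from datetime import timedelta

# Constructed copy of the article's config.json (same three profiles, same usages).
CONFIG = json.loads("""
{
    "signing": {
        "profiles": {
            "server": {
                "usages": ["signing", "key encipherment", "server auth", "client auth"],
                "expiry": "720h"
            },
            "client": {
                "usages": ["digital signature", "cert sign", "crl sign", "signing"],
                "expiry": "24h"
            },
            "signing": {
                "usages": ["digital signature", "cert sign", "crl sign", "signing"],
                "expiry": "8760h",
                "ca_constraint": {"is_ca": true, "max_path_len": 0, "max_path_len_zero": true}
            }
        }
    }
}
""")

# Constructed copy of the article's server/server-csr.json (subject names omitted).
SERVER_CSR = {
    "CN": "newserver.x-truder.net",
    "key": {"algo": "ecdsa", "size": 256},
    "hosts": ["newserver.x-truder.net"],
}

CA_USAGES = {"cert sign", "crl sign"}        # only meaningful on a CA certificate
TLS_USAGES = {"server auth", "client auth"}  # extended key usages a TLS peer needs


def parse_expiry(expiry):
    """Convert a cfssl expiry written in hours ("720h") into a timedelta."""
    m = re.fullmatch(r"(\d+)h", expiry.strip())
    if not m:
        raise ValueError("expiry must be a whole number of hours, got %r" % expiry)
    return timedelta(hours=int(m.group(1)))


def lint_profiles(config):
    """Return {profile name: [warnings]} for every profile under signing.profiles."""
    findings = {}
    for name, profile in config["signing"]["profiles"].items():
        warnings = []
        usages = set(profile.get("usages", []))
        is_ca = bool(profile.get("ca_constraint", {}).get("is_ca", False))
        if is_ca:
            if "cert sign" not in usages:
                warnings.append("CA profile without 'cert sign' cannot issue certificates")
        else:
            if usages & CA_USAGES:
                warnings.append("end-entity profile carries CA usages: "
                                + ", ".join(sorted(usages & CA_USAGES)))
            if not usages & TLS_USAGES:
                warnings.append("no 'server auth'/'client auth': certificate is unusable for TLS")
        parse_expiry(profile["expiry"])  # raises on a malformed expiry string
        findings[name] = warnings
    return findings


def lint_csr(csr, profile):
    """Check a CSR JSON document against the profile it will be signed with."""
    warnings = []
    if not csr.get("CN"):
        warnings.append("missing CN")
    key = csr.get("key", {})
    if key.get("algo") == "ecdsa" and key.get("size") not in (256, 384, 521):
        warnings.append("ecdsa size must be 256, 384 or 521")
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        warnings.append("rsa key shorter than 2048 bits")
    if "server auth" in profile.get("usages", []) and not csr.get("hosts"):
        warnings.append("server profile but no hosts: certificate will have no SAN")
    return warnings


def gencert_command(profile_name, csr_path, out_prefix,
                    ca="ca/ca.pem", ca_key="ca/ca-key.pem", config="config.json"):
    """Build the cfssl gencert | cfssljson pipeline the article uses, for any profile."""
    args = ["cfssl", "gencert", "-ca", ca, "-ca-key", ca_key,
            "-config", config, "-profile", profile_name, csr_path]
    return " ".join(shlex.quote(a) for a in args) + " | cfssljson -bare " + shlex.quote(out_prefix)


if __name__ == "__main__":
    for name, warnings in lint_profiles(CONFIG).items():
        print(name, warnings or "ok")
    print(lint_csr(SERVER_CSR, CONFIG["signing"]["profiles"]["server"]) or "server csr ok")
    print(gencert_command("server", "server/server-csr.json", "server/server"))
```

Run against the article's files, the linter reports the server and signing profiles as clean and flags the client profile twice (CA usages present, no TLS extended key usage), and the last line prints the gencert pipeline for the server profile, which mirrors the client command shown earlier with the profile, CSR path and output prefix swapped.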