Skip to content

jschell12/cfssl-pki-example

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

.gitignore

.gitignore

 
 

README.md

README.md

 
 

client-requester-config.json

client-requester-config.json

 
 

client-requester-csr.json

client-requester-csr.json

 
 

intermediary-config.json

intermediary-config.json

 
 

intermediary-csr.json

intermediary-csr.json

 
 

multiroot-profile.ini

multiroot-profile.ini

 
 

request-profile.json

request-profile.json

 
 

root-csr.json

root-csr.json

 
 

server-config.json

server-config.json

 
 

server-csr.json

server-csr.json

 
 

Repository files navigation

Simple PKI Example with cfssl, cfssljson, and multirootca

This example was inspired by Building a Secure Public Key Infrastructure for Kubernetes by Mike Newswanger.

Installation:

See the official cfssl README.

For multirootca installation:

go get -u github.com/cloudflare/cfssl/cmd/multirootca

Generating the Certificate Authorities and Associated Certificate Signing Server

Generate root certificate authority certificate:

$ cfssl gencert -initca root-csr.json | cfssljson -bare root-ca

2019/04/06 11:58:11 [INFO] generating a new CA key and certificate from CSR
2019/04/06 11:58:11 [INFO] generate received request
2019/04/06 11:58:11 [INFO] received CSR
2019/04/06 11:58:11 [INFO] generating key: rsa-2048
2019/04/06 11:58:12 [INFO] encoded CSR
2019/04/06 11:58:12 [INFO] signed certificate with serial number 167891568625587002661900040634378932042675797874

Generate an intermediary certificate authority certificate:

$ cfssl gencert -ca=root-ca.pem -ca-key=root-ca-key.pem -config=intermediary-config.json -hostname=0.0.0.0 -profile=default intermediary-csr.json | cfssljson -bare intermediary-ca

2019/04/06 11:58:18 [INFO] generate received request
2019/04/06 11:58:18 [INFO] received CSR
2019/04/06 11:58:18 [INFO] generating key: rsa-2048
2019/04/06 11:58:18 [INFO] encoded CSR
2019/04/06 11:58:18 [INFO] signed certificate with serial number 202678780292982818036866864115695594468867817862

Generate a server leaf certificate: (For secure connections to multirootca server)

$ cfssl gencert -ca=intermediary-ca.pem -ca-key=intermediary-ca-key.pem -config=server-config.json -hostname=0.0.0.0 -profile=default server-csr.json | cfssljson -bare server

2019/04/06 11:58:25 [INFO] generate received request
2019/04/06 11:58:25 [INFO] received CSR
2019/04/06 11:58:25 [INFO] generating key: rsa-2048
2019/04/06 11:58:25 [INFO] encoded CSR
2019/04/06 11:58:25 [INFO] signed certificate with serial number 267055182799407713312172136708586130721128410514

Start the multirootca server:

/usr/local/bin/multirootca \
    -a 0.0.0.0:8888 \
    -l default \
    -roots multiroot-profile.ini \
    -tls-cert server.pem \
    -tls-key server-key.pem

2019/04/06 12:26:48 [INFO] loaded signer default
2019/04/06 12:26:48 [INFO] Now listening on https:// 0.0.0.0:8888

Request a client leaf certificate from multirootca:

$ cfssl gencert -config=request-profile.json -hostname=127.0.0.1 -tls-remote-ca server.pem -profile=default client-requester-csr.json | cfssljson -bare client-requester

2019/04/06 12:03:57 [INFO] generate received request
2019/04/06 12:03:57 [INFO] received CSR
2019/04/06 12:03:57 [INFO] generating key: rsa-2048
2019/04/06 12:03:58 [INFO] encoded CSR
2019/04/06 12:03:58 [INFO] Using trusted CA from tls-remote-ca: server.pem

Observe certificate contents:

openssl x509 -in root-ca.pem -text -noout
openssl x509 -in intermediary-ca.pem -text -noout
openssl x509 -in server.pem -text -noout
openssl x509 -in client-requester.pem -text -noout

About

Simple PKI Example with cfssl, cfssljson, and multirootca inspired by

www.mikenewswanger.com/posts/2018/kubernetes-pki/

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published