Compared with openssl, creating certificates with cfssl is a considerably simpler process.
## Environment setup

### Install cfssl and cfssljson

```shell
go get github.com/cloudflare/cfssl/cmd/cfssl
go get github.com/cloudflare/cfssl/cmd/cfssljson
# On Go 1.17 and later "go get" no longer installs binaries; use
# go install github.com/cloudflare/cfssl/cmd/cfssl@latest (and the same for cfssljson).
```

cfssl does most of the work and emits its output as JSON; cfssljson's job is to split that JSON into individual files.
### CA signing configuration: config.json

```json
{
  "signing": {
    "default": {
      "expiry": "43800h"
    },
    "profiles": {
      "intermediate": {
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "cert sign",
          "crl sign"
        ],
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 1
        }
      },
      "server": {
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "cert sign",
          "crl sign"
        ]
      },
      "client": {
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth",
          "email protection"
        ]
      }
    }
  }
}
```
## Create the root certificate

### Root certificate configuration: rootCA.csr.json

```json
{
  "CN": "Root CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "ca": {
    "expiry": "262800h",
    "pathlen": 2
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "OU": "Dropsonde Certificate Authority",
      "ST": "California"
    }
  ]
}
```
### Create the self-signed certificate

```shell
mkdir rootCA
cfssl genkey -initca rootCA.csr.json | cfssljson -bare rootCA/rootCA
```

cfssljson writes three files directly: rootCA.csr (the CSR), rootCA-key.pem (the private key) and rootCA.pem (the self-signed certificate).
:::info
The ECDSA algorithm is used here rather than RSA; inspecting the certificate with OpenSSL shows `Signature Algorithm: ecdsa-with-SHA256`. The OpenSSL article used RSA, which shows as `Signature Algorithm: sha256WithRSAEncryption`.
:::
## Create the intermediate CA certificate

### Intermediate CA CSR: intermediateCA.csr.json

```json
{
  "CN": "Intermediate CA",
  "hosts": [
    ""
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "OU": "Dropsonde Certificate Authority",
      "ST": "California"
    }
  ]
}
```

Create the intermediate CA's private key, CSR and certificate. Note that this step references the root CA's private key, its certificate and the config.json signing configuration.

```shell
mkdir intermediateCA
cfssl gencert -ca=rootCA/rootCA.pem \
    -ca-key=rootCA/rootCA-key.pem \
    -config=config.json \
    -profile=intermediate intermediateCA.csr.json | cfssljson -bare intermediateCA/intermediateCA
```
## Create the server certificate

### Server certificate configuration: server.csr.json

```json
{
  "CN": "example.net",
  "hosts": [
    "example.net",
    "www.example.net"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "ST": "CA",
      "L": "San Francisco"
    }
  ]
}
```

Create the server certificate, signing it with the intermediate CA's certificate and private key:

```shell
mkdir server
cfssl gencert -ca=intermediateCA/intermediateCA.pem \
    -ca-key=intermediateCA/intermediateCA-key.pem \
    -config=config.json \
    -profile=server server.csr.json | cfssljson -bare server/server
```

### Verify the certificate

```shell
cat rootCA/rootCA.pem intermediateCA/intermediateCA.pem > chainCA.pem
openssl verify -CAfile chainCA.pem server/server.pem
```
## Create the user certificate

### User CSR configuration: user1.csr.json

```json
{
  "CN": "user1",
  "hosts": [
    ""
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "ST": "CA",
      "L": "San Francisco"
    }
  ]
}
```

### Create the user certificate

```shell
mkdir user1
cfssl gencert -ca=server/server.pem \
    -ca-key=server/server-key.pem \
    -config=config.json \
    -profile=client user1.csr.json | cfssljson -bare user1/user1
```

### Verify the certificate

```shell
cat rootCA/rootCA.pem intermediateCA/intermediateCA.pem server/server.pem > chain.pem
# verify user1.pem against the chain that issued it
openssl verify -CAfile chain.pem user1/user1.pem
```
:::warning
openssl verify only accepts the CA chain through -CAfile; it does not accept a chain bundled with the certificate being verified. When deploying, however, you should use the certificate chain.
:::
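The hierarchy and both verification steps above, rebuilt in Go with crypto/x509 as an added example (not the page's or cfssl's own code; it assumes the expiries, path lengths, key usages and ECDSA P-256 keys of the config files shown, with constructed serial numbers). Run as a whole, it shows why the last step is rejected: the server profile carries no ca_constraint, so server.pem is not a CA and a verifier refuses the user1 certificate it issued.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Template mirrors a cfssl CSR plus its signing profile; pathLen >= 0 adds "ca_constraint" and the CA key usages.
func Template(cn string, pathLen int, eku []x509.ExtKeyUsage, hosts ...string) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; cfssl uses random ones
		Subject: pkix.Name{CommonName: cn}, DNSNames: hosts, ExtKeyUsage: eku, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(43800 * time.Hour), // "expiry": "43800h"
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	if pathLen >= 0 { // "is_ca": true, "max_path_len": pathLen
		t.IsCA, t.MaxPathLen = true, pathLen
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // "cert sign", "crl sign"
	}
	return t
}
// Issue makes an ECDSA P-256 key for tmpl and signs it with parentKey; a nil parent gives a self-signed root (-initca).
func Issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // "algo": "ecdsa", "size": 256
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Demo rebuilds the page's hierarchy and runs the Go equivalent of its two "openssl verify" steps.
func Demo() (serverErr, userErr error) {
	root, rootKey := Issue(Template("Root CA", 2, nil), nil, nil)
	inter, interKey := Issue(Template("Intermediate CA", 1, nil), root, rootKey)
	server, serverKey := Issue(Template("example.net", -1, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, "example.net", "www.example.net"), inter, interKey)
	user, _ := Issue(Template("user1", -1, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), server, serverKey)
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	pool.AddCert(inter) // chainCA.pem = rootCA.pem + intermediateCA.pem
	opts := x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}} // like openssl verify: chain only, no EKU or hostname check
	_, serverErr = server.Verify(opts)
	pool.AddCert(server) // chain.pem adds server.pem, which carries no CA constraint ...
	_, userErr = user.Verify(opts) // ... so user1 is rejected: its issuer is not a CA
	return serverErr, userErr
}
```

The first result is nil; the second is an x509.UnknownAuthorityError whose message names server.pem as the candidate authority that cannot sign certificates.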