:::warning
This article draws heavily on [1].
:::
In the previous article we discussed how to set up an OCSP solution with openssl. Now let's look at how to build one with cfssl.
The README of cfssl's certdb package gives a guide on using goose to run the database migration scripts (mainly the table creation): https://github.com/cloudflare/cfssl/tree/master/certdb#use-goose-to-start-and-terminate-a-sqlite-db
The table structure is roughly as follows:

```sql
CREATE TABLE certificates (
  serial_number            blob NOT NULL,
  authority_key_identifier blob NOT NULL,
  ca_label                 blob,
  status                   blob NOT NULL,
  reason                   int,
  expiry                   timestamp,
  revoked_at               timestamp,
  pem                      blob NOT NULL,
  PRIMARY KEY(serial_number, authority_key_identifier)
);

CREATE TABLE ocsp_responses (
  serial_number            blob NOT NULL,
  authority_key_identifier blob NOT NULL,
  body                     blob NOT NULL,
  expiry                   timestamp,
  PRIMARY KEY(serial_number, authority_key_identifier),
  FOREIGN KEY(serial_number, authority_key_identifier)
    REFERENCES certificates(serial_number, authority_key_identifier)
);
```
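The schema above makes two operational facts visible: a response can only exist for a certificate certdb knows about (the composite foreign key), and every pre-signed response carries its own `expiry`, so something has to regenerate responses before they go stale (in cfssl that is the `ocsprefresh` command). The following is an added example, not code from this post or from cfssl: it builds the two tables in an in-memory sqlite database, loads a few constructed rows, and runs the query an operator would use to find certificates whose OCSP response is missing or about to expire. It assumes serials are stored as decimal strings, the authority key identifier as a hex string, and timestamps as UTC text; the encoding cfssl's own driver uses may differ, so adapt the comparisons if you run this against a real `certdb.db`.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# The two tables as the certdb migration creates them.
CERTDB_SCHEMA = """
CREATE TABLE certificates (
  serial_number blob NOT NULL,
  authority_key_identifier blob NOT NULL,
  ca_label blob,
  status blob NOT NULL,
  reason int,
  expiry timestamp,
  revoked_at timestamp,
  pem blob NOT NULL,
  PRIMARY KEY(serial_number, authority_key_identifier)
);
CREATE TABLE ocsp_responses (
  serial_number blob NOT NULL,
  authority_key_identifier blob NOT NULL,
  body blob NOT NULL,
  expiry timestamp,
  PRIMARY KEY(serial_number, authority_key_identifier),
  FOREIGN KEY(serial_number, authority_key_identifier)
    REFERENCES certificates(serial_number, authority_key_identifier)
);
"""

# Fixed clock so the constructed data and the expected results do not drift.
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
# Constructed authority key identifier (hex) and certificate placeholder; not real values.
AKI = "7f3c9a1d5e2b8c4f6a0d1e2f3a4b5c6d7e8f9a0b"
PEM_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"


def ts(dt: datetime) -> str:
    """Store timestamps as zero-padded UTC text so string order equals time order."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def open_certdb(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")  # sqlite ignores FOREIGN KEY clauses otherwise
    conn.executescript(CERTDB_SCHEMA)
    return conn


def load_sample_data(conn: sqlite3.Connection) -> None:
    """Three constructed certificates: one with a fresh OCSP response, one revoked
    whose response has already expired, and one that never received a response."""
    certs = [
        # serial, aki, ca_label, status, reason, expiry, revoked_at, pem
        ("1001", AKI, "", "good", None, ts(NOW + timedelta(days=365)), None, PEM_PLACEHOLDER),
        ("1002", AKI, "", "revoked", 1, ts(NOW + timedelta(days=365)), ts(NOW - timedelta(days=2)), PEM_PLACEHOLDER),
        ("1003", AKI, "", "good", None, ts(NOW + timedelta(days=365)), None, PEM_PLACEHOLDER),
    ]
    conn.executemany("INSERT INTO certificates VALUES (?,?,?,?,?,?,?,?)", certs)
    responses = [
        # body holds the DER OCSPResponse; a minimal placeholder blob stands in here
        ("1001", AKI, b"\x30\x03\x0a\x01\x00", ts(NOW + timedelta(days=3))),
        ("1002", AKI, b"\x30\x03\x0a\x01\x00", ts(NOW - timedelta(hours=1))),
    ]
    conn.executemany("INSERT INTO ocsp_responses VALUES (?,?,?,?)", responses)
    conn.commit()


def stale_ocsp_responses(conn: sqlite3.Connection, now: datetime,
                         margin: timedelta = timedelta(hours=24)) -> list:
    """Serials of unexpired certificates whose OCSP response is missing or
    expires within `margin`; these are the rows a refresh job must regenerate."""
    rows = conn.execute(
        """
        SELECT c.serial_number, r.expiry
        FROM certificates c
        LEFT JOIN ocsp_responses r
          ON r.serial_number = c.serial_number
         AND r.authority_key_identifier = c.authority_key_identifier
        WHERE c.expiry > ?
          AND (r.expiry IS NULL OR r.expiry < ?)
        ORDER BY c.serial_number
        """,
        (ts(now), ts(now + margin)),
    ).fetchall()
    return [serial for serial, _ in rows]


def orphan_response_rejected(conn: sqlite3.Connection) -> bool:
    """The composite foreign key refuses a response for a serial certdb never issued."""
    try:
        conn.execute("INSERT INTO ocsp_responses VALUES (?,?,?,?)", ("9999", AKI, b"", ts(NOW)))
        rejected = False
    except sqlite3.IntegrityError:
        rejected = True
    conn.rollback()
    return rejected


if __name__ == "__main__":
    db = open_certdb()
    load_sample_data(db)
    print("needs refresh within 24h:", stale_ocsp_responses(db, NOW))
    print("orphan response rejected:", orphan_response_rejected(db))
```

Run this periodically (or fold the query into monitoring) and an empty result means every issued certificate has a response the responder can still serve; a non-empty one is the list to feed to a refresh.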
Edit config.json. The main changes are in the default section: an auth_key is added, so that signing requests must be authenticated (protecting the CA's private key from unauthorized use), and an ocsp profile is defined.
```json
{
  "signing": {
    "default": {
      "auth_key": "key1",
      "ocsp_url": "http://cfssl.lan.amos:8889",
      "crl_url": "http://cfssl.lan.amos:8888/crl",
      "expiry": "26280h"
    },
    "profiles": {
      "intermediate": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "cert sign",
          "crl sign"
        ],
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 1
        }
      },
      "ocsp": {
        "auth_key": "key1",
        "usages": [
          "digital signature",
          "ocsp signing"
        ],
        "expiry": "26280h"
      },
      "serverCA": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "cert sign",
          "crl sign"
        ]
      },
      "server": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth",
          "email protection"
        ]
      }
    }
  },
  "auth_keys": {
    "key1": {
      "key": "<16 byte hex private key>",
      "type": "standard"
    }
  }
}
```
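With `auth_key` set on a profile, cfssl no longer signs a bare request to `/api/v1/cfssl/sign` for that profile; the client must call `/api/v1/cfssl/authsign` with an envelope whose `token` is an HMAC-SHA256 over the raw request body under the hex-decoded key (that is what `"type": "standard"` selects), with both token and body base64-encoded. The following is an added example, not code from this post or from cfssl: it builds such an envelope the way a client would and then performs the server-side check, including the rejection of a request whose body was altered in transit. The key and the sign request are constructed placeholders; the real key belongs in `auth_keys.key1.key` and must never be committed with the config.

```python
import base64
import hashlib
import hmac
import json

# Constructed 16-byte key, hex-encoded as auth_keys.key1.key expects. Test value only;
# generate a real one with a CSPRNG (e.g. `openssl rand -hex 16`) and keep it out of git.
AUTH_KEY_HEX = "00112233445566778899aabbccddeeff"

# Constructed sign request in the shape the cfssl sign API accepts.
SAMPLE_SIGN_REQUEST = {
    "certificate_request": "-----BEGIN CERTIFICATE REQUEST-----\n(constructed placeholder)\n-----END CERTIFICATE REQUEST-----\n",
    "profile": "client",
}


def standard_token(key_hex: str, request_body: bytes) -> bytes:
    """HMAC-SHA256 over the raw request bytes under the hex-decoded key ("standard" type)."""
    return hmac.new(bytes.fromhex(key_hex), request_body, hashlib.sha256).digest()


def build_authenticated_request(key_hex: str, sign_request: dict) -> str:
    """Client side: wrap a sign request into the authsign envelope.
    Both the token and the inner request travel base64-encoded."""
    body = json.dumps(sign_request).encode()
    envelope = {
        "token": base64.b64encode(standard_token(key_hex, body)).decode(),
        "request": base64.b64encode(body).decode(),
    }
    return json.dumps(envelope)


def verify_authenticated_request(key_hex: str, envelope_json: str) -> bool:
    """Server side: recompute the HMAC over the received request bytes and compare
    in constant time. Malformed input is rejected rather than raising."""
    try:
        envelope = json.loads(envelope_json)
        token = base64.b64decode(envelope["token"], validate=True)
        body = base64.b64decode(envelope["request"], validate=True)
    except (KeyError, TypeError, ValueError):
        return False
    expected = standard_token(key_hex, body)
    return len(token) == len(expected) and hmac.compare_digest(token, expected)


def tamper_profile(envelope_json: str, new_profile: str) -> str:
    """Simulate an in-transit modification of the inner request (here the requested
    profile) without knowledge of the key; the original token is left in place."""
    envelope = json.loads(envelope_json)
    inner = json.loads(base64.b64decode(envelope["request"]))
    inner["profile"] = new_profile
    envelope["request"] = base64.b64encode(json.dumps(inner).encode()).decode()
    return json.dumps(envelope)


def token_length_bytes(envelope_json: str) -> int:
    """Decoded token length; 32 for HMAC-SHA256."""
    return len(base64.b64decode(json.loads(envelope_json)["token"]))


if __name__ == "__main__":
    env = build_authenticated_request(AUTH_KEY_HEX, SAMPLE_SIGN_REQUEST)
    print("genuine request accepted:", verify_authenticated_request(AUTH_KEY_HEX, env))
    print("modified request accepted:",
          verify_authenticated_request(AUTH_KEY_HEX, tamper_profile(env, "intermediate")))
```

The HMAC binds the token to the exact bytes of the request, so swapping the profile (for instance to one that issues CA certificates) invalidates it; anyone who can reach the API but does not hold the key gets nothing signed. Note that this only authenticates the request, it does not encrypt it, so the responder and signing endpoints should still be reached over TLS or a trusted network.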
OCSP key pair
CSR configuration file ocsp.csr.json:
```json
{
  "CN": "OCSP signer",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "ST": "CA",
      "L": "San Francisco"
    }
  ]
}
```
Database configuration sqlite_db.json:

```json
{
  "driver": "sqlite3",
  "data_source": "certdb.db"
}
```
Generate the key pair, signed by the CA with the ocsp profile:

```shell
cfssl gencert -ca=server/server.pem -ca-key=server/server-key.pem -config=config.json -profile="ocsp" ocsp.csr.json | cfssljson -bare ocsp/ocsp
```
OCSP Responder

```shell
cfssl serve -db-config=sqlite_db.json -ca=server/server.pem -ca-key=server/server-key.pem -config=config.json -responder=ocsp/ocsp.pem -responder-key=ocsp/ocsp-key.pem
```
References
[1]: https://propellered.com/posts/cfssl_setting_up_ocsp_api/
[2]: https://github.com/cloudflare/cfssl/tree/master/certdb#use-goose-to-start-and-terminate-a-sqlite-db