:::warning
This article draws heavily on [1].
:::

In the previous article we built an OCSP setup with openssl. This time we do the same with cfssl.
The cfssl certdb README [2] shows how to use goose to run the database migration scripts (mainly the CREATE TABLE statements): https://github.com/cloudflare/cfssl/tree/master/certdb#use-goose-to-start-and-terminate-a-sqlite-db
The resulting schema looks roughly like this. certificates records every certificate the signer issues (revocation updates status, reason and revoked_at); ocsp_responses caches the signed OCSP response for each of them, keyed by the same (serial_number, authority_key_identifier) pair:

```sql
CREATE TABLE certificates (
  serial_number            blob NOT NULL,
  authority_key_identifier blob NOT NULL,
  ca_label                 blob,
  status                   blob NOT NULL,
  reason                   int,
  expiry                   timestamp,
  revoked_at               timestamp,
  pem                      blob NOT NULL,
  PRIMARY KEY(serial_number, authority_key_identifier)
);

CREATE TABLE ocsp_responses (
  serial_number            blob NOT NULL,
  authority_key_identifier blob NOT NULL,
  body                     blob NOT NULL,
  expiry                   timestamp,
  PRIMARY KEY(serial_number, authority_key_identifier),
  FOREIGN KEY(serial_number, authority_key_identifier) REFERENCES certificates(serial_number, authority_key_identifier)
);
```
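
To see how those two tables are keyed, here is an added example (written for this page, not code from the original article or from cfssl) that reproduces in plain Go what happens on both sides: the signer writes serial_number as the decimal serial and authority_key_identifier as the hex Authority Key Identifier of the issued certificate, while the DB-backed responder looks rows up by the serial and the issuerKeyHash from the OCSP request, i.e. SHA-1 over the issuer's subjectPublicKey bits. The two only agree when the CA's Subject Key Identifier was derived by that same SHA-1 method (RFC 5280 section 4.2.1.2, method 1), which cfssl does for the CAs it generates; a CA with an arbitrary SKI, as the second run shows, yields rows the responder can never find. The CA, leaf, key and all function names (issuerKeyHash, CertdbKey, OCSPLookupKey, ResponderFindsRow, NewCAAndLeaf) are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// subjectPublicKeyInfo mirrors the ASN.1 SEQUENCE so the BIT STRING can be hashed alone.
type subjectPublicKeyInfo struct {
	Algorithm        pkix.AlgorithmIdentifier
	SubjectPublicKey asn1.BitString
}

// issuerKeyHash is what an OCSP client sends for this issuer (RFC 6960): SHA-1 over
// the subjectPublicKey bits, excluding tag, length and the unused-bits octet.
func issuerKeyHash(issuer *x509.Certificate) ([]byte, error) {
	var spki subjectPublicKeyInfo
	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.SubjectPublicKey.Bytes)
	return sum[:], nil
}

// CertdbKey is the primary key the signer writes: decimal serial_number plus hex AKI.
func CertdbKey(leaf *x509.Certificate) (serial, aki string) {
	return leaf.SerialNumber.String(), hex.EncodeToString(leaf.AuthorityKeyId)
}

// OCSPLookupKey is the pair the DB-backed responder derives from an incoming request.
func OCSPLookupKey(serial *big.Int, issuer *x509.Certificate) (string, string, error) {
	kh, err := issuerKeyHash(issuer)
	if err != nil {
		return "", "", err
	}
	return serial.String(), hex.EncodeToString(kh), nil
}

// ResponderFindsRow reports whether an OCSP query for leaf hits the row the signer stored.
func ResponderFindsRow(leaf, issuer *x509.Certificate) (bool, error) {
	dbSerial, dbAKI := CertdbKey(leaf)
	reqSerial, reqAKI, err := OCSPLookupKey(leaf.SerialNumber, issuer)
	return err == nil && dbSerial == reqSerial && dbAKI == reqAKI, err
}

// issue signs tmpl with signer under parent (self-signed when parent is nil) and parses it.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCAAndLeaf builds a throwaway P-256 CA and one leaf it signs (constructed test data).
// skid overrides the CA's Subject Key Identifier; with nil, crypto/x509 derives it as
// SHA-1(subjectPublicKey), RFC 5280 method 1, the same derivation cfssl uses for its CAs.
func NewCAAndLeaf(skid []byte) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	ca, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: skid}, nil, caKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := issue(&x509.Certificate{SerialNumber: big.NewInt(123456789), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, leafKey, caKey)
	return ca, leaf, err
}

func main() {
	for _, skid := range [][]byte{nil, {0xde, 0xad, 0xbe, 0xef}} {
		ca, leaf, err := NewCAAndLeaf(skid)
		if err != nil {
			panic(err)
		}
		serial, aki := CertdbKey(leaf)
		found, _ := ResponderFindsRow(leaf, ca)
		fmt.Printf("certdb row (%s, %s): responder finds it = %v\n", serial, aki, found)
	}
}
```

The practical consequence: if you import certificates into certdb that were issued by a CA whose SKI is not SHA-1 of its public key (some tooling uses truncated or SHA-256-based identifiers), the rows are present but every OCSP query for them misses, so check the CA's SKI before relying on this responder.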

Now edit config.json. The main changes are in the default section (an auth_key) plus a new ocsp profile. auth_key does not encrypt the CA key on disk; it names an entry in auth_keys, and a signing profile that carries one only accepts requests through the authenticated endpoint (/api/v1/cfssl/authsign), where the caller proves possession of the shared key with an HMAC-SHA256 over the request body; the plain /api/v1/cfssl/sign endpoint refuses such profiles. Since every profile below sets auth_key: key1, nobody who merely reaches port 8888 can get the CA key to sign anything. The key value is 16 random bytes written as 32 hex characters (for example from `openssl rand -hex 16`) and belongs out of version control.

```json
{
  "signing": {
    "default": {
      "auth_key": "key1",
      "ocsp_url": "http://cfssl.lan.amos:8889",
      "crl_url": "http://cfssl.lan.amos:8888/crl",
      "expiry": "26280h"
    },
    "profiles": {
      "intermediate": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "cert sign",
          "crl sign"
        ],
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 1
        }
      },
      "ocsp": {
        "auth_key": "key1",
        "usages": [
          "digital signature",
          "ocsp signing"
        ],
        "expiry": "26280h"
      },
      "serverCA": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "cert sign",
          "crl sign"
        ]
      },
      "server": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "auth_key": "key1",
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth",
          "email protection"
        ]
      }
    }
  },
  "auth_keys": {
    "key1": {
      "key": "<16 byte hex private key>",
      "type": "standard"
    }
  }
}
```
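
To make concrete what auth_key buys, here is an added example, written for this page rather than taken from cfssl, that reproduces the standard auth provider's token in plain Go: the client MACs the serialized sign request with HMAC-SHA256 under the hex-decoded key and posts {token, request} to the authsign endpoint; the server recomputes the MAC and compares it in constant time before it reads the profile or hosts out of the request. The JSON field names and the HMAC construction follow cfssl's auth package; the key, the CSR text and the function names (BuildAuthSign, VerifyAuthSign, TamperProfile) are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed demo key with the shape config.json's auth_keys.key1.key takes for
// type "standard": 16 random bytes written as 32 hex characters. Not a real key.
const demoAuthKeyHex = "000102030405060708090a0b0c0d0e0f"

// SignRequest is the inner body the plain /api/v1/cfssl/sign endpoint takes.
type SignRequest struct {
	CertificateRequest string   `json:"certificate_request"`
	Profile            string   `json:"profile,omitempty"`
	Hosts              []string `json:"hosts,omitempty"`
}

// AuthenticatedRequest is the envelope /api/v1/cfssl/authsign takes instead; encoding/json
// writes []byte as base64, which is the wire format. cfssl's struct also has optional
// timestamp and remote_address fields, which the standard provider never checks.
type AuthenticatedRequest struct {
	Token   []byte `json:"token"`
	Request []byte `json:"request"`
}

// standardToken is the "standard" provider's token: HMAC-SHA256 over the raw inner
// request bytes, keyed with the hex-decoded auth key.
func standardToken(key, req []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(req)
	return mac.Sum(nil)
}

// BuildAuthSign is the client side: serialise the sign request, MAC it, wrap it.
func BuildAuthSign(keyHex string, sr SignRequest) ([]byte, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, err
	}
	inner, err := json.Marshal(sr)
	if err != nil {
		return nil, err
	}
	return json.Marshal(AuthenticatedRequest{Token: standardToken(key, inner), Request: inner})
}

// VerifyAuthSign is the server side: recompute the MAC and compare in constant time
// before trusting anything inside the request (profile, hosts, CSR).
func VerifyAuthSign(keyHex string, body []byte) (*SignRequest, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, err
	}
	var ar AuthenticatedRequest
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if !hmac.Equal(ar.Token, standardToken(key, ar.Request)) {
		return nil, errors.New("authsign: invalid token")
	}
	var sr SignRequest
	if err := json.Unmarshal(ar.Request, &sr); err != nil {
		return nil, err
	}
	return &sr, nil
}

// TamperProfile rewrites the inner request's profile without re-MACing it, which is
// all someone who can reach the API but does not hold key1 can do.
func TamperProfile(body []byte, profile string) ([]byte, error) {
	var ar AuthenticatedRequest
	var sr SignRequest
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(ar.Request, &sr); err != nil {
		return nil, err
	}
	sr.Profile = profile
	inner, err := json.Marshal(sr)
	if err != nil {
		return nil, err
	}
	return json.Marshal(AuthenticatedRequest{Token: ar.Token, Request: inner})
}

func main() {
	// Constructed CSR placeholder; the MAC covers it but nothing here parses it.
	body, _ := BuildAuthSign(demoAuthKeyHex, SignRequest{CertificateRequest: "-----BEGIN CERTIFICATE REQUEST-----\n...", Profile: "server", Hosts: []string{"www.example.test"}})
	_, err := VerifyAuthSign(demoAuthKeyHex, body)
	fmt.Println("genuine request verifies:", err == nil)
	forged, _ := TamperProfile(body, "intermediate")
	_, err = VerifyAuthSign(demoAuthKeyHex, forged)
	fmt.Println("profile swapped to intermediate without the key, rejected:", err != nil)
}
```

The property worth noticing is that the profile sits inside the MACed request, so a relay that can reach port 8888 but lacks key1 cannot turn a server request into an intermediate (CA) request. The standard provider has no timestamp or nonce check, though, so a captured request can be replayed for a second certificate on the same CSR; expose the API only over TLS (cfssl serve -tls-cert/-tls-key) or on a trusted network.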

OCSP key pair

The CSR request file, ocsp.csr.json:

```json
{
  "CN": "OCSP signer",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "ST": "CA",
      "L": "San Francisco"
    }
  ]
}
```

The database config, sqlite_db.json, pointing at the SQLite file the goose migration created:

```json
{
  "driver":"sqlite3",
  "data_source":"certdb.db"
}
```

Generate the OCSP signer's key pair and certificate, issued by the CA whose certificates it will answer for, using the ocsp profile (digital signature + OCSP signing). cfssljson -bare writes ocsp/ocsp.pem, ocsp/ocsp-key.pem and ocsp/ocsp.csr:

```shell
cfssl gencert -ca=server/server.pem -ca-key=server/server-key.pem -config=config.json -profile="ocsp" ocsp.csr.json | cfssljson -bare ocsp/ocsp
```

OCSP Responder

```shell
cfssl serve -db-config=sqlite_db.json -ca=server/server.pem -ca-key=server/server-key.pem -config=config.json -responder=ocsp/ocsp.pem -responder-key=ocsp/ocsp-key.pem
```

With -db-config, every certificate this server signs is recorded in the certificates table, and -responder/-responder-key enable the ocspsign API endpoint. Note that this process listens on 8888 and signs; it is not the HTTP responder that clients query at the ocsp_url above (port 8889). That role belongs to cfssl ocspserve, pointed at the same sqlite_db.json, and the ocsp_responses rows it serves are produced by cfssl ocsprefresh with the same CA and responder key; until that has run for a certificate, the responder has no response for it.

References

[1]: https://propellered.com/posts/cfssl_setting_up_ocsp_api/
[2]: https://github.com/cloudflare/cfssl/tree/master/certdb#use-goose-to-start-and-terminate-a-sqlite-db