In this tutorial, we will walk you through the process of setting up a Certificate Authority (CA) hierarchy using CFSSL (CloudFlare's PKI and TLS toolkit). A CA hierarchy is essential for secure communication on the web, as it allows you to issue and manage digital certificates for various purposes. In this example, we'll create a root CA, an intermediate CA, and a server certificate for a website.
Step 1: Create Directories
Let's start by creating the necessary directory structure:
mkdir root intermediate server
cd root
Step 2: Configure the Root CA
Create the ca_csr.json file, the certificate signing request for the Root CA, with the following content:
vim ca_csr.json
{
  "CN": "Example CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "AM",
      "L": "Yerevan",
      "O": "Thalamus",
      "OU": "IT",
      "ST": "Yerevan"
    }
  ]
}
Step 3: Configure the Root CA Signing Profiles
Create the ca-config.json file for the Root CA. It defines the signing profiles used later: intermediate_ca marks the certificates it issues as CAs with a path length of 0 (they may sign end-entity certificates but no further CAs), while server, client and peer are end-entity profiles:
vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "intermediate_ca": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "cert sign",
          "crl sign",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h",
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 0,
          "max_path_len_zero": true
        }
      },
      "peer": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "client auth",
          "server auth"
        ],
        "expiry": "8760h"
      },
      "server": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "server auth"
        ],
        "expiry": "8760h"
      },
      "client": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
Step 4: Generate the Root CA Certificate
Generate the Root CA certificate and key:
cfssl gencert -initca ca_csr.json | cfssljson -bare ca -
Step 5: Configure the Intermediate CA
Move to the intermediate directory and create the intermediate.json file:
cd ../intermediate/
vim intermediate.json
{
  "CN": "Example Intermediate CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "AM",
      "L": "Yerevan",
      "O": "Thalamus",
      "OU": "IT",
      "ST": "Yerevan"
    }
  ],
  "ca": {
    "expiry": "42720h"
  }
}
Step 6: Generate the Intermediate CA Certificate
Generate the Intermediate CA key and CSR, then have the Root CA sign the CSR with the intermediate_ca profile (the second command overwrites the self-signed intermediate_ca.pem produced by the first with the root-signed certificate):
cfssl gencert -initca intermediate.json | cfssljson -bare intermediate_ca
cfssl sign -ca ../root/ca.pem -ca-key ../root/ca-key.pem -config ../root/ca-config.json -profile intermediate_ca intermediate_ca.csr | cfssljson -bare intermediate_ca
Step 7: Configure the Server Certificate
Navigate to the server directory and create the example.json file for the server certificate:
cd ../server/
vim example.json
{
  "CN": "example.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "AM",
      "L": "Yerevan",
      "O": "Thalamus",
      "OU": "IT",
      "ST": "Yerevan"
    }
  ],
  "hosts": [
    "example.com"
  ]
}
Step 8: Generate the Server Certificate
Generate the server certificate:
cfssl gencert -ca ../intermediate/intermediate_ca.pem -ca-key ../intermediate/intermediate_ca-key.pem -config ../root/ca-config.json -profile=server example.json | cfssljson -bare example
Step 9: Install the Root CA Certificate
Install the Root CA certificate system-wide so that local clients trust every certificate chained to it (update-ca-certificates is the Debian/Ubuntu tool; the root certificate is referenced from the server directory):
sudo cp ../root/ca.pem /usr/local/share/ca-certificates/example.crt
sudo update-ca-certificates --fresh
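As an added check that is not part of the tutorial, the Go program below (CFSSL itself is written in Go; this uses only the standard library's crypto/x509) rebuilds the same root -> intermediate -> example.com hierarchy in memory with the constraints the profiles above set, then verifies the server certificate the way a TLS client does: trusting only the root and taking the intermediate as untrusted. The names and serial numbers are constructed for the example, and it uses Ed25519 keys for brevity where the tutorial's files use RSA.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template is one link of the chain: a CA (maxPath -1 = no limit, as for the root; 0 = the intermediate_ca profile's ca_constraint) or, with isCA false, a "server"-profile leaf for cn.
func template(cn string, serial int64, isCA bool, maxPath int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Thalamus"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(8760 * time.Hour), // "expiry": "8760h"
		BasicConstraintsValid: true, IsCA: isCA, MaxPathLen: maxPath, MaxPathLenZero: maxPath == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // "cert sign", "crl sign"
	}
	if !isCA { // "server" profile: server auth only, with cn as the SAN (the CSR's "hosts" entry)
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fresh key for tmpl; parentKey signs it
	if parent == nil { // self-signed, as cfssl gencert -initca does
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildHierarchy reproduces root -> intermediate (pathlen 0) -> example.com in memory.
func BuildHierarchy() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(template("Example CA", 1, true, -1), nil, nil)
	inter, interKey := issue(template("Example Intermediate CA", 2, true, 0), root, rootKey)
	leaf, _ = issue(template("example.com", 3, false, -1), inter, interKey)
	return root, inter, leaf
}
// VerifyChain does what a TLS client does: trust only root, take inter as untrusted, match host.
func VerifyChain(root, inter, leaf *x509.Certificate, host string) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	pool.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: host})
	return err
}
```

The same check on the files the tutorial produces is `openssl verify -CAfile ../root/ca.pem -untrusted ../intermediate/intermediate_ca.pem example.pem`. A client that receives only example.pem cannot build the chain, so the web server must send intermediate_ca.pem together with it.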
You have now successfully set up a CA hierarchy with CFSSL, allowing you to issue and manage certificates for secure communication.
The server certificate for example.com is ready for use. Make sure to replace the domain and other details as needed for your specific use case.