Use CloudFlare CFSSL to build a dedicated PKI/TLS CA for certificate management

The
You can support us by downloading this article in PDF format via the link below.

Download the guide in PDF format

turn off
The

The
The

CloudFlare’s PKI/TLS toolkit

Adapted from CFSSL GitHub page , CFSSL is CloudFlare’s open source PKI/TLS Swiss Army Knife. It is both a command-line tool and an HTTP API server for signing, verifying and bundling TLS certificates. It is unethical to bundle the right bundle together. If the operation is incorrect, it will soon become a nightmare for debugging. CloudFlare wrote CFSSL to make bundling easier. By choosing the correct certificate chain, CFSSL solves the balance between performance, security, and compatibility.

CFSSL Public key infrastructure Not only is it a tool for bundling certificates, but it can also be used as a CA. This is possible because it covers the basic functions of certificate creation, including creating private keys, constructing certificate signing requests and signing certificates.

Brief description of SSL certificate and TLS

As we all know, the Internet is a very insecure place, and every URL you click or every site you visit may not guarantee that it is the product it sells. Due to the nature of insecure websites in the large-scale World Wide Web, SSL certificates have begun to work to alleviate some of these security risks. The SSL certificate binds the domain name to the server name and the company name to the location, thereby forming the core of trust on the Web by ensuring the identity of the website. In other words, the certificate contains the server name, a trusted certificate authority (CA) that proves the authenticity of the certificate, and the server’s public encryption key.

If you are running a company and want to provide services online, the only way people can verify the identity of your domain name is through an SSL certificate, which will be issued by a trusted certificate authority (such as GlobalSign and DigiCert). SSL certificates work in conjunction with Transport Layer Security (TLS). Without an SSL certificate, you cannot use TLS to encrypt website traffic. TLS ensures that the connection between the client (browser) and the server (such as your web server) is:

  • Private (or secure) because symmetric encryption is used to encrypt the transmitted data
  • Reliable, because every transmitted message contains a message integrity check to prevent undetected loss or data changes during transmission
  • As we all know, because the server usually provides identification from its SSL certificate (including the server name, trusted certificate authority (CA) and the server’s public encryption key).

It should be known that anyone can create a certificate (self-signed certificate), but the browser only trusts certificates from organizations in its list of trusted CAs. A certificate authority or certificate authority (CA) is an entity that has undergone rigorous security audits and is therefore allowed to issue trusted digital certificates, which in turn confirm that the website owner is what they say is their true identity. The certificate issued by the CA to itself is called a trusted root certificate because it aims to establish the ultimate point of trust for the CA hierarchy.

In most cases, certificates are not issued directly from the root CA, but from intermediate CAs. The intermediate CA certificate is a subordinate certificate issued by a trusted root, and is specifically used to issue end entity server certificates. The result is a chain of trust that starts from the trusted root CA, ends at the middle, and ends with the SSL certificate issued to you. The use of intermediate certificates therefore provides a higher level of security because the CA does not need to issue certificates directly from the CA root certificate. Resources: Digicert KB .

Now that we are good with SSL certificates, TLS and certificate authorities, it is a good time to explore the CFSSL tool we have.

CFSSL includes:

  • A set of software packages for building custom TLS PKI tools
  • The cfssl program, which is a canonical command-line utility that uses the CFSSL software package.
  • The multirootca program, which is a certificate authority server that can use multiple signing keys.
  • The mkbundle program is used to build a certificate pool bundle.
  • The cfssljson program, which takes JSON output from the cfssl and multirootca programs and writes the certificate, key, CSR, and bundle to disk.

Install CFSSL on Linux

During this installation, I used Ubuntu 20.04. If you want to build cfssl and other tools (mkbundle, cfssljson, multirootca) from source code, you need an effective Go 1.12+ installation.

Install Go

First, prepare the server. I am updating and installing gcc on Ubuntu 20.04 as shown below.

                      
                        sudo apt update
                      
                    

Install required packages

                      
                        sudo apt install build-essential
                      
                    

The above command will install new packages including gcc, g++ and make.

To install Go in CentOS , Ubuntu and Linux Mint, please click the link below and then continue to install cfssl.

Install Go (Golang) on ​​Ubuntu/CentOS

The following commands will download, build and install all utilities (including cfssl, cfssljson and mkbundle, etc.).

                      
                        go get -u github.com/cloudflare/cfssl/cmd/...
                      
                    

The binary package will be available in your Go home directory:

                      
                        $ ls ~/go/bin/
cfssl  cfssl-bundle  cfssl-certinfo  cfssljson  cfssl-newkey  cfssl-scan  mkbundle  multirootca
                      
                    

Please note that if you only need to install cfssl separately, you only need to run

                      
                        go get -u github.com/cloudflare/cfssl/cmd/cfssl
                      
                    

How to use CFSSL

Now that cfssl is installed, we can continue to use it in our environment.

Initialize Certificate Authority (CA)

We will initialize a root CA for our environment. First, we must save the default cfssl options for future use and replacement.

                      
                        mkdir ~/cfssl
cd ~/cfssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
                      
                    

Edit the generated file to suit your environment

                      
                        $ vim ca-csr.json

{
    "CN": "Computingforgeeks CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "KE",
            "ST": "NB",
            "L": "Kenya",
            "O": "Computingforgeeks",
            "OU": "IT"
        }
    ]
}
                      
                    

I intend to create an intermediate certificate, and therefore add it to the configuration file in the configuration file. In the following steps, we will use the certificate in the following steps to create the corresponding configuration file. You will notice that the intermediate_ca configuration file has functions (usage) such as signing, client authentication, server authentication, certificate signing, key encryption, etc. This has a good effect on our intermediate CA.

                      
                        $ vim ca-config.json

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "intermediate_ca": {
        "usages": [
            "signing",
            "digital signature",
            "key encipherment",
            "cert sign",
            "crl sign",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h",
        "ca_constraint": {
            "is_ca": true,
            "max_path_len": 0, 
            "max_path_len_zero": true
        }
      },
      "peer": {
        "usages": [
            "signing",
            "digital signature",
            "key encipherment", 
            "client auth",
            "server auth"
        ],
        "expiry": "8760h"
      },
      "server": {
        "usages": [
          "signing",
          "digital signing",
          "key encipherment",
          "server auth"
        ],
        "expiry": "8760h"
      },
      "client": {
        "usages": [
          "signing",
          "digital signature",
          "key encipherment", 
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
                      
                    

Generate CA with specified options

                      
                        $ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

 [INFO] generating a new CA key and certificate from CSR
 [INFO] generate received request
 [INFO] received CSR
 [INFO] generating key: rsa-2048
 [INFO] encoded CSR
 [INFO] signed certificate with serial number 575514558967771581279537545623874943296973655847
                      
                    

The following files will be generated in the directory where you run the command. It consists of the root CA public key (ca.pem), private key (ca-key.pem) and certificate signing request (ca.csr). You should keep the private key as secure as possible.

  • ca-key.pem
  • casr
  • calcium

Now we have the most important root CA. The root CA will allow us to generate intermediate certificates. Just like a CA, you can use intermediate certificates to generate other intermediate certificates or directly sign certificates and keys.

We will create an intermediate CA. First, let’s create a new directory containing intermediate files:

                      
                        $ mkdir ~/cfssl/intermediate && cd ~/cfssl/intermediate
$ nano intermediate.json

{
  "CN": "Computingforgeeks Servers Intermediate CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C":  "KE",
      "L":  "Nairobi",
      "O":  "Geeks Servers",
      "OU": "Servers Intermediate CA",
      "ST": "Kileleshwa"
    }
  ],
  "ca": {
    "expiry": "42720h"
  }
}
                      
                    

After creating the configuration file, let’s create the intermediate public and private keys and the intermediate signature request.

                      
                        $ cfssl gencert -initca intermediate.json | cfssljson -bare intermediate_ca

 [INFO] generating a new CA key and certificate from CSR
 [INFO] generate received request
 [INFO] received CSR
 [INFO] generating key: rsa-2048
 [INFO] encoded CSR
 [INFO] signed certificate with serial number 49317059847143524717036065772346603828701272228


$ cfssl sign -ca ~/cfssl/ca.pem 
  -ca-key ~/cfssl/ca-key.pem 
  -config ~/cfssl/ca-config.json 
  -profile intermediate_ca intermediate_ca.csr | cfssljson -bare intermediate_ca

 [INFO] signed certificate with serial number 557857085402097518963872901169945507335721839653
                      
                    

You will notice that we are using the ca-config.json file we created earlier, which contains the corresponding configuration files, such as middle_ca, peer, server and client. Also, please note that we are using the middle_ca configuration file here. In addition, we also use the root public and private keys to sign our intermediate private and public keys. After that, our intermediate CA and key will be available. At this time, you can encrypt and hide the root CA private key in a very secure location.

Use cases for certificates

Let us assume that you want to obtain a domain name for your web server, such as computinggooglesyndication.com. The first thing you should do is generate a certificate signing request (CSR) for the server, similar to that shown in the JSON below.

                      
                        $ nano geekscsr.json

{
  "CN": "server.computinggooglesyndication.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
  {
    "C": "KE",
    "L": "Nairobi",
    "O": "IT Servers",
    "OU": "Computing Webserver1",
    "ST": "Kileleshwa"
  }
  ],
  "hosts": [
    "server1.computinggooglesyndication.com",
    "localhost"
  ]
}
                      
                    

To use the above configuration to generate a server certificate, simply do the following:

                      
                        $ cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config ~/cfssl/ca-config.json -profile=server geekscsr.json | cfssljson -bare web-server1

 [INFO] generate received request
 [INFO] received CSR
 [INFO] generating key: rsa-2048 
 [INFO] encoded CSR
 [INFO] signed certificate with serial number 548472281222429688545698573045498525083615863345
                      
                    

Make sure the intermediate_ca.pem geekscsr.json and intermediate_ca-key.pem files are in the directory where the command is run.

The above command will produce the following certificate file:

  • Web server 1.csr
  • web-server1-key.pem
  • Web server 1.pem

Bundled certificate

mkbundle is used to build root packages and intermediate packages for verifying certificates. It basically links the final certificate with the public key of the intermediate CA and the root CA. If you decide not to install everything at the beginning, you can install mkbundle using the following method:

                      
                        go get -u github.com/cloudflare/cfssl/cmd/mkbundle
                      
                    

It collects certificates, checks for CRL revocation (planned to provide OCSP support in the next release) and expired certificates, and bundles them into a file. It contains a directory of certificates and certificate files (may contain multiple certificates). For example, if there are many intermediate certificates in the middle of the directory, run:

                      
                        mkbundle -f bundle.crt intermediates
                      
                    

In order to bundle our certificates, please make sure that the root CA public key (ca.pem) and the intermediate public key are in the same directory. All of my will be copied into the intermediate directory. Let us follow the above convention to bundle the generated certificate.

                      
                        ##Copy Root CA Public and Intermediate CA public keys into the intermediate directory
$ cp ~/cfssl/ca.pem ~/cfssl/intermediate
$ cd ~/cfssl
$ mkbundle -f web-server1.crt intermediate

 [INFO] Found intermediate
 [INFO] Found intermediate/ca.pem
 [INFO] Loading intermediate/ca.pem
 [INFO] Validating CN=Computingforgeeks CA,OU=IT,O=Computingforgeeks,L=Kenya,ST=NB,C=KE
 [INFO] Found intermediate/intermediate_ca-key.pem
 [INFO] Loading intermediate/intermediate.json
 Loading intermediate/intermediate_ca-key.pem
 Skipping non-certificate
 [INFO] Found intermediate/intermediate_ca.csr
 [INFO] Found intermediate/intermediate_ca.pem
 [INFO] Loading intermediate/intermediate_ca.csr
 [INFO] Skipping non-certificate
 [INFO] Loading intermediate/intermediate_ca.pem
 [INFO] Validating CN=Computingforgeeks Servers Intermediate CA,OU=Servers Intermediate CA,O=Geeks Servers,L=Nairobi,ST=Kileleshwa,C=KE
 [INFO] Found intermediate/web-server1-key.pem
 [INFO] Found intermediate/web-server1.csr
 [INFO] Found intermediate/web-server1.pem
 [INFO] Loading intermediate/web-server1-key.pem
 [INFO] Skipping non-certificate
 [INFO] Loading intermediate/web-server1.csr
 [INFO] Skipping non-certificate
 [INFO] Loading intermediate/web-server1.pem
 [INFO] Validating CN=server.computinggooglesyndication.com,OU=Computing Webserver1,O=IT Servers,L=Nairobi,ST=Kileleshwa,C=KE
 [INFO] Wrote 3 certificates.
                      
                    

The above command will generate the web-server1.crt file in the directory where we are currently located. Now, we can copy and bundle the certificate into the known certificate directory in the server.

                      
                        cd ~/cfssl/
sudo cp web-server1.crt /etc/ssl/certs/
cd ~/cfssl/intermediate
sudo cp web-server1-key.pem web-server1.pem /etc/ssl/certs/
                      
                    

Test our certificate

To test the generated certificate, let’s install Apache and add the certificate path to its configuration file.

                      
                        sudo apt install apache2

##Enable ssl

sudo a2enmod ssl
                      
                    

Configure our server with SSL certificate

Create a configuration file.

                      
                        $ sudo vim /etc/apache2/sites-enabled/server1_computingexample_com.conf


                        
            
            
            
            
            
                          
             
             
             
             
             
              
              
              
              
              
                            
                ServerAdmin [email protected]
                ServerName server1.computinggooglesyndication.com

                DocumentRoot /var/www/html
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLEngine on

                ## HERE ARE OUR GENERATED CERTS!!
                SSLCertificateFile      /etc/ssl/certs/web-server1.pem  
                SSLCertificateKeyFile /etc/ssl/certs/web-server1-key.pem
                SSLCertificateChainFile /etc/ssl/certs/web-server1.crt
                
                            
              
              
              
              
              
               
               
               
               
               
                              
                                SSLOptions +StdEnvVars
                
                            
              
              
              
              
              
                            
              
              
              
              
              
               
               
               
               
               
                              
                                SSLOptions +StdEnvVars
                
                            
              
              
              
              
              
                          
             
             
             
             
             
                        
            
            
            
            
            
                      
                    

Add sample index.html file in DocumentRoot/var/www/html/

                      
                        cd /var/www/html/
sudo vim index.html



  
    
                        
            
            
            
            
            
                        
            
            
            
            
            
                        
            
            
            
            
            
                        
            
            
            
            
            
                        


                          Test SSL
                        
                        
            
            
            
            
            

Our Test Page has Loaded

Restart Apache and check if the page is loaded using https protocol

                      
                        sudo systemctl restart apache2
                      
                    

Visit our web server

If you have DNS, you can map FQDN to IP and use its domain name to load it directly from the browser. For me, I will load it using an IP with https protocol

                      
                        https://IP/
                      
                    

As you can confirm from the screenshot above, the issuer of the certificate is the intermediate CA we configured earlier in this tutorial, and the root CA is the first certificate we created. In order to make the root CA certificate trusted in your environment, you can add it to the “trusted key” in Windows or any platform used.

The best course to learn security:


Information security awareness-ISO 27001: 2013-COVID19 update

Information security awareness-ISO 27001: 2013-COVID19 update

★★★★☆
(11741)

$ 15.71

$ 84.17

In stock

Buy now

Udemy.com


Complete cybersecurity course: hackers exposed!

Complete cybersecurity course: hackers exposed!

★★★★☆
(28305)

$ 21.33

$ 134.68

In stock

Buy now

Udemy.com


Learn moral hacking from scratch

Learn moral hacking from scratch

★★★★★
(76828)

$ 19.08

$ 218.86

In stock

Buy now

Udemy.com

in conclusion

There, our PKI using CFSSL works well. You can modify it and use it to set up a complete PKI, especially when in a Kubernetes cluster. Otherwise, even if you continue to stay safe, please take care.

Other interesting guides:

Use Podman to set up Docker container registry and encrypt SSL

Let’s encrypt SSL certificate install Mastodon on Ubuntu 20.04/18.04

How to install SSL certificate on IIS web server

How to use OpenSSL to check SSL certificate expiration

The
You can support us by downloading this article in PDF format via the link below.

Download the guide in PDF format

turn off
The

The
The

Related Posts