The
You can support us by downloading this article in PDF format via the link below.
Download the guide in PDF format
turn off
The
The
The
CloudFlare’s PKI/TLS toolkit
Adapted from CFSSL GitHub page , CFSSL is CloudFlare’s open source PKI/TLS Swiss Army Knife. It is both a command-line tool and an HTTP API server for signing, verifying and bundling TLS certificates. It is unethical to bundle the right bundle together. If the operation is incorrect, it will soon become a nightmare for debugging. CloudFlare wrote CFSSL to make bundling easier. By choosing the correct certificate chain, CFSSL solves the balance between performance, security, and compatibility.
CFSSL Public key infrastructure Not only is it a tool for bundling certificates, but it can also be used as a CA. This is possible because it covers the basic functions of certificate creation, including creating private keys, constructing certificate signing requests and signing certificates.
Brief description of SSL certificate and TLS
As we all know, the Internet is a very insecure place, and every URL you click or every site you visit may not guarantee that it is the product it sells. Due to the nature of insecure websites in the large-scale World Wide Web, SSL certificates have begun to work to alleviate some of these security risks. The SSL certificate binds the domain name to the server name and the company name to the location, thereby forming the core of trust on the Web by ensuring the identity of the website. In other words, the certificate contains the server name, a trusted certificate authority (CA) that proves the authenticity of the certificate, and the server’s public encryption key.
If you are running a company and want to provide services online, the only way people can verify the identity of your domain name is through an SSL certificate, which will be issued by a trusted certificate authority (such as GlobalSign and DigiCert). SSL certificates work in conjunction with Transport Layer Security (TLS). Without an SSL certificate, you cannot use TLS to encrypt website traffic. TLS ensures that the connection between the client (browser) and the server (such as your web server) is:
- Private (or secure) because symmetric encryption is used to encrypt the transmitted data
- Reliable, because every transmitted message contains a message integrity check to prevent undetected loss or data changes during transmission
- As we all know, because the server usually provides identification from its SSL certificate (including the server name, trusted certificate authority (CA) and the server’s public encryption key).
It should be known that anyone can create a certificate (self-signed certificate), but the browser only trusts certificates from organizations in its list of trusted CAs. A certificate authority or certificate authority (CA) is an entity that has undergone rigorous security audits and is therefore allowed to issue trusted digital certificates, which in turn confirm that the website owner is what they say is their true identity. The certificate issued by the CA to itself is called a trusted root certificate because it aims to establish the ultimate point of trust for the CA hierarchy.
In most cases, certificates are not issued directly from the root CA, but from intermediate CAs. The intermediate CA certificate is a subordinate certificate issued by a trusted root, and is specifically used to issue end entity server certificates. The result is a chain of trust that starts from the trusted root CA, ends at the middle, and ends with the SSL certificate issued to you. The use of intermediate certificates therefore provides a higher level of security because the CA does not need to issue certificates directly from the CA root certificate. Resources: Digicert KB .
Now that we are good with SSL certificates, TLS and certificate authorities, it is a good time to explore the CFSSL tool we have.
CFSSL includes:
- A set of software packages for building custom TLS PKI tools
- The cfssl program, which is a canonical command-line utility that uses the CFSSL software package.
- The multirootca program, which is a certificate authority server that can use multiple signing keys.
- The mkbundle program is used to build a certificate pool bundle.
- The cfssljson program, which takes JSON output from the cfssl and multirootca programs and writes the certificate, key, CSR, and bundle to disk.
Install CFSSL on Linux
During this installation, I used Ubuntu 20.04. If you want to build cfssl and other tools (mkbundle, cfssljson, multirootca) from source code, you need an effective Go 1.12+ installation.
Install Go
First, prepare the server. I am updating and installing gcc on Ubuntu 20.04 as shown below.
sudo apt update
Install required packages
sudo apt install build-essential
The above command will install new packages including gcc, g++ and make.
To install Go in CentOS , Ubuntu and Linux Mint, please click the link below and then continue to install cfssl.
Install Go (Golang) on Ubuntu/CentOS
The following commands will download, build and install all utilities (including cfssl, cfssljson and mkbundle, etc.).
go get -u github.com/cloudflare/cfssl/cmd/...
The binary package will be available in your Go home directory:
$ ls ~/go/bin/
cfssl cfssl-bundle cfssl-certinfo cfssljson cfssl-newkey cfssl-scan mkbundle multirootca
Please note that if you only need to install cfssl separately, you only need to run
go get -u github.com/cloudflare/cfssl/cmd/cfssl
How to use CFSSL
Now that cfssl is installed, we can continue to use it in our environment.
Initialize Certificate Authority (CA)
We will initialize a root CA for our environment. First, we must save the default cfssl options for future use and replacement.
mkdir ~/cfssl
cd ~/cfssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
Edit the generated file to suit your environment
$ vim ca-csr.json
{
"CN": "Computingforgeeks CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "KE",
"ST": "NB",
"L": "Kenya",
"O": "Computingforgeeks",
"OU": "IT"
}
]
}
I intend to create an intermediate certificate, and therefore add it to the configuration file in the configuration file. In the following steps, we will use the certificate in the following steps to create the corresponding configuration file. You will notice that the intermediate_ca configuration file has functions (usage) such as signing, client authentication, server authentication, certificate signing, key encryption, etc. This has a good effect on our intermediate CA.
$ vim ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"intermediate_ca": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign",
"server auth",
"client auth"
],
"expiry": "8760h",
"ca_constraint": {
"is_ca": true,
"max_path_len": 0,
"max_path_len_zero": true
}
},
"peer": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth",
"server auth"
],
"expiry": "8760h"
},
"server": {
"usages": [
"signing",
"digital signing",
"key encipherment",
"server auth"
],
"expiry": "8760h"
},
"client": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"client auth"
],
"expiry": "8760h"
}
}
}
}
Generate CA with specified options
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[INFO] generating a new CA key and certificate from CSR
[INFO] generate received request
[INFO] received CSR
[INFO] generating key: rsa-2048
[INFO] encoded CSR
[INFO] signed certificate with serial number 575514558967771581279537545623874943296973655847
The following files will be generated in the directory where you run the command. It consists of the root CA public key (ca.pem), private key (ca-key.pem) and certificate signing request (ca.csr). You should keep the private key as secure as possible.
- ca-key.pem
- casr
- calcium
Now we have the most important root CA. The root CA will allow us to generate intermediate certificates. Just like a CA, you can use intermediate certificates to generate other intermediate certificates or directly sign certificates and keys.
We will create an intermediate CA. First, let’s create a new directory containing intermediate files:
$ mkdir ~/cfssl/intermediate && cd ~/cfssl/intermediate
$ nano intermediate.json
{
"CN": "Computingforgeeks Servers Intermediate CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "KE",
"L": "Nairobi",
"O": "Geeks Servers",
"OU": "Servers Intermediate CA",
"ST": "Kileleshwa"
}
],
"ca": {
"expiry": "42720h"
}
}
After creating the configuration file, let’s create the intermediate public and private keys and the intermediate signature request.
$ cfssl gencert -initca intermediate.json | cfssljson -bare intermediate_ca
[INFO] generating a new CA key and certificate from CSR
[INFO] generate received request
[INFO] received CSR
[INFO] generating key: rsa-2048
[INFO] encoded CSR
[INFO] signed certificate with serial number 49317059847143524717036065772346603828701272228
$ cfssl sign -ca ~/cfssl/ca.pem
-ca-key ~/cfssl/ca-key.pem
-config ~/cfssl/ca-config.json
-profile intermediate_ca intermediate_ca.csr | cfssljson -bare intermediate_ca
[INFO] signed certificate with serial number 557857085402097518963872901169945507335721839653
You will notice that we are using the ca-config.json file we created earlier, which contains the corresponding configuration files, such as middle_ca, peer, server and client. Also, please note that we are using the middle_ca configuration file here. In addition, we also use the root public and private keys to sign our intermediate private and public keys. After that, our intermediate CA and key will be available. At this time, you can encrypt and hide the root CA private key in a very secure location.
Use cases for certificates
Let us assume that you want to obtain a domain name for your web server, such as computinggooglesyndication.com. The first thing you should do is generate a certificate signing request (CSR) for the server, similar to that shown in the JSON below.
$ nano geekscsr.json
{
"CN": "server.computinggooglesyndication.com",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "KE",
"L": "Nairobi",
"O": "IT Servers",
"OU": "Computing Webserver1",
"ST": "Kileleshwa"
}
],
"hosts": [
"server1.computinggooglesyndication.com",
"localhost"
]
}
To use the above configuration to generate a server certificate, simply do the following:
$ cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config ~/cfssl/ca-config.json -profile=server geekscsr.json | cfssljson -bare web-server1
[INFO] generate received request
[INFO] received CSR
[INFO] generating key: rsa-2048
[INFO] encoded CSR
[INFO] signed certificate with serial number 548472281222429688545698573045498525083615863345
Make sure the intermediate_ca.pem geekscsr.json and intermediate_ca-key.pem files are in the directory where the command is run.
The above command will produce the following certificate file:
- Web server 1.csr
- web-server1-key.pem
- Web server 1.pem
Bundled certificate
mkbundle is used to build root packages and intermediate packages for verifying certificates. It basically links the final certificate with the public key of the intermediate CA and the root CA. If you decide not to install everything at the beginning, you can install mkbundle using the following method:
go get -u github.com/cloudflare/cfssl/cmd/mkbundle
It collects certificates, checks for CRL revocation (planned to provide OCSP support in the next release) and expired certificates, and bundles them into a file. It contains a directory of certificates and certificate files (may contain multiple certificates). For example, if there are many intermediate certificates in the middle of the directory, run:
mkbundle -f bundle.crt intermediates
In order to bundle our certificates, please make sure that the root CA public key (ca.pem) and the intermediate public key are in the same directory. All of my will be copied into the intermediate directory. Let us follow the above convention to bundle the generated certificate.
##Copy Root CA Public and Intermediate CA public keys into the intermediate directory
$ cp ~/cfssl/ca.pem ~/cfssl/intermediate
$ cd ~/cfssl
$ mkbundle -f web-server1.crt intermediate
[INFO] Found intermediate
[INFO] Found intermediate/ca.pem
[INFO] Loading intermediate/ca.pem
[INFO] Validating CN=Computingforgeeks CA,OU=IT,O=Computingforgeeks,L=Kenya,ST=NB,C=KE
[INFO] Found intermediate/intermediate_ca-key.pem
[INFO] Loading intermediate/intermediate.json
Loading intermediate/intermediate_ca-key.pem
Skipping non-certificate
[INFO] Found intermediate/intermediate_ca.csr
[INFO] Found intermediate/intermediate_ca.pem
[INFO] Loading intermediate/intermediate_ca.csr
[INFO] Skipping non-certificate
[INFO] Loading intermediate/intermediate_ca.pem
[INFO] Validating CN=Computingforgeeks Servers Intermediate CA,OU=Servers Intermediate CA,O=Geeks Servers,L=Nairobi,ST=Kileleshwa,C=KE
[INFO] Found intermediate/web-server1-key.pem
[INFO] Found intermediate/web-server1.csr
[INFO] Found intermediate/web-server1.pem
[INFO] Loading intermediate/web-server1-key.pem
[INFO] Skipping non-certificate
[INFO] Loading intermediate/web-server1.csr
[INFO] Skipping non-certificate
[INFO] Loading intermediate/web-server1.pem
[INFO] Validating CN=server.computinggooglesyndication.com,OU=Computing Webserver1,O=IT Servers,L=Nairobi,ST=Kileleshwa,C=KE
[INFO] Wrote 3 certificates.
The above command will generate the web-server1.crt file in the directory where we are currently located. Now, we can copy and bundle the certificate into the known certificate directory in the server.
cd ~/cfssl/
sudo cp web-server1.crt /etc/ssl/certs/
cd ~/cfssl/intermediate
sudo cp web-server1-key.pem web-server1.pem /etc/ssl/certs/
Test our certificate
To test the generated certificate, let’s install Apache and add the certificate path to its configuration file.
sudo apt install apache2
##Enable ssl
sudo a2enmod ssl
Configure our server with SSL certificate
Create a configuration file.
$ sudo vim /etc/apache2/sites-enabled/server1_computingexample_com.conf
ServerAdmin [email protected]
ServerName server1.computinggooglesyndication.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
## HERE ARE OUR GENERATED CERTS!!
SSLCertificateFile /etc/ssl/certs/web-server1.pem
SSLCertificateKeyFile /etc/ssl/certs/web-server1-key.pem
SSLCertificateChainFile /etc/ssl/certs/web-server1.crt
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
Add sample index.html file in DocumentRoot/var/www/html/
cd /var/www/html/
sudo vim index.html
Test SSL
Our Test Page has Loaded
Restart Apache and check if the page is loaded using https protocol
sudo systemctl restart apache2
Visit our web server
If you have DNS, you can map FQDN to IP and use its domain name to load it directly from the browser. For me, I will load it using an IP with https protocol
https://IP/
As you can confirm from the screenshot above, the issuer of the certificate is the intermediate CA we configured earlier in this tutorial, and the root CA is the first certificate we created. In order to make the root CA certificate trusted in your environment, you can add it to the “trusted key” in Windows or any platform used.
The best course to learn security:
Information security awareness-ISO 27001: 2013-COVID19 update
★★★★☆
(11741)
$ 15.71
$ 84.17
In stock
Udemy.com
Complete cybersecurity course: hackers exposed!
★★★★☆
(28305)
$ 21.33
$ 134.68
In stock
Udemy.com
Learn moral hacking from scratch
★★★★★
(76828)
$ 19.08
$ 218.86
In stock
Udemy.com
in conclusion
There, our PKI using CFSSL works well. You can modify it and use it to set up a complete PKI, especially when in a Kubernetes cluster. Otherwise, even if you continue to stay safe, please take care.
Other interesting guides:
Use Podman to set up Docker container registry and encrypt SSL
Let’s encrypt SSL certificate install Mastodon on Ubuntu 20.04/18.04
How to install SSL certificate on IIS web server
How to use OpenSSL to check SSL certificate expiration
The
You can support us by downloading this article in PDF format via the link below.
Download the guide in PDF format
turn off
The
The
The
