Creating you own CA · Virtual Infra . OnLine

Creating and maintening your own certificates

There are hundreds of tutorial on how to create a public certificate (usually let’s encrypt) with private IPs but why do that when you can create your own CA with two simple commands

Before continuing I have to say, we can do exactly the same with openssl command, this tool just make everything way easier

1. Installing tools

What is Cfssl

CFSSL is CloudFlare’s PKI/TLS swiss army knife. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates. It requires Go 1.16+ to build.

For now we’re just going to use the binary to create both a CA and a certificate using the command line, our course we can have this running in a cointainer responding API calls

Cfssl

Depending on your favorite linux distro

dnf install cfssl
apt install cfssl

2. Setup the environment

Initialize a certificate authority

mkdir -p ~/cfssl/{ca,certs} && cd ~/cfssl
cfssl print-defaults config > ca/ca-config.json
cfssl print-defaults csr > ca/ca-csr.json

You have to tune any setting on your CA like expring times, create diferent profiles, etc

Please review both json files under the ca folder before proceed

Be nice with the expire setting on your CA (at least 5 years)

It’s always recomended to use a passphrase for your CA key file, needed later for creating new certificates

3. Generate a CA

cd ~/cfssl/ca
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

You’ll get following files

ca-key.pem
ca.csr
ca.pem

That’s it you can now distribute your new CA (ca.pem) just install it on any device as certificate

Never distribute the ca-key.pem file, that one is used to sign any new certificate you create

4. Generate server certificate

Create a certificate request and edit Json file according to your data

cfssl print-defaults csr > server.json

5. Sign the certificate request and return it

run command to create the certs using profile www

cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca/ca-config.json -profile=www certs/server.json | cfssljson -bare server

You’ll get following files

You can distribute these files to any webserver or system you need

server-key.pem
server.csr
server.pem

note: Certs must be 19800h or less to be valid in safari https://support.apple.com/en-us/HT210176

6. Verify data CA or Cert

openssl x509 -in ca.pem -text -noout
openssl x509 -in server.pem -text -noout
openssl x509 -in client.pem -text -noout

Reference Links

https://github.com/cloudflare/cfssl