Foreword
The domain names, organizations and other potentially sensitive content appearing in this article are placeholders used in a temporary debugging and testing environment and have nothing to do with reality. Do not use them for impersonation or any illegal purpose.
The server certificate and CA generated this way are not trusted by any public platform or large vendor (such as Microsoft, Apple or Google), nor do they grant any rights over the domain names they mention; misusing them may put your property and personal safety at risk.
Yesterday I refreshed the old article from early 2021, https://www.blueskyxn.com/202101/3744.html, and today another group of friends sent me a few new toys. I had a look: it was interesting and didn't seem troublesome, so let's learn it.
The toy used this time is https://github.com/cloudflare/cfssl, which looks substantial enough.
Process
Set up the environment -> download the binaries -> write the CA configuration files -> generate the CA material -> write the server-certificate CSR file -> generate the server-certificate material -> use it (pick out the PEM, KEY and other files you need and configure trust).
The environment is just Linux; I am on CentOS 7 with the Pagoda (BT) panel, working over SSH.
Download
From https://github.com/cloudflare/cfssl/releases download the binaries you want directly into any directory; I put them all in the /root/cfssl folder.
You can download them manually, through the BT panel, with wget, and so on. Just drop them in; there is no need for tiring install or compile steps, so just move the files.
Remember to strip the version number and platform suffix from the file names. The main files are cfssl and cfssljson; cfssl-certinfo is also used below to inspect the results.
Configure CA Profile
Adjust permissions first:
chmod +x cfssl*
If you still get a permission error, 755 is sufficient; there is no reason to use 777. If the files are executable but still refuse to run, check whether the filesystem they sit on is mounted noexec.
Then generate the default configurations:
./cfssl print-defaults config > ca-config.json
./cfssl print-defaults csr > ca-csr.json
The default configuration is shown in the figure.
Then you can fine-tune, test, learn and use it according to your own situation. For example, the test configuration file is as follows.
Note that the O here is what the Pagoda panel displays as the "certificate brand", and the CN here becomes the issuer name on every certificate the CA signs.
Generally speaking, RSA 2048 is sufficient (the default CSR cfssl prints uses ECDSA P-256, which is also fine; RSA below 2048 bits is rejected by cfssl).
Notes on the entries (ca-config)
- kubernetes: the name of a profile; this one says the configuration is meant to issue certificates for Kubernetes. The name is what you pass to gencert with -profile=, so it must match exactly
- signing: the issued certificate may be used for digital signatures (the keyUsage digitalSignature bit). It does not make the certificate a CA; the CA=TRUE basic constraint in ca.pem comes from gencert -initca, not from this usage
- server auth: certificates issued under this profile carry the serverAuth extended key usage, i.e. they may identify a TLS server
- client auth: certificates issued under this profile carry the clientAuth extended key usage, i.e. they may identify a TLS client
- expiry: the validity period of certificates issued under the profile, as a Go duration (8760h is one year). A profile's value overrides the default block; if neither is set, cfssl's built-in default applies
Notes on the entries (ca-csr)
- CN: Common Name, usually the domain name. Very important, but note that modern browsers (Chrome since version 58) no longer match the host name against CN; they only look at the Subject Alternative Name extension, which cfssl builds from hosts
- key: the algorithm and size of the key to generate
- hosts: the host names (domain names) or IPs the requested certificate may be used for; cfssl puts them in the SAN extension. Leaving it empty or "" does not mean "all hosts": it produces a certificate with no SAN (cfssl warns about this), which browsers reject for every host name. The CA CSR in this example has no hosts field, which is normal for a CA
- names: the remaining subject attributes
- C: Country
- ST: State or province
- L: Locality, i.e. region or city
- O: Organization Name, i.e. company name (Kubernetes uses O as the group name for RBAC bindings)
- OU: Organizational Unit Name, i.e. company department
Generate CA certificate
./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca
Remember to run the command from the directory that holds the files (cd into it first).
You can then see that several files starting with ca are generated: ca.csr, ca-key.pem and ca.pem.
Note that this is not a server certificate; the effect of loading it into Pagoda SSL is as shown in the figure.
Check the contents; the effect is as shown in the figure.
./cfssl-certinfo -cert ca.pem
Configuring the Server Certificate CSR
Copy the CA's CSR file (ca-csr.json), adjust the contents and rename it; the effect is as shown in the figure. The CN is the primary domain name of the SSL certificate, and every name the certificate must cover, the CN included, goes into hosts as well.
Generate server certificate related materials
./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www gov-csr.json | ./cfssljson -bare gov
Pay attention to the file names, especially the format of the -profile= argument: the value after = is the profile name from ca-config.json (the default configuration ships with www and client), and after the space comes the CSR file name. If the profile name is omitted or misspelled, the result is as shown in the figure.
The correct result is as shown.
These files are then generated: gov.csr, gov-key.pem and gov.pem.
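The two entry lists above and the profile-name error just described can be checked before ever running cfssl. The following linter is an added example written for this page, not part of cfssl or of the original post: it reads a ca-config.json and a CSR json, checks that the requested profile exists, that every usage is a name cfssl knows (the usage tables are transcribed from my reading of cfssl's config package and should be treated as an assumption to verify against your version), that expiry is a Go duration, that a server-auth CSR has a non-empty hosts list, and that the key size is one cfssl accepts. The sample files are constructed for the example.

```python
import json
import re

# Usage names cfssl accepts in a profile's "usages" list. Transcribed from my
# reading of cfssl's config package; treat these tables as an assumption and
# check them against the cfssl version you actually run.
KEY_USAGES = {
    "signing", "digital signature", "content commitment", "key encipherment",
    "key agreement", "data encipherment", "cert sign", "crl sign",
    "encipher only", "decipher only",
}
EXT_KEY_USAGES = {
    "any", "server auth", "client auth", "code signing", "email protection",
    "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping",
    "ocsp signing", "microsoft sgc", "netscape sgc",
}

_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}


def parse_go_duration(text):
    """Seconds for a Go-style duration such as '8760h' or '1h30m'; None if malformed."""
    if not isinstance(text, str) or not re.fullmatch(r"(?:\d+(?:\.\d+)?(?:ns|us|ms|s|m|h))+", text):
        return None
    return sum(float(n) * _UNIT_SECONDS[u] for n, u in _DURATION_PART.findall(text))


def lint_profile(config, profile):
    """Problems with the profile you would pass to 'cfssl gencert -profile=...'."""
    problems = []
    signing = config.get("signing", {})
    profiles = signing.get("profiles", {})
    if profile not in profiles:
        # The failure the text describes: a missing or misspelled profile name.
        problems.append("profile %r not found in ca-config; available: %s"
                        % (profile, sorted(profiles) or "none"))
        return problems
    p = profiles[profile]
    if not p.get("usages"):
        problems.append("profile %r has no usages" % profile)
    for usage in p.get("usages", []):
        if usage not in KEY_USAGES and usage not in EXT_KEY_USAGES:
            problems.append("profile %r: unknown usage %r" % (profile, usage))
    expiry = p.get("expiry") or signing.get("default", {}).get("expiry")
    if expiry is not None and parse_go_duration(expiry) is None:
        problems.append("profile %r: expiry %r is not a Go duration such as 8760h" % (profile, expiry))
    return problems


def lint_csr(csr, usages):
    """Problems with a CSR json, given the usages of the profile it will be signed under."""
    problems = []
    if not csr.get("CN"):
        problems.append("CSR: CN is empty")
    hosts = [h for h in csr.get("hosts", []) if h]
    if "server auth" in usages and not hosts:
        # Browsers match the SAN extension, which cfssl builds from "hosts"; an
        # empty list yields a certificate with no SAN that no browser accepts.
        problems.append("CSR: hosts is empty, so the server certificate will carry no SAN")
    key = csr.get("key", {})
    algo, size = key.get("algo"), key.get("size")
    if algo == "rsa" and (not isinstance(size, int) or size < 2048):
        problems.append("CSR: rsa key size %r is below the 2048-bit minimum cfssl accepts" % (size,))
    elif algo == "ecdsa" and size not in (256, 384, 521):
        problems.append("CSR: ecdsa size must be 256, 384 or 521")
    elif algo not in ("rsa", "ecdsa", "ed25519"):
        problems.append("CSR: unsupported key algo %r" % (algo,))
    return problems


def check(config_json, csr_json, profile):
    """Lint a ca-config.json and a CSR json together; returns a list of problem strings."""
    config = json.loads(config_json)
    csr = json.loads(csr_json)
    problems = lint_profile(config, profile)
    usages = config.get("signing", {}).get("profiles", {}).get(profile, {}).get("usages", [])
    return problems + lint_csr(csr, usages)


# Constructed sample files (not the author's), in the shape cfssl print-defaults produces.
CA_CONFIG = """{
  "signing": {
    "default": {"expiry": "168h"},
    "profiles": {
      "www":    {"expiry": "8760h", "usages": ["signing", "key encipherment", "server auth"]},
      "client": {"expiry": "8760h", "usages": ["signing", "key encipherment", "client auth"]}
    }
  }
}"""
GOOD_CSR = """{"CN": "www.example.test", "hosts": ["www.example.test", "example.test"],
  "key": {"algo": "rsa", "size": 2048}, "names": [{"C": "CN", "O": "Example Org"}]}"""
BAD_CSR = """{"CN": "www.example.test", "hosts": [], "key": {"algo": "rsa", "size": 1024}}"""

if __name__ == "__main__":
    for label, csr, profile in (("good", GOOD_CSR, "www"), ("bad csr", BAD_CSR, "www"),
                                ("wrong profile", GOOD_CSR, "kubernetes")):
        print(label, check(CA_CONFIG, csr, profile) or "ok")
```

Run it with the real files by reading them into the two strings; a clean result means the gencert command on this page has a profile to find and the browser will have a SAN to match.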
Use
Of the files produced for the server certificate, the pem is the certificate and the key is the private key (you can tell them apart by the BEGIN line).
Install it on the host to see the preview effect.
It is not trusted by any platform by default, but you can add the trust manually.
For example, in Chrome it is here:
Settings – Privacy and security – Security – Manage Certificates – Trusted Root Certification Authorities – Import (on Windows this is the operating-system certificate store, so the trust also applies to Edge and other programs that use it)
You can see that these files are required.
Earlier we obtained the CA's pem and key. Rename ca.pem to ca.crt and import it; that is all a trust store needs. When I tested it I also imported a file made by merging the pem and key, and it worked, but the key adds nothing there and should never be imported or copied around: the CA private key must stay on the machine that signs with it, because anyone holding it can issue certificates every browser with that root installed will accept. Import the certificate alone.
Leave the advanced options untouched.
Once this is done, Chrome no longer shows the warning.
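Because the trust step above is where the CA key is most likely to leak (it is tempting to import the merged file), the following helper is an added example written for this page, not part of the original post or of cfssl: it splits a PEM file or bundle into its blocks by their BEGIN label, which is the distinction the "use" section draws between the pem (certificate) and key files, and produces import material that contains only the CERTIFICATE blocks while reporting any private key it dropped. The sample input is a constructed stand-in for a merged ca.pem plus ca-key.pem; its DER bodies are tiny placeholder SEQUENCEs, not real certificates or keys.

```python
import base64
import re

# One PEM block: label in the BEGIN line, base64 body, matching END line.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels that denote private key material (PKCS#8, PKCS#1 RSA, SEC1 EC, encrypted PKCS#8).
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def split_pem(text):
    """Return [(label, der_bytes), ...] for every block in a PEM file or bundle.

    Raises ValueError if a body is not valid base64 or is not a DER SEQUENCE
    (a truncated or garbled file, which cfssljson would not have written).
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            # Every X.509 certificate and every common key encoding is a DER SEQUENCE.
            raise ValueError("block %r does not decode to a DER SEQUENCE" % label)
        blocks.append((label, der))
    return blocks


def trust_store_material(text):
    """Keep only CERTIFICATE blocks, which is all a root store should ever be given.

    Returns (cert_pem, dropped_labels). Any private key in the input is dropped
    and reported; it belongs on the signing machine and nowhere else.
    """
    kept, dropped = [], []
    for label, der in split_pem(text):
        if label == "CERTIFICATE":
            b64 = base64.b64encode(der).decode("ascii")
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            kept.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines))
        else:
            dropped.append(label)
    return "".join(kept), dropped


def _fake_block(label, der):
    """Wrap constructed DER bytes in a PEM block (a placeholder, not a real cert or key)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode("ascii"), label)


# Constructed stand-in for 'cat ca.pem ca-key.pem > ca.crt': two tiny DER SEQUENCEs.
MERGED_FILE = (_fake_block("CERTIFICATE", b"\x30\x03\x02\x01\x01")
               + _fake_block("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x02"))

if __name__ == "__main__":
    cert_only, dropped = trust_store_material(MERGED_FILE)
    print(cert_only, end="")
    print("dropped:", dropped)
```

Point it at the real file before importing: if dropped is not empty, the file you were about to hand to the browser contained a private key.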
Then clean up the experimental environment, including deleting the CA key.
This article is reprinted from https://www.blueskyxn.com/202208/6491.html
This site only archives it; the copyright belongs to the original author.