SSL certificate series tutorial: building your own CA and self-signed certificates, with a practical demonstration (based on the CFSSL open-source tool)


The domain names, organizations and other sensitive names that appear in this article are placeholders chosen in a temporary debugging and testing environment to make the steps easier to remember; they have nothing to do with reality. Do not use them for impersonation or any illegal purpose.

A server certificate and CA generated this way are not trusted by any public platform or large vendor (Microsoft, Apple, Google and so on), nor do they grant any rights over domain name resolution; misusing them may put your property and personal safety at risk.

Yesterday I refreshed an old article from early 2021, and today another group of friends sent me a few new toys. I took a look; it was interesting and did not seem troublesome, so let’s learn it.

The toy used this time is CFSSL, which looks substantial enough.


Overall flow: configure the environment -> download the program -> write the CA configuration files -> generate the CA material -> write the server certificate configuration file -> generate the server certificate material -> use it (trim the material into the PEM, KEY and other files you need, and configure trust).

The environment is just Linux; mine is CentOS 7 with the Pagoda (BT) panel, working over SSH.

Download: fetch all the binaries you need directly into any directory. I put them all in the /root/cfssl folder.

You can download them manually, through the BT panel, with wget, and so on. Just drop them in; there is no tiresome install or compile step at all. In short, just move the files into place.

Remember to remove the version number from each file name. The main files are cfssl and cfssljson (cfssl-certinfo is used later to inspect certificates).


Configure the CA configuration files

Adjust permissions first:

 chmod +x cfssl*

If there is still a permission error, set the mode explicitly: 755 is sufficient (775/777 also work, but grant more than the binaries need).

Then generate the default configuration files:

 ./cfssl print-defaults config > ca-config.json
 ./cfssl print-defaults csr > ca-csr.json



The default configuration, for reference, is shown in the figure.



Then you can fine-tune, test, learn and use it according to your own situation. For example, the test configuration file looks like this:



Note that O here is what the Pagoda panel displays as the “certificate brand”, and CN here becomes the issuer name.

Generally speaking, RSA 2048 is fine for the key.

Notes on the entries (ca-config)

  • kubernetes: the name of this profile; it indicates that the profile is meant to issue certificates for kubernetes and the related verification work. The entries under it are the usages an issued certificate is allowed:
    • signing: the certificate can be used to sign other certificates; the generated ca.pem carries CA=TRUE
    • server auth: the CA can verify a certificate presented by a server
    • client auth: the CA can verify a certificate presented by a client
  • expiry: the validity period; if omitted, the default applies

Notes on the entries (ca-csr)

  • CN: Common Name. Browsers use this field to check whether the site is legitimate, so it is usually the domain name. Very important.
  • key: the algorithm (and size) used to generate the certificate key
  • hosts: which host names (domain names) or IPs may use the certificate requested by this CSR; empty or “” means any may use it (this example has no hosts field). For a server certificate, list every domain and IP the site is reached by, since browsers match this list.
  • names: some other attributes:
    • C: Country
    • ST: State or province
    • L: Locality Name, the region or city
    • O: Organization Name, the company name (in kubernetes this is used for the Group in RBAC bindings)
    • OU: Organization Unit Name, the company department

Generate CA certificate

 ./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca

Remember to execute the command in the file directory (cd into it)


Then you can see that several files starting with ca are generated: ca.csr, ca-key.pem and ca.pem.


Note that this is not a server certificate; what happens if you plug it into Pagoda’s SSL settings is shown in the figure.


Inspect its contents; the result is shown in the figure.

 ./cfssl-certinfo -cert ca.pem


Configure the server certificate configuration file

Copy the CA CSR file, adjust its contents and rename it (gov-csr.json in this test); the result is shown in the figure. The CN at the top is the primary domain name of the SSL certificate.


Generate server certificate related materials

 ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www gov-csr.json | ./cfssljson -bare gov

Check the file names carefully, especially the -profile argument: the value after = is the profile name from ca-config.json (www by default), and after a space comes the CSR file name. If the profile is missing or misspelled, you get the error shown in the figure.


When it is correct, it looks like this:


Then these files are generated: gov.csr, gov-key.pem and gov.pem.



Of the files produced for the server certificate, the .pem holds the certificate and the -key.pem holds the private key (you can tell them apart from the BEGIN line).
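The whole procedure above (ca-config.json with its profiles, the CA CSR, a server CSR with a hosts list, and the two gencert commands) as one added script; this is example code, not the original post’s files. All names in it (Demo Lab, www.example.test, 10.0.0.5) are constructed placeholders, and it assumes cfssl and cfssljson are on PATH for the issuing step.

```shell
#!/bin/sh
# Added example (not from the original post): writes the CFSSL inputs the tutorial
# describes, then runs the tutorial's gencert commands. Names are constructed placeholders.
# ca-config.json: "www" is the -profile used later; "usages" is what an issued
# certificate may be used for, "expiry" its lifetime (8760h = one year).
write_ca_config() {
  cat <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h" },
    "profiles": {
      "www":    { "expiry": "8760h", "usages": ["signing", "key encipherment", "server auth", "client auth"] },
      "client": { "expiry": "8760h", "usages": ["signing", "key encipherment", "client auth"] }
    }
  }
}
EOF
}
# ca-csr.json: CN becomes the issuer name, O the organization; RSA 2048 as in the post.
write_ca_csr() {
  cat <<'EOF'
{
  "CN": "Demo Lab Root CA",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [{ "C": "CN", "ST": "Demo", "L": "Demo", "O": "Demo Lab", "OU": "IT" }]
}
EOF
}
# Server CSR: CN is the primary domain; "hosts" must list every domain and IP the
# site is reached by, because browsers match the SAN list, not CN.
write_server_csr() {
  cat <<'EOF'
{
  "CN": "www.example.test",
  "key": { "algo": "rsa", "size": 2048 },
  "hosts": ["www.example.test", "example.test", "10.0.0.5"],
  "names": [{ "C": "CN", "ST": "Demo", "L": "Demo", "O": "Demo Lab", "OU": "Web" }]
}
EOF
}
# Writes the three JSON files into $1, then issues the CA and the server cert with the
# tutorial's commands and checks the chain. Returns 2 (files written, nothing issued) without cfssl.
issue_certs() {
  dir="${1:-.}"; mkdir -p "$dir"
  write_ca_config >"$dir/ca-config.json"; write_ca_csr >"$dir/ca-csr.json"; write_server_csr >"$dir/server-csr.json"
  command -v cfssl >/dev/null 2>&1 && command -v cfssljson >/dev/null 2>&1 || return 2
  ( cd "$dir" && cfssl gencert -initca ca-csr.json | cfssljson -bare ca &&
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server &&
    openssl verify -CAfile ca.pem server.pem )   # server.pem must validate against the new CA
}
```

Run it as `sh script.sh` after adding `issue_certs ./demo` at the bottom; only ca.pem is what gets imported into a trust store later, while ca-key.pem and server-key.pem stay private on the server.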


Edit the hosts file to point the test domain at the server and see the preview effect.



It is not trusted by any platform by default, but you can add the trust manually.

For example, in Chrome it is here:


Manage Certificates – Trusted Root Certification Authorities – Import

You can see which file types are accepted:


I got the CA’s pem and key earlier; just rename the CA’s pem to .crt and import it. Of course, you can also merge the pem and key and then rename the result to .crt. When I tested it, I imported the merged file, no problem.



Then, under Advanced, nothing needs to be changed.


After this is done, Chrome will no longer show the warning page.


Then clean up the experimental environment.


