Warning

This version of ScalarDL is no longer supported. For details, see the Release Support Policy.

How to start CA sever with CFSSL

This document describes how to start CA server with CFSSL.

Prerequisites

We basically use CFSSL components for CA server and certificate handling.

Create a Root CA certificate

Create a CSR file in json format as follows.

[ca-csr.json]
{
  "CN": "Sample Root CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C":  "JP",
      "L":  "Tokyo",
      "O":  "Sample Root CA",
      "ST": "Tokyo"
    }
  ]
}

Generate a self-signed certificate and a private key based on the CSR.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca

$ ls
ca-csr.json ca-key.pem  ca.csr      ca.pem

Create a database for storing certificates

it needs a database for storing keys/certificate information. CFSSL currently supports MySQL, PostgreSQL and SQLite. We use SQLite this time for simplicity.

$ go get bitbucket.org/liamstask/goose/cmd/goose   
$ goose -path $GOPATH/src/github.com/cloudflare/cfssl/certdb/sqlite up

This will create a certstore_development.db in the current location.

Create configration files for CA server

Configure signing algorithm, endpoint url and usages e imtermediate servers etc. It assumes the server runs in a local environment only.

[cfssl-config.json]
{
  "signing": {
    "default": {
      "ocsp_url": "http://localhost:8889",
      "crl_url": "http://localhost:8888/crl",
      "expiry": "26280h",
      "usages": [
        "signing",
        "key encipherment",
        "client auth"
      ]
    },
    "profiles": {
      "ocsp": {
        "usages": ["digital signature", "ocsp signing"],
        "expiry": "26280h"
      },
      "intermediate": {
        "usages": ["cert sign", "crl sign"],
        "expiry": "26280h",
        "ca_constraint": {"is_ca": true}
      },
      "server": {
        "usages": ["signing", "key encipherment", "server auth"],
        "expiry": "26280h"
      },
      "client": {
        "usages": ["signing", "key encipherment", "client auth"],
        "expiry": "26280h"
      }
    }
  }
}

TODO: explore more about the configuration

Then, create a config file for database to point at the database file created in the previous section.

[db-config.json]
{
  "driver":"sqlite3",
  "data_source":"certstore_development.db"
}

Create an intermediate CA certificate

This step is similar to generating root ca cert.

[server-ca.csr.json]
{
  "CN": "Sample Intermediate CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C":  "JP",
      "L":  "Tokyo",
      "O":  "Sample Intermediate CA",
      "ST": "Tokyo"
    }
  ]
}

The main differences are specifying the Root CA (-ca -ca-key) and the cfssl config (-cfssl-config) instead of -initca option.

$ cfssl gencert -ca ca.pem -ca-key ca-key.pem -config cfssl-config.json -profile "intermediate" server-ca.csr.json | cfssljson -bare ca-server

Generate a OCSP server certificate

NOTE: OCSP is an internet protocol used for obtaining the revocation status of an X.509 digital certificate.

[ocsp.csr.json]
{
  "CN": "Sample OCSP",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C":  "JP",
      "L":  "Tokyo",
      "O":  "Sample OCSP",
      "ST": "Tokyo"
    }
  ]
}
$ cfssl gencert -ca ca-server.pem -ca-key ca-server-key.pem -config cfssl-config.json -profile "ocsp" ocsp.csr.json | cfssljson -bare server-ocsp

Start servers

It’s all ready now. Let’s start the servers.

CA server

$ cfssl serve -db-config db-config.json -ca-key ca-server-key.pem -ca ca-server.pem -config cfssl-config.json -responder server-ocsp.pem -responder-key server-ocsp-key.pem

OCSP server

$ cfssl ocsprefresh -db-config db-config.json -responder server-ocsp.pem -responder-key server-ocsp-key.pem -ca ca-server.pem

// Bundle the Root CA and Intermediate CA
$ cat ca.pem ca-server.pem | tee bundle.pem

// Pre-generate the OCSP response
$ cfssl ocspdump -db-config db-config.json > ocspdump.txt

// Start the server
cfssl ocspserve -port=8889 -responses=ocspdump.txt

References