1. Prepare the configuration files

- config.json

  This is the global configuration file. It sets the global defaults and the signing profiles.

  ```json
  {
    "signing": {
      "default": {
        "ocsp_url": "http://ocsp.example.com/ocsp",
        "crl_url": "http://crl.example.com/crl/list.crl",
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "client auth", "server auth"]
      },
      "profiles": {
        "intermediate-ca": {
          "expiry": "87600h",
          "usages": ["digital signature", "cert sign", "crl sign"],
          "ca_constraint": {
            "is_ca": true,
            "max_path_len": 0,
            "max_path_len_zero": true
          }
        },
        "server": {
          "expiry": "43800h",
          "usages": ["signing", "key encipherment", "server auth", "client auth"]
        },
        "client": {
          "expiry": "43800h",
          "usages": ["signing", "key encipherment", "client auth"]
        }
      }
    }
  }
  ```

- csr_root_ca.json

  This is the certificate configuration for the root CA. Because the root CA is self-signed, its fields cannot be taken from the signing profiles in config.json, so they have to be defined here (in the `ca` block).

  ```json
  {
    "CN": "The one true Root CA",
    "key": {
      "algo": "rsa",
      "size": 4096
    },
    "names": [
      {
        "C": "CN",
        "L": "Beijing",
        "O": "Test Corp",
        "OU": "Test Dep"
      }
    ],
    "ca": {
      "expiry": "175200h"
    }
  }
  ```

- csr_intermediate_ca.json

  Certificate configuration for the intermediate CA. Fields that are not defined here (such as the expiry) are taken from the corresponding profile in config.json.

  ```json
  {
    "CN": "Intermediate CA for XXXX",
    "key": {
      "algo": "rsa",
      "size": 4096
    },
    "names": [
      {
        "C": "CN",
        "L": "Beijing",
        "O": "Test Corp",
        "OU": "Test Dep"
      }
    ]
  }
  ```

- csr_end_entity.json

  Configuration for the end-entity certificates (server and client).

  ```json
  {
    "CN": "client",
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "L": "Beijing",
        "O": "Test Corp",
        "OU": "Test Dep"
      }
    ],
    "Hosts": []
  }
  ```

- db-config.json

  Database connection used by `cfssl sign -db-config`, so that issued certificates are recorded for CRL and OCSP generation.

  ```json
  {
    "driver": "mysql",
    "data_source": "username:password@tcp(127.0.0.1:3306)/database?parseTime=true"
  }
  ```
2. Run the cfssl commands

```bash
#!/bin/bash

# Create a self-signed certificate as the root CA
cfssl gencert -initca -config config.json -profile ca csr_root_ca.json | cfssljson -bare root_ca

# Create the intermediate CA certificate
# Set an appropriate CN in csr_intermediate_ca.json first
cfssl gencert -ca root_ca.pem -ca-key root_ca-key.pem -config config.json -profile intermediate-ca csr_intermediate_ca.json | cfssljson -bare intermediate_ca

# Create a server certificate
# Set the CN and hosts fields in csr_end_entity.json first
cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config config.json -profile server csr_end_entity.json | cfssljson -bare server1

# Create a client certificate
# Set the CN in csr_end_entity.json and leave the hosts field empty
cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config config.json -profile client csr_end_entity.json | cfssljson -bare client

## The gencert commands above can be split into two steps, genkey + sign. Only the sign step accepts
## -db-config, which writes the issued certificates to the database (the database is needed for
## generating CRL and OCSP data).
cfssl genkey -config config.json csr_end_entity.json | cfssljson -bare server
cfssl sign -config config.json -db-config db-config.json -csr server.csr -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -profile server | cfssljson -bare server
```
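As an added example (not cfssl's code and not part of the original post), the Go program below uses the standard `crypto/x509` package to issue the same hierarchy the profiles above describe and shows what the constraints buy you: `max_path_len_zero` on the intermediate makes any chain through a further sub-CA fail validation, and the client profile's key usages keep a client certificate from passing as a server certificate. It assumes P-256 keys instead of the RSA keys in the CSR files (purely for speed) and the hypothetical names `caKU`, `leafKU`, `issue`, `Build` and `Verify`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CA profiles carry "cert sign" and "crl sign" in config.json; the server and client profiles only "signing".
const caKU, leafKU = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign, x509.KeyUsageDigitalSignature
type Hierarchy struct{ Root, Intermediate, Server, Client, SubCA, SubLeaf *x509.Certificate }

// issue signs a certificate for cn valid for hours (cfssl "expiry"); a nil parent means self-signed, and
// pathLenZero encodes "max_path_len": 0 together with "max_path_len_zero": true (BasicConstraints pathlen:0).
func issue(cn string, hours int, ku x509.KeyUsage, pathLenZero bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Duration(hours) * time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, MaxPathLenZero: pathLenZero}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Build mirrors config.json (root 175200h, intermediate-ca 87600h with pathlen 0, server/client 43800h) and
// adds a further CA under the intermediate: CreateCertificate does not refuse it, so path validation must.
func Build() Hierarchy {
	root, rootKey := issue("The one true Root CA", 175200, caKU, false, nil, nil)
	ica, icaKey := issue("Intermediate CA for XXXX", 87600, caKU, true, root, rootKey)
	server, _ := issue("server1", 43800, leafKU, false, ica, icaKey, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	client, _ := issue("client", 43800, leafKU, false, ica, icaKey, x509.ExtKeyUsageClientAuth)
	sub, subKey := issue("Sub CA", 8760, caKU, false, ica, icaKey)
	leaf, _ := issue("deep-leaf", 8760, leafKU, false, sub, subKey, x509.ExtKeyUsageServerAuth)
	return Hierarchy{root, ica, server, client, sub, leaf}
}

// Verify validates leaf for one extended key usage, offering every CA below the root as an intermediate.
func (h Hierarchy) Verify(leaf *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Intermediate)
	inters.AddCert(h.SubCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

The same checks can be run against the files cfssl produced with `openssl verify -CAfile root_ca.pem -untrusted intermediate_ca.pem server1.pem` and `openssl x509 -in intermediate_ca.pem -noout -text`, where the intermediate must show `CA:TRUE, pathlen:0`.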