Creating CA using CFSSL

11/14/2023 · 2 min read

CFSSL is a utility from Cloudflare for creating and managing a CA. It has a simple and intuitive CLI that is much more convenient and easier to use than OpenSSL. I'll go straight to creating a CA and issuing the certificates an OpenVPN server needs.

CFSSL is just a binary compiled from Go sources. In the Debian 12 repositories it lives under the name golang-cfssl:

<code>
# apt install golang-cfssl
</code>

You can also download a fresh binary manually from GitHub (https://github.com/cloudflare/cfssl).

For cfssl you need to prepare configs in JSON format. This only has to be done once; there is no interactive input as in EasyRSA.

Create a simple config for the CA:

<code>
{
  "CN": "My Root CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "ca": {
    "expiry": "87600h"
  },
  "names": [
    {
      "C": "US",
      "L": "Denver",
      "O": "MCSimple Company",
      "OU": "OpenVPN",
      "ST": "Denver"
    }
  ]
}
</code>

Save it as ca-csr.json. The expiry of 87600h gives the CA a validity period of 10 years.

Generate a key for the CA:

<code>
# mkdir keys && cd keys
# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
</code>

Check that 3 files appeared:

▪️ ca-key.pem - the CA private key used to sign certificates

▪️ ca.pem - the CA certificate

▪️ ca.csr - the certificate request

Prepare the configuration of profiles that will be needed for the server and client certificates:

<code>
{
  "signing": {
    "profiles": {
      "server": {
        "expiry": "87600h",
        "usages": [
          "digital signature",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "client auth"
        ]
      }
    }
  }
}
</code>

Save it as ca.json.
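As an added check that is not part of the original article: a small Python linter for the ca.json signing profiles above. It assumes that each leaf profile should carry only its own auth usage (no "cert sign"/"crl sign") and that leaf lifetimes should stay under one year; both expectations are this example's assumptions, not CFSSL defaults.

```python
import json
import re

# What the server and client profiles of ca.json should and should not grant.
# These expectations are this example's assumption, not a CFSSL rule.
EXPECTED_USAGES = {
    "server": {"must": {"server auth"}, "forbid": {"client auth", "cert sign", "crl sign"}},
    "client": {"must": {"client auth"}, "forbid": {"server auth", "cert sign", "crl sign"}},
}
_DURATION = re.compile(r"(\d+(?:\.\d+)?)(h|m|s)")
_UNIT_HOURS = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}

def expiry_hours(expiry: str) -> float:
    """Parse a CFSSL expiry such as '87600h' or '8760h30m' into hours."""
    parts = _DURATION.findall(expiry)
    if not parts or "".join(n + u for n, u in parts) != expiry:
        raise ValueError(f"unparseable expiry: {expiry!r}")
    return sum(float(n) * _UNIT_HOURS[u] for n, u in parts)

def lint_signing_config(config: dict, max_leaf_hours: float = 8760.0) -> list:
    """Return findings for a CFSSL signing config; max_leaf_hours is this example's threshold."""
    findings = []
    profiles = config.get("signing", {}).get("profiles", {})
    for name, rules in EXPECTED_USAGES.items():
        profile = profiles.get(name)
        if profile is None:
            findings.append(f"{name}: profile missing")
            continue
        usages = set(profile.get("usages", []))
        for usage in sorted(rules["must"] - usages):
            findings.append(f"{name}: required usage {usage!r} missing")
        for usage in sorted(rules["forbid"] & usages):
            findings.append(f"{name}: usage {usage!r} must not be granted to a leaf profile")
        hours = expiry_hours(profile.get("expiry", "0h"))
        if hours > max_leaf_hours:
            findings.append(f"{name}: expiry {hours:.0f}h exceeds {max_leaf_hours:.0f}h")
    return findings

# Constructed sample: the article's ca.json as a Python dict.
PAGE_CONFIG = json.loads("""{"signing": {"profiles": {
  "server": {"expiry": "87600h", "usages": ["digital signature", "key encipherment", "server auth"]},
  "client": {"expiry": "87600h", "usages": ["signing", "client auth"]}}}}""")

if __name__ == "__main__":
    for finding in lint_signing_config(PAGE_CONFIG):
        print(finding)
```

Run against the article's config it reports only the 10-year leaf lifetimes; point it at a real ca.json with `json.load(open(path))` to lint your own profiles.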

Create a config for the certificate requests. It is the same as for the CA, but without the "ca" section:

<code>
{
  "CN": "My Root CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "Denver",
      "O": "MCSimple Company",
      "OU": "OpenVPN",
      "ST": "Denver"
    }
  ]
}
</code>

Save it as csr.json.

Issue a server certificate:

<code>
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
    -config=ca.json -profile="server" \
    -cn="openvpn.server.local" -hostname="openvpn" \
    csr.json | cfssljson -bare server
</code>

Check the 3 files:

<code>
# ls | grep server
</code>

▪️ server.csr

▪️ server-key.pem

▪️ server.pem

Issue a certificate for the client:

<code>
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
    -config=ca.json -profile="client" \
    -cn="client01" -hostname="User 01" \
    csr.json | cfssljson -bare client01
</code>

Check:

<code>
# ls | grep client01
</code>

▪️ client01.csr

▪️ client01-key.pem

▪️ client01.pem

That's all. We have set up a certification authority and issued server and client certificates. It really is more convenient and simpler than EasyRSA.