Creating and maintaining your own certificates
There are hundreds of tutorials on how to get a public certificate (usually Let's Encrypt) working for private IPs, but why do that when you can create your own CA with two simple commands?
Before continuing I have to say that we can do exactly the same thing with the openssl command; this tool just makes everything much easier.
1. Installing tools
What is Cfssl
CFSSL is CloudFlare’s PKI/TLS swiss army knife. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates. It requires Go 1.16+ to build.
For now we're just going to use the binary to create both a CA and a certificate from the command line. Of course, we could also have it running in a container answering API calls.
Cfssl
Depending on your favorite Linux distro:
dnf install cfssl
apt install cfssl
2. Setup the environment
Initialize a certificate authority
mkdir -p ~/cfssl/{ca,certs} && cd ~/cfssl
cfssl print-defaults config > ca/ca-config.json
cfssl print-defaults csr > ca/ca-csr.json
Tune the CA settings (expiry times, the different signing profiles, and so on) to your needs.
Please review both JSON files under the ca folder before proceeding.
Be generous with the expiry setting on your CA (at least 5 years).
It's always recommended to use a passphrase for your CA key file; you'll need it later when creating new certificates.
3. Generate a CA
cd ~/cfssl/ca
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
You'll get the following files:
ca-key.pem
ca.csr
ca.pem
That's it. You can now distribute your new CA (ca.pem); just install it on any device as a trusted certificate.
Never distribute the ca-key.pem file; that one is used to sign every new certificate you create.
4. Generate server certificate
Create a certificate request and edit the JSON file according to your data (the request goes under certs/, which is where the signing command in the next step expects it):
cd ~/cfssl
cfssl print-defaults csr > certs/server.json
5. Sign the certificate request and return it
Run the following command to create the certificate using the www profile:
cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca/ca-config.json -profile=www certs/server.json | cfssljson -bare server
You'll get the following files, which you can distribute to any web server or system that needs them:
server-key.pem
server.csr
server.pem
Note: certificates must be valid for 19800h (825 days) or less to be accepted by Safari: https://support.apple.com/en-us/HT210176
6. Verify the CA or certificate data
openssl x509 -in ca.pem -text -noout
openssl x509 -in server.pem -text -noout
openssl x509 -in client.pem -text -noout
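As an added example that is not part of the original post, the following script writes the three JSON files that steps 2 and 4 tell you to review (ca-config.json, ca-csr.json and the server request) with a 5-year CA, signing profiles capped at 19800h and a SAN list, and checks that no signing profile exceeds the Safari limit mentioned in step 5. The CN, organisation and host values are placeholders, and it assumes only a POSIX shell with grep and sed.

```shell
#!/bin/sh
# Added example (not from the original post): generates the cfssl JSON files
# the tutorial asks you to review, then checks the signing profiles against the
# 19800h (825 day) limit Safari enforces on server certificates.
SAFARI_MAX_HOURS=19800

# Usage: write_cfssl_configs <dir>   (creates <dir>/ca and <dir>/certs)
write_cfssl_configs() {
  mkdir -p "$1/ca" "$1/certs"
  # Signing policy: "www" is the profile the gencert command in step 5 selects.
  # The catch-all "default" gets a short expiry, so anything signed without an
  # explicit -profile is short-lived rather than silently long-lived.
  cat > "$1/ca/ca-config.json" <<EOF
{ "signing": { "default": { "expiry": "168h" },
  "profiles": {
    "www":    { "expiry": "${SAFARI_MAX_HOURS}h",
                "usages": ["signing", "key encipherment", "server auth"] },
    "client": { "expiry": "${SAFARI_MAX_HOURS}h",
                "usages": ["signing", "key encipherment", "client auth"] } } } }
EOF
  # CA request: 5-year lifetime (43800h) and a P-256 key. Placeholder names.
  cat > "$1/ca/ca-csr.json" <<EOF
{ "CN": "Home Lab Root CA", "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "O": "Home Lab", "OU": "PKI" } ], "ca": { "expiry": "43800h" } }
EOF
  # Server request: "hosts" becomes the SAN list, which browsers check instead
  # of the CN. Hostname and IP are placeholders.
  cat > "$1/certs/server.json" <<EOF
{ "CN": "nas.home.lab", "hosts": ["nas.home.lab", "192.168.1.10"],
  "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "O": "Home Lab" } ] }
EOF
}

# Usage: expiry_ok <value like 19800h>; succeeds only if it is <= SAFARI_MAX_HOURS.
expiry_ok() {
  h=${1%h}
  case $h in ''|*[!0-9]*) return 1 ;; esac
  [ "$h" -le "$SAFARI_MAX_HOURS" ]
}

# Usage: config_expiries_ok <ca-config.json>; fails if any profile exceeds the cap.
config_expiries_ok() {
  for e in $(grep -o '"expiry": *"[0-9]*h"' "$1" | sed 's/.*"\([0-9]*h\)"/\1/'); do
    expiry_ok "$e" || { echo "expiry $e exceeds ${SAFARI_MAX_HOURS}h" >&2; return 1; }
  done
}
```

After running write_cfssl_configs ~/cfssl, the gencert commands from steps 3 and 5 work unchanged on the generated files; the CA's own 43800h lifetime is not subject to the Safari limit, which applies to the server certificates it signs.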