Install CFSSL and CFSSLJSON - CloudFlare's KPI toolkit

Written by Pim on Wednesday January 10, 2018 - Comment - Permalink
Categories: devops, howto - Tags: certificates, pki

The tools CFSSL and CFSSLJSON from CloudFlare make life a lot easier when you have to generate certificate signing requests (CSR), certificates, and keys on a regular basis, or you want to use it as a development tool to automate this for you.

The installation of the tool is pretty straightforward:

$ curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
$ curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
$ chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson

The tools are now ready-to-use!

Generating a CSR is now super easy. First, create a JSON file and save it to disk:

{
    "hosts": [
        "www.my-awesome-company.com"
    ],
    "CN": "www.my-awesome-company.com",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [{
        "C": "NL",
        "L": "Amsterdam",
        "ST": "Noord-Holland",
        "O": "My Company",
        "OU": "Operations"
    }]
}

Then, use the CFSSL and CFSSLJSON tools to generate a CSR and key:

cfssl genkey csr.json | cfssljson -bare my_awesome_company_com

Send the CSR to the CA to receive a signed certificate or sign it yourself:

cfssl selfsign www.my-awesome-company.com csr.json | cfssljson -bare my_awesome_company_com

It's also possible to create your own CA. You need a CA JSON configuration file to enable signing and a JSON file to generate the certificate and key.

ca-csr.json:

{
  "CN": "Dev CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "NL",
      "L": "Amsterdam",
      "ST": "Noord-Holland"
    }
  ]
}

And initialize the CA:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca –

Then create the ca-config.json to configure the signing and profiles:

{
  "signing": {
    "default": {
      "expiry": "168h"
    },
    "profiles": {
      "client": {
        "expiry": "43800h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}

Generate new certificates using your own CA:

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client my-cert.json | cfssljson -bare my_certificate

Done for now! Have fun generating CSR, certs, and keys using CFSSL and CFSSLJSON!