{"id":16366633,"url":"https://github.com/centminmod/cfssl-ca-ssl","last_synced_at":"2025-10-26T07:30:35.133Z","repository":{"id":55527071,"uuid":"294707558","full_name":"centminmod/cfssl-ca-ssl","owner":"centminmod","description":null,"archived":false,"fork":false,"pushed_at":"2022-05-24T18:52:17.000Z","size":304,"stargazers_count":11,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-31T16:41:56.343Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/centminmod.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-09-11T13:48:36.000Z","updated_at":"2024-12-08T01:31:01.000Z","dependencies_parsed_at":"2022-08-15T02:31:01.202Z","dependency_job_id":null,"html_url":"https://github.com/centminmod/cfssl-ca-ssl","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fcfssl-ca-ssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fcfssl-ca-ssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fcfssl-ca-ssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fcfssl-ca-ssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/centminmod","download_url":"https://codeload.github.com/centminmod/cfssl-ca-ssl/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238284727,
"owners_count":19446717,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-11T02:47:05.492Z","updated_at":"2025-10-26T07:30:29.841Z","avatar_url":"https://github.com/centminmod.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"Using [cfssl](https://github.com/cloudflare/cfssl) to generate a CA certificate/key and to sign server, client and peer self-signed SSL certificates with it. Mainly intended for [Centmin Mod LEMP stack](https://centminmod.com) installations on CentOS 7.x for creating Nginx based TLS/SSL client certificate authentication via [ssl_client_certificate](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate) and [ssl_verify_client](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client) directives using [gen-client option](#client-ssl-certificate).\n\n# cfssl-ca-ssl.sh Contents\n\n\n* [Usage](#usage)\n* [CA Certificate](#ca-certificate)\n* [Server Wildcard SSL Certificate](#server-wildcard-ssl-certificate)\n* [Server SSL Certificate](#server-ssl-certificate)\n* [Client SSL Certificate](#client-ssl-certificate)\n* [Peer Wildcard SSL Certificate](#peer-wildcard-ssl-certificate)\n* [Peer SSL Certificate](#peer-wildcard-ssl-certificate)\n* [Nginx Configuration](#nginx-configuration)\n* [Browser Client TLS Authentication](#browser-client-tls-authentication)\n* [Curl Client TLS Authentication](#curl-client-tls-authentication)\n* [Selfsigned SSL Wildcard Certificate](#selfsigned-ssl-wildcard-certificate)\n* [Create Cloudflare Origin CA 
Certificate](#create-cloudflare-origin-ca-certificate)\n* [List Cloudflare Origin CA Certificates](#list-cloudflare-origin-ca-certificates)\n\n# Usage\n\nThere are 7 options\n\n* `gen-ca` - used to generate the CA Root and CA Intermediate certificates, where the CA Intermediate is signed by the CA Root. It accepts 2 arguments. [[jump to section](#ca-certificate)]\n  * The first argument is the intended CA domain prefix label for the certificates - specifying centminmod.com names the certs `/etc/cfssl/centminmod.com-ca.pem` and `/etc/cfssl/centminmod.com-ca-intermediate.pem`, and the bundle `/etc/cfssl/centminmod.com-ca-bundle.pem`.\n  * The second argument is how long the certificate expiry is in hours i.e. 87600 hrs = 10 yrs, 43800 hrs = 5 yrs. This allows for creating multiple CA Root/CA Intermediate/CA Bundle sets grouped by domain file name.\n* `gen-server` - used to generate server self-signed SSL certificates with x509v3 Extended Key Usage = `TLS Web Server Authentication`. [[jump to section](#server-ssl-certificate)]\n  * The first argument is the CA Intermediate domain prefix label, which selects the CA Intermediate used to sign the server self-signed SSL certificate.\n  * The second argument is how long the certificate expiry is in hours i.e. 87600 hrs = 10 yrs, 43800 hrs = 5 yrs. \n  * The third argument defines a subdomain name or the special `wildcard` option, which when specified adds `*.domain.com` to the certificate SANs (Subject Alternative Name) entries. Example at [Server Wildcard SSL Certificate](#server-wildcard-ssl-certificate).\n  * The fourth argument is the intended domain name for the self-signed SSL certificate.\n  * You must have run the `gen-ca` option beforehand for this option to work, as it needs the CA Intermediate certificate to sign the server self-signed SSL certificate.\n* `gen-client` - used to generate client self-signed SSL certificates with x509v3 Extended Key Usage = `TLS Web Client Authentication`. [[jump to section](#client-ssl-certificate)].  
A full example is shown below in the [Browser Client TLS Authentication](#browser-client-tls-authentication) and [Curl Client TLS Authentication](#curl-client-tls-authentication) sections. The output also includes examples of using the generated custom client TLS certificates for [Cloudflare Authenticated Origin Pull custom apex domain client TLS certificates](#cloudflare-authenticated-origin-pull-custom-apex-domain-client-tls-certificate-upload) and [Cloudflare Authenticated Origin pull custom per hostname client TLS certificates](#cloudflare-authenticated-origin-pull-custom-hostname-domain-client-tls-certificate-upload).\n  * The first argument is the CA Intermediate domain prefix label, which selects the CA Intermediate used to sign the client self-signed SSL certificate.\n  * The second argument is how long the certificate expiry is in hours i.e. 87600 hrs = 10 yrs, 43800 hrs = 5 yrs. \n  * The third argument defines a subdomain name.\n  * The fourth argument is the intended domain name for the self-signed SSL certificate.\n  * You must have run the `gen-ca` option beforehand for this option to work, as it needs the CA Intermediate certificate to sign the client self-signed SSL certificate.\n* `gen-peer` - used to generate peer self-signed SSL certificates with x509v3 Extended Key Usage = `TLS Web Server Authentication` + `TLS Web Client Authentication`. [[jump to section](#peer-wildcard-ssl-certificate)]\n  * The first argument is the CA Intermediate domain prefix label, which selects the CA Intermediate used to sign the peer self-signed SSL certificate.\n  * The second argument is how long the certificate expiry is in hours i.e. 87600 hrs = 10 yrs, 43800 hrs = 5 yrs. \n  * The third argument defines a subdomain name or the special `wildcard` option, which when specified adds `*.domain.com` to the certificate SANs (Subject Alternative Name) entries. 
Example at [Peer Wildcard SSL Certificate](#peer-wildcard-ssl-certificate).\n  * The fourth argument is the intended domain name for the self-signed SSL certificate.\n  * You must have run the `gen-ca` option beforehand for this option to work, as it needs the CA Intermediate certificate to sign the peer self-signed SSL certificate.\n* `selfsigned` - standalone selfsigned SSL wildcard certificate generation routine. [[jump to section](#selfsigned-ssl-wildcard-certificate)]\n* `cforigin-cert-list` - allows you to list all Cloudflare Origin CA certificates you have created for your specific Cloudflare domain zone account, which are used to set up HTTPS and SSL on your origin web server for use with [Cloudflare Full Strict SSL mode](#with-cloudflare-full-strict-ssl-mode). [[jump to section](#list-cloudflare-origin-ca-certificates)]\n* `cforigin-create` - allows you to create your own Cloudflare Origin CA certificates via the Cloudflare API using your Cloudflare Zone ID and Cloudflare `X-AUTH-USER-SERVICE-KEY` credentials for setting up HTTPS and SSL on your origin web server for use with [Cloudflare Full Strict SSL mode](#with-cloudflare-full-strict-ssl-mode). 
[[jump to section](#create-cloudflare-origin-ca-certificate)]\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh\n\nUsage:\n\nGenerate CA certificate \u0026 keys\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-ca domain.com expiryhrs\n\nGenerate TLS server certificate \u0026 keys\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-server ca-domain.com expiryhrs server sitedomain.com\n\nGenerate TLS server wildcard certificate \u0026 keys\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-server ca-domain.com expiryhrs wildcard sitedomain.com\n\nGenerate TLS Client certificate \u0026 keys\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-client ca-domain.com expiryhrs client sitedomain.com\n\nGenerate TLS Peer certificate \u0026 keys\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-peer ca-domain.com expiryhrs peer sitedomain.com\n\nGenerate TLS Peer wildcard certificate \u0026 keys\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh selfsigned domain.com expiryhrs ecc|rsa\n\nCloudflare Origin CA Certificate List configured in /etc/cfssl/cfssl.ini\n./cfssl-ca-ssl.sh cforigin-cert-list\n./cfssl-ca-ssl.sh cforigin-cert-list zoneid\n\nCreate Cloudflare Origin CA Certificate\n./cfssl-ca-ssl.sh cforigin-create domain.com\n./cfssl-ca-ssl.sh cforigin-create domain.com zoneid\n```\n\n# CA Certificate\n\nGenerate CA \u0026 CA Intermediate signed certificates for centminmod.com with 87600 hrs expiry = 10yrs with:\n\n* CA certificate /etc/cfssl/centminmod.com-ca.pem\n* CA certificate private key /etc/cfssl/centminmod.com-ca-key.pem\n* CA certificate public key /etc/cfssl/centminmod.com-ca-publickey.pem\n* CA Intermediate certificate /etc/cfssl/centminmod.com-ca-intermediate.pem\n* CA Intermediate certificate private key /etc/cfssl/centminmod.com-ca-intermediate-key.pem\n* CA Intermediate certificate public key /etc/cfssl/centminmod.com-ca-intermediate-publickey.pem\n* CA Bundle certificate /etc/cfssl/centminmod.com-ca-bundle.pem\n* cleanup certs script: 
/etc/cfssl/cleanup/remove-ca-centminmod.com.sh\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-ca centminmod.com 87600\n--------------------------------------\nCA generation\n--------------------------------------\n\ncfssl gencert -initca centminmod.com-ca.csr.json | cfssljson -bare centminmod.com-ca\n\n2022/05/24 16:11:57 [INFO] generating a new CA key and certificate from CSR\n2022/05/24 16:11:57 [INFO] generate received request\n2022/05/24 16:11:57 [INFO] received CSR\n2022/05/24 16:11:57 [INFO] generating key: ecdsa-256\n2022/05/24 16:11:57 [INFO] encoded CSR\n2022/05/24 16:11:57 [INFO] signed certificate with serial number 35651131195992397763074176049994050494553241085\n\nopenssl x509 -in /etc/cfssl/centminmod.com-ca.pem -text -noout\n\nExtract CA Root certificate public key: /etc/cfssl/centminmod.com-ca-publickey.pem\nopenssl x509 -pubkey -noout -in /etc/cfssl/centminmod.com-ca.pem \u003e /etc/cfssl/centminmod.com-ca-publickey.pem\ncat /etc/cfssl/centminmod.com-ca-publickey.pem\n\n-----BEGIN PUBLIC KEY-----\nMFkxxxKoZIzj0CAQYIKoZIzj0DAQcDQgAEo9o5Iwre92nyepKbBFAXSprTNj78\nZfa5XLU+8qanijuSAca8aXmCchsrNARbKYQhnUT7F1n69Z3lz1G3h6PppQ==\n-----END PUBLIC KEY-----\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            06:3e:a6:ea:4d:a3:f8:02:4a:1e:58:ef:d1:89:4a:01:d2:c9:b5:fd\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: C=US, ST=CA, L=San Francisco, OU=Root CA, CN=Root CA\n        Validity\n            Not Before: May 24 16:07:00 2022 GMT\n            Not After : May 21 16:07:00 2032 GMT\n        Subject: C=US, ST=CA, L=San Francisco, OU=Root CA, CN=Root CA\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    04:a3:da:39:23:0a:de:f7:69:f2:7a:92:9b:04:50:\n                    17:4a:9a:d3:36:3e:fc:65:f6:b9:5c:b5:3e:f2:a6:\n                    a7:8a:3b:92:01:c6:bc:69:79:82:72:1b:2b:34:04:\n            
        5b:29:84:21:9d:44:fb:17:59:fa:f5:9d:e5:cf:51:\n                    b7:87:a3:e9:a5\n                ASN1 OID: prime256v1\n                NIST CURVE: P-256\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Certificate Sign, CRL Sign\n            X509v3 Basic Constraints: critical\n                CA:TRUE\n            X509v3 Subject Key Identifier: \n                42:xx:64:10:3A:B3:BF:87:4F:B3:E2:17:B0:DA:4C:D3:2C:BF:42:2A\n    Signature Algorithm: ecdsa-with-SHA256\n         30:44:02:20:6f:ac:43:08:ff:e8:50:ad:d3:0c:3b:ca:19:b7:\n         46:30:e6:6f:0d:7b:57:81:4d:33:9f:5d:7a:bc:b2:e7:fd:fc:\n         02:20:22:e0:c3:6d:8b:e2:3b:37:77:93:92:67:3c:9b:70:b2:\n         66:60:c3:c0:cb:e4:ce:15:95:9e:b6:7c:5f:f6:14:dc\n\nca cert: /etc/cfssl/centminmod.com-ca.pem\nca private key: /etc/cfssl/centminmod.com-ca-key.pem\nca public key: /etc/cfssl/centminmod.com-ca-publickey.pem\nca csr: /etc/cfssl/centminmod.com-ca.csr\nca csr profile: /etc/cfssl/centminmod.com-ca.csr.json\nca profile: /etc/cfssl/profile.json\n\n{\n  \"subject\": {\n    \"common_name\": \"Root CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Root CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Root CA\",\n      \"Root CA\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"Root CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Root CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Root CA\",\n      \"Root CA\"\n    ]\n  },\n  \"serial_number\": \"35651131195992397763074176049994050494553241085\",\n  \"not_before\": \"2022-05-24T16:07:00Z\",\n  \"not_after\": \"2032-05-21T16:07:00Z\",\n  \"sigalg\": \"ECDSAWithSHA256\",\n  \"authority_key_id\": \"\",\n  \"subject_key_id\": 
\"42:xx:64:10:3A:B3:BF:87:4F:B3:E2:17:B0:DA:4C:D3:2C:BF:42:2A\",\n  \"pem\": \"-----BEGIN CERTIFICATE-----\\nMIIB7zCCAZagAwIBAgIUBj6m6k2j+AJKHljv0YlKAdLJtf0wCgYIKoZIzj0EAwIw\\nVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRAwDgYDVQQLEwdSb290IENBMRAwDgYDVQQDEwdSb290IENBMB4XDTIyMDUy\\nNDE2MDcwMFoXDTMyMDUyMTE2MDcwMFowVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgT\\nAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRAwDgYDVQQLEwdSb290IENBMRAw\\nDgYDVQQDEwdSb290IENBMFkxxxKoZIzj0CAQYIKoZIzj0DAQcDQgAEo9o5Iwre\\n92nyepKbBFAXSprTNj78Zfa5XLU+8qanijuSAca8aXmCchsrNARbKYQhnUT7F1n6\\n9Z3lz1G3h6PppaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w\\nHQYDVR0OBBYEFELUZBA6s7+HT7PiF7DaTNMsv0IqMAoGCCqGSM49BAMCA0cAMEQC\\nIG+sQwj/6FCt0ww7yhm3RjDmbw17V4FNM59deryy5/38AiAi4MNti+I7N3eTkmc8\\nm3CyZmDDwMvkzhWVnrZ8X/YU3A==\\n-----END CERTIFICATE-----\\n\"\n}\n\n--------------------------------------\nCA Intermediate generation\n--------------------------------------\n\ncfssl gencert -initca centminmod.com-ca-intermediate.csr.json | cfssljson -bare centminmod.com-ca-intermediate\n\n2022/05/24 16:11:57 [INFO] generating a new CA key and certificate from CSR\n2022/05/24 16:11:57 [INFO] generate received request\n2022/05/24 16:11:57 [INFO] received CSR\n2022/05/24 16:11:57 [INFO] generating key: ecdsa-256\n2022/05/24 16:11:57 [INFO] encoded CSR\n2022/05/24 16:11:57 [INFO] signed certificate with serial number 310941443649610619220709820661281448885533827331\n\ncfssl sign -ca /etc/cfssl/centminmod.com-ca.pem -ca-key /etc/cfssl/centminmod.com-ca-key.pem -config /etc/cfssl/profile.json -profile intermediate_ca centminmod.comca-intermediate.csr | cfssljson -bare centminmod.com-ca-intermediate\n2022/05/24 16:11:57 [INFO] signed certificate with serial number 607572148517706135605174118526259042263255209665\n\nopenssl x509 -in centminmod.com-ca-intermediate.pem -text -noout\n\nExtract CA Intermediate certificate public key: /etc/cfssl/centminmod.com-ca-intermediate-publickey.pem\nopenssl x509 -pubkey 
-noout -in /etc/cfssl/centminmod.com-ca-intermediate.pem \u003e /etc/cfssl/centminmod.com-ca-intermediate-publickey.pem\ncat /etc/cfssl/centminmod.com-ca-intermediate-publickey.pem\n\n-----BEGIN PUBLIC KEY-----\nMFkxxxKoZIzj0CAQYIKoZIzj0DAQcDQgAET3aFypl4XFyNr2Hc+SJpbwbdkzpB\n1fZeBGaDMvi/taliCH22hJIfHDLIP0RCaU5e+/mvxDFiDfXSUDt4TXdW/Q==\n-----END PUBLIC KEY-----\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            6a:6c:7a:36:bf:b1:eb:01:e8:c8:24:18:55:bb:ba:c6:e6:5b:d6:c1\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: C=US, ST=CA, L=San Francisco, OU=Root CA, CN=Root CA\n        Validity\n            Not Before: May 24 16:07:00 2022 GMT\n            Not After : May 21 16:07:00 2032 GMT\n        Subject: C=US, ST=CA, L=San Francisco, OU=Intermediate CA, CN=Intermediate CA\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    04:4f:76:85:ca:99:78:5c:5c:8d:af:61:dc:f9:22:\n                    69:6f:xx:dd:93:3a:41:d5:f6:5e:04:66:83:32:f8:\n                    bf:b5:a9:62:08:7d:b6:84:92:1f:1c:32:c8:3f:44:\n                    42:69:4e:5e:fb:f9:af:c4:31:62:0d:f5:d2:50:3b:\n                    78:4d:77:56:fd\n                ASN1 OID: prime256v1\n                NIST CURVE: P-256\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign\n            X509v3 Extended Key Usage: \n                TLS Web Server Authentication, TLS Web Client Authentication\n            X509v3 Basic Constraints: critical\n                CA:TRUE, pathlen:0\n            X509v3 Subject Key Identifier: \n                06:xx:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\n            X509v3 Authority Key Identifier: \n                keyid:42:xx:64:10:3A:B3:BF:87:4F:B3:E2:17:B0:DA:4C:D3:2C:BF:42:2A\n\n    Signature Algorithm: 
ecdsa-with-SHA256\n         30:45:02:20:69:4c:8c:b7:e9:65:6d:ec:11:29:c1:dc:d4:bb:\n         10:9d:1b:fd:2c:42:5a:2c:be:2b:85:f4:db:44:c3:01:be:c8:\n         02:21:00:b5:f7:40:4d:2d:c9:7e:d4:39:50:9a:b5:41:be:9f:\n         fe:5d:33:2c:07:b0:0b:0a:a7:80:4e:a1:35:c0:71:20:e3\n\nca intermediate cert: /etc/cfssl/centminmod.com-ca-intermediate.pem\nca intermediate private key: /etc/cfssl/centminmod.com-ca-intermediate-key.pem\nca intermediate public key: /etc/cfssl/centminmod.com-ca-intermediate-publickey.pem\nca intermediate csr: /etc/cfssl/centminmod.com-ca-intermediate.csr\nca intermediate csr profile: /etc/cfssl/centminmod.com-ca-intermediate.csr.json\nca intermediate profile: /etc/cfssl/profile.json\n\n{\n  \"subject\": {\n    \"common_name\": \"Intermediate CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Intermediate CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Intermediate CA\",\n      \"Intermediate CA\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"Root CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Root CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Root CA\",\n      \"Root CA\"\n    ]\n  },\n  \"serial_number\": \"607572148517706135605174118526259042263255209665\",\n  \"not_before\": \"2022-05-24T16:07:00Z\",\n  \"not_after\": \"2032-05-21T16:07:00Z\",\n  \"sigalg\": \"ECDSAWithSHA256\",\n  \"authority_key_id\": \"42:xx:64:10:3A:B3:BF:87:4F:B3:E2:17:B0:DA:4C:D3:2C:BF:42:2A\",\n  \"subject_key_id\": \"06:xx:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\",\n  \"pem\": \"-----BEGIN 
CERTIFICATE-----\\nMIIxxxCCAeugAwIBAgIUamx6Nr+x6wHoyCQYVbu6xuZb1sEwCgYIKoZIzj0EAwIw\\nVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRAwDgYDVQQLEwdSb290IENBMRAwDgYDVQQDEwdSb290IENBMB4XDTIyMDUy\\nNDE2MDcwMFoXDTMyMDUyMTE2MDcwMFowZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgT\\nAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlh\\ndGUgQ0ExGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqG\\nSM49AwEHA0IABE92hcqZeFxcja9h3PkiaW8G3ZM6QdX2XgRmgzL4v7WpYgh9toSS\\nHxwyyD9EQmlOXvv5r8QxYg310lA7eE13Vv2jgYYwgYMwDgYDVR0PAQH/BAQDAgGm\\nMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/\\nAgEAMB0GA1UdDgQWBBQGaefF8v06LjDXH31/ud6bUrnUdzAfBgNVHSMEGDAWgBRC\\n1GQQOrO/h0+z4hew2kzTLL9CKjAKBggqhkjOPQQDAgNIADBFAiBpTIy36WVt7BEp\\nwdzUuxCdG/0sQlosviuF9NtEwwG+yAIhALX3QE0tyX7UOVCatUG+n/5dMywHsAsK\\np4BOoTXAcSDj\\n-----END CERTIFICATE-----\\n\"\n}\n\nCA Bundle generated: /etc/cfssl/centminmod.com-ca-bundle.pem\n\ncat /etc/cfssl/centminmod.com-ca.pem /etc/cfssl/centminmod.com-ca-intermediate.pem \u003e /etc/cfssl/centminmod.com-ca-bundle.pem\n\nCleanup script created: /etc/cfssl/cleanup/remove-ca-centminmod.com.sh\nTo clean up run: bash /etc/cfssl/cleanup/remove-ca-centminmod.com.sh\n```\n\n# Server Wildcard SSL Certificate\n\nGenerate self-signed server wildcard SSL certificate with CA signing for centminmod.com with `TLS Web Server Authentication` using `wildcard` option.\n\n* server cert: /etc/cfssl/servercerts/centminmod.com.pem\n* server private key: /etc/cfssl/servercerts/centminmod.com-key.pem\n* server public key: /etc/cfssl/servercerts/centminmod.com-publickey.pem\n* server csr: /etc/cfssl/servercerts/centminmod.com.csr\n* server csr profile: /etc/cfssl/servercerts/centminmod.com.csr.json\n* cleanup certs script: /etc/cfssl/cleanup/remove-servercert-centminmod.com.sh\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-server centminmod.com 87600 wildcard centminmod.com\n\ncfssl gencert -config /etc/cfssl/profile.json -profile server -ca 
/etc/cfssl/centminmod.com-ca-intermediate.pem -ca-key /etc/cfssl/centminmod.com-ca-intermediate-key.pem centminmod.com.csr.json \u003e centminmod.com.json\n2022/05/24 16:18:47 [INFO] generate received request\n2022/05/24 16:18:47 [INFO] received CSR\n2022/05/24 16:18:47 [INFO] generating key: ecdsa-256\n2022/05/24 16:18:47 [INFO] encoded CSR\n2022/05/24 16:18:47 [INFO] signed certificate with serial number 111006835185520546510962729424954801507256110809\n\ncfssljson -f centminmod.com.json -bare centminmod.com\n\nExtract server certificate public key: /etc/cfssl/servercerts/centminmod.com-publickey.pem\nopenssl x509 -pubkey -noout -in /etc/cfssl/servercerts/centminmod.com.pem \u003e /etc/cfssl/servercerts/centminmod.com-publickey.pem\ncat /etc/cfssl/servercerts/centminmod.com-publickey.pem\n\n-----BEGIN PUBLIC KEY-----\nMFkwEwxxxxZIzj0CAQYIKoZIzj0DAQcDQgAEBcfb3+p1agsC8vcu5dh80j9XdxYB\nPFjWYvZH4IYko6cRZacaRwv6LkwYwbbUflyc+ZIGlCpjZjsADNi2RAtQvw==\n-----END PUBLIC KEY-----\n\n\nopenssl x509 -in /etc/cfssl/servercerts/centminmod.com.pem -text -noout\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            13:71:xx:f9:28:79:43:a4:62:d2:b8:fd:07:ae:4b:37:64:42:0e:d9\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: C=US, ST=CA, L=San Francisco, OU=Intermediate CA, CN=Intermediate CA\n        Validity\n            Not Before: May 24 16:14:00 2022 GMT\n            Not After : May 21 16:14:00 2032 GMT\n        Subject: C=US, ST=CA, L=San Francisco, CN=centminmod.com\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    04:05:c7:db:df:ea:75:6a:0b:02:f2:f7:2e:e5:d8:\n                    7c:xx:3f:57:77:16:01:3c:58:d6:62:f6:47:e0:86:\n                    24:a3:a7:11:65:a7:1a:47:0b:fa:2e:4c:18:c1:b6:\n                    d4:7e:5c:9c:f9:92:06:94:2a:63:66:3b:00:0c:d8:\n                    b6:44:0b:50:bf\n                ASN1 
OID: prime256v1\n                NIST CURVE: P-256\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Digital Signature, Key Encipherment\n            X509v3 Extended Key Usage: \n                TLS Web Server Authentication\n            X509v3 Basic Constraints: critical\n                CA:FALSE\n            X509v3 Subject Key Identifier: \n                31:8A:xx:31:33:11:6F:3F:CE:89:FC:8A:8C:F6:B5:26:5C:E4:26:05\n            X509v3 Authority Key Identifier: \n                keyid:06:69:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\n\n            X509v3 Subject Alternative Name: \n                DNS:centminmod.com, DNS:*.centminmod.com\n    Signature Algorithm: ecdsa-with-SHA256\n         30:45:02:21:00:ed:d8:70:f9:a8:f0:6f:73:ab:be:3f:55:6f:\n         ea:1b:cc:c4:c5:69:fd:f6:fe:ad:42:68:71:db:1d:64:9d:2a:\n         0d:02:20:69:da:d8:91:e1:40:e4:8b:75:8c:fb:97:ff:0c:cf:\n         46:66:76:8f:e0:4f:39:1f:3a:31:40:52:be:23:27:cb:3e\n\nserver cert: /etc/cfssl/servercerts/centminmod.com.pem\nserver private key: /etc/cfssl/servercerts/centminmod.com-key.pem\nserver public key: /etc/cfssl/servercerts/centminmod.com-publickey.pem\nserver csr: /etc/cfssl/servercerts/centminmod.com.csr\nserver csr profile: /etc/cfssl/servercerts/centminmod.com.csr.json\n\nNginx SSL configuration paramaters:\nssl_certificate      /etc/cfssl/servercerts/centminmod.com.pem;\nssl_certificate_key  /etc/cfssl/servercerts/centminmod.com-key.pem;\n\n{\n  \"subject\": {\n    \"common_name\": \"centminmod.com\",\n    \"country\": \"US\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"centminmod.com\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"Intermediate CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Intermediate CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      
\"CA\",\n      \"San Francisco\",\n      \"Intermediate CA\",\n      \"Intermediate CA\"\n    ]\n  },\n  \"serial_number\": \"111006835185520546510962729424954801507256110809\",\n  \"sans\": [\n    \"centminmod.com\",\n    \"*.centminmod.com\"\n  ],\n  \"not_before\": \"2022-05-24T16:14:00Z\",\n  \"not_after\": \"2032-05-21T16:14:00Z\",\n  \"sigalg\": \"ECDSAWithSHA256\",\n  \"authority_key_id\": \"06:69:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\",\n  \"subject_key_id\": \"31:8A:xx:31:33:11:6F:3F:CE:89:FC:8A:8C:F6:B5:26:5C:E4:26:05\",\n  \"pem\": \"-----BEGIN CERTIFICATE-----\\nMIICTxxxAfSgAwIBAgIUE3G3+Sh5Q6Ri0rj9B65LN2RCDtkwCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNjE0MDBaFw0zMjA1MjExNjE0MDBaMEgxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIG\\nA1UEAxMLY2VudG1pbi5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFx9vf\\n6nVqCwLy9y7l2HzSP1d3FgE8WNZi9kfghiSjpxFlpxpHC/ouTBjBttR+XJz5kgaU\\nKmNmOwAM2LZEC1C/o4GdMIGaMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr\\nBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQxiocxMxFvP86J/IqM9rUm\\nXOQmBTAfBgNVHSMEGDAWgBQGaefF8v06LjDXH31/ud6bUrnUdzAlBgNVHREEHjAc\\nggtjZW50bWluLmRldoINKi5jZW50bWluLmRldjAKBggqhkjOPQQDAgNIADBFAiEA\\n7dhw+ajwb3Orvj9Vb+obzMTFaf32/q1CaHHbHWSdKg0CIGna2JHhQOSLdYz7l/8M\\nz0Zmdo/gTzkfOjFAUr4jJ8s+\\n-----END CERTIFICATE-----\\n\"\n}\n\nverify certificate\n\nopenssl verify -CAfile /etc/cfssl/centminmod.com-ca-bundle.pem /etc/cfssl/servercerts/centminmod.com.pem\n/etc/cfssl/servercerts/centminmod.com.pem: OK\n\nCleanup script created: /etc/cfssl/cleanup/remove-servercert-centminmod.com.sh\nTo clean up run: bash /etc/cfssl/cleanup/remove-servercert-centminmod.com.sh\n```\n\n# Server SSL Certificate\n\nGenerate self-signed server SSL certificate with CA signing for centminmod.com with `TLS Web Server Authentication`\n\n* server cert: 
/etc/cfssl/servercerts/centminmod.com.pem\n* server private key: /etc/cfssl/servercerts/centminmod.com-key.pem\n* server public key: /etc/cfssl/servercerts/centminmod.com-publickey.pem\n* server csr: /etc/cfssl/servercerts/centminmod.com.csr\n* server csr profile: /etc/cfssl/servercerts/centminmod.com.csr.json\n* cleanup certs script: /etc/cfssl/cleanup/remove-servercert-centminmod.com.sh\n\ndomain with www subdomain inclusion tag `www centminmod.com` on end\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-server centminmod.com 87600 www centminmod.com\n\ncfssl gencert -config /etc/cfssl/profile.json -profile server -ca /etc/cfssl/centminmod.com-ca-intermediate.pem -ca-key /etc/cfssl/centminmod.com-ca-intermediate-key.pem centminmod.com.csr.json \u003e centminmod.com.json\n2022/05/24 16:27:48 [INFO] generate received request\n2022/05/24 16:27:48 [INFO] received CSR\n2022/05/24 16:27:48 [INFO] generating key: ecdsa-256\n2022/05/24 16:27:48 [INFO] encoded CSR\n2022/05/24 16:27:48 [INFO] signed certificate with serial number 397208991870665559551094003120075055800797186423\n\ncfssljson -f centminmod.com.json -bare centminmod.com\n\nExtract server certificate public key: /etc/cfssl/servercerts/centminmod.com-publickey.pem\nopenssl x509 -pubkey -noout -in /etc/cfssl/servercerts/centminmod.com.pem \u003e /etc/cfssl/servercerts/centminmod.com-publickey.pem\ncat /etc/cfssl/servercerts/centminmod.com-publickey.pem\n\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoxxxj0CAQYIKoxxxj0DAQcDQgAEW9uOWWGDII4IjaVqajTIDxNUaEuv\n64eAsDtkJ9LxbVpr0QQSu+7cH/kXsl+toxsMz2ykGG+pYCMktqmq7GgudA==\n-----END PUBLIC KEY-----\n\n\nopenssl x509 -in /etc/cfssl/servercerts/centminmod.com.pem -text -noout\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            45:93:77:9b:19:76:18:0a:dc:d6:d5:86:9d:0d:60:16:b1:99:49:77\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: C=US, ST=CA, L=San Francisco, OU=Intermediate CA, CN=Intermediate CA\n        Validity\n       
     Not Before: May 24 16:23:00 2022 GMT\n            Not After : May 21 16:23:00 2032 GMT\n        Subject: C=US, ST=CA, L=San Francisco, CN=centminmod.com\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    04:5b:xx:8e:59:61:83:20:8e:08:8d:a5:6a:6a:34:\n                    c8:0f:13:54:68:4b:af:eb:87:80:b0:3b:64:27:d2:\n                    f1:6d:5a:6b:d1:04:12:bb:ee:dc:1f:f9:17:b2:5f:\n                    ad:a3:1b:0c:cf:6c:a4:18:6f:a9:60:23:24:b6:a9:\n                    aa:ec:68:2e:74\n                ASN1 OID: prime256v1\n                NIST CURVE: P-256\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Digital Signature, Key Encipherment\n            X509v3 Extended Key Usage: \n                TLS Web Server Authentication\n            X509v3 Basic Constraints: critical\n                CA:FALSE\n            X509v3 Subject Key Identifier: \n                5E:xx:CA:1F:26:72:18:75:3E:6F:AD:F3:D9:79:AA:FE:58:C6:3A:54\n            X509v3 Authority Key Identifier: \n                keyid:06:69:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\n\n            X509v3 Subject Alternative Name: \n                DNS:centminmod.com, DNS:www.centminmod.com\n    Signature Algorithm: ecdsa-with-SHA256\n         30:45:02:20:3d:79:d1:ab:6b:7e:e3:b8:4a:09:8a:21:74:bf:\n         47:38:60:db:25:83:92:55:0a:18:41:c1:14:0f:9b:00:34:11:\n         02:21:00:e7:5e:f3:12:2f:af:65:09:a6:1f:2b:bf:8e:e3:1b:\n         67:e2:3c:d3:45:07:f8:7d:f5:b6:69:f4:c2:a4:a0:ab:98\n\nserver cert: /etc/cfssl/servercerts/centminmod.com.pem\nserver private key: /etc/cfssl/servercerts/centminmod.com-key.pem\nserver public key: /etc/cfssl/servercerts/centminmod.com-publickey.pem\nserver csr: /etc/cfssl/servercerts/centminmod.com.csr\nserver csr profile: /etc/cfssl/servercerts/centminmod.com.csr.json\n\nNginx SSL configuration 
paramaters:\nssl_certificate      /etc/cfssl/servercerts/centminmod.com.pem;\nssl_certificate_key  /etc/cfssl/servercerts/centminmod.com-key.pem;\n\n{\n  \"subject\": {\n    \"common_name\": \"centminmod.com\",\n    \"country\": \"US\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"centminmod.com\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"Intermediate CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Intermediate CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Intermediate CA\",\n      \"Intermediate CA\"\n    ]\n  },\n  \"serial_number\": \"397208991870665559551094003120075055800797186423\",\n  \"sans\": [\n    \"centminmod.com\",\n    \"www.centminmod.com\"\n  ],\n  \"not_before\": \"2022-05-24T16:23:00Z\",\n  \"not_after\": \"2032-05-21T16:23:00Z\",\n  \"sigalg\": \"ECDSAWithSHA256\",\n  \"authority_key_id\": \"06:69:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\",\n  \"subject_key_id\": \"5E:xx:CA:1F:26:72:18:75:3E:6F:AD:F3:D9:79:AA:FE:58:C6:3A:54\",\n  \"pem\": \"-----BEGIN 
CERTIFICATE-----\\nMIICUDxxxxxxagAwIBAgIURZN3mxl2GArc1tWGnQ1gFrGZSXcwCgYIKoxxxj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNjIzMDBaFw0zMjA1MjExNjIzMDBaMEgxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIG\\nA1UEAxMLY2VudG1pbi5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARb245Z\\nYYMgjgiNpWpqNMgPE1RoS6/rh4CwO2Qn0vFtWmvRBBK77twf+ReyX62jGwzPbKQY\\nb6lgIyS2qarsaC50o4GfMIGcMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr\\nBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRefsofJnIYdT5vrfPZear+\\nWMY6VDAfBgNVHSMEGDAWgBQGaefF8v06LjDXH31/ud6bUrnUdzAnBgNVHREEIDAe\\nggtjZW50bWluLmRldoIPd3d3LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUC\\nID150atrfuO4SgmKIXS/Rzhg2yWDklUKGEHBFA+bADQRAiEA517zEi+vZQmmHyu/\\njuMbZ+I800UH+H31tmn0wqSgq5g=\\n-----END CERTIFICATE-----\\n\"\n}\n\nverify certificate\n\nopenssl verify -CAfile /etc/cfssl/centminmod.com-ca-bundle.pem /etc/cfssl/servercerts/centminmod.com.pem\n/etc/cfssl/servercerts/centminmod.com.pem: OK\n\nCleanup script created: /etc/cfssl/cleanup/remove-servercert-centminmod.com.sh\nTo clean up run: bash /etc/cfssl/cleanup/remove-servercert-centminmod.com.sh\n```\n\ndomain without `www` inclusion\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-server centminmod.com 87600\n\ncfssl gencert -config /etc/cfssl/profile.json -profile server -cn centminmod.com -hostname centminmod.com -ca /etc/cfssl/centminmod.com-ca-intermediate.pem -ca-key /etc/cfssl/centminmod.comca-intermediate-key.pem centminmod.com.csr.json \u003e centminmod.com.json\n2020/09/15 04:48:08 [INFO] generate received request\n2020/09/15 04:48:08 [INFO] received CSR\n2020/09/15 04:48:08 [INFO] generating key: ecdsa-256\n2020/09/15 04:48:08 [INFO] encoded CSR\n2020/09/15 04:48:08 [INFO] signed certificate with serial number 140820043231818578684879409252138385441644214993\n\ncfssljson -f centminmod.com.json -bare centminmod.com\n\nExtract server 
certificate public key: /etc/cfssl/servercerts/centminmod.com-publickey.pem\nopenssl x509 -pubkey -noout -in /etc/cfssl/servercerts/centminmod.com.pem \u003e /etc/cfssl/servercerts/centminmod.com-publickey.pem\ncat /etc/cfssl/servercerts/centminmod.com-publickey.pem\n\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdnfzFkpww6jbVdafUN0p9RjNXm1Q\nj1bxQhjZDiOOAb1MqnihBxBSuPY2AgXS4mUr6QBqeXtZHqB0rCN/aFFELA==\n-----END PUBLIC KEY-----\n\n\nopenssl x509 -in /etc/cfssl/servercerts/centminmod.com.pem -text -noout\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            18:aa:96:d1:40:fe:73:4c:51:e0:96:00:40:74:55:3d:16:59:fa:d1\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: C=US, ST=CA, L=San Francisco, OU=Intermediate CA, CN=Intermediate CA\n        Validity\n            Not Before: Sep 15 04:43:00 2020 GMT\n            Not After : Sep 13 04:43:00 2030 GMT\n        Subject: C=US, ST=CA, L=San Francisco, CN=centminmod.com\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    04:76:77:f3:16:4a:70:c3:a8:db:55:d6:9f:50:dd:\n                    29:f5:18:cd:5e:6d:50:8f:56:f1:42:18:d9:0e:23:\n                    8e:01:bd:4c:aa:78:a1:07:10:52:b8:f6:36:02:05:\n                    d2:e2:65:2b:e9:00:6a:79:7b:59:1e:a0:74:ac:23:\n                    7f:68:51:44:2c\n                ASN1 OID: prime256v1\n                NIST CURVE: P-256\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Digital Signature, Key Encipherment\n            X509v3 Extended Key Usage: \n                TLS Web Server Authentication\n            X509v3 Basic Constraints: critical\n                CA:FALSE\n            X509v3 Subject Key Identifier: \n                39:A5:43:03:AF:E7:37:8A:2C:FB:99:53:34:7F:23:ED:C5:48:C1:93\n            X509v3 Authority Key Identifier: \n                
keyid:81:69:15:57:BD:6C:FE:E4:88:3D:AA:89:FB:30:8A:02:52:B6:30:E8\n\n            X509v3 Subject Alternative Name: \n                DNS:centminmod.com\n    Signature Algorithm: ecdsa-with-SHA256\n         30:45:02:20:6f:5c:85:08:46:b9:04:b8:fb:81:28:06:3f:10:\n         65:99:cb:fe:38:c4:20:d7:be:33:c2:ad:3e:da:a3:75:65:06:\n         02:21:00:b8:f9:d5:5e:9a:1a:38:b4:04:1a:93:c7:18:3b:fe:\n         4f:8e:82:43:b1:78:ab:c1:23:9a:e2:ad:66:db:06:e6:da\n\nserver cert: /etc/cfssl/servercerts/centminmod.com.pem\nserver private key: /etc/cfssl/servercerts/centminmod.com-key.pem\nserver public key: /etc/cfssl/servercerts/centminmod.com-publickey.pem\nserver csr: /etc/cfssl/servercerts/centminmod.com.csr\nserver csr profile: /etc/cfssl/servercerts/centminmod.com.csr.json\n\nNginx SSL configuration paramaters:\nssl_certificate      /etc/cfssl/servercerts/centminmod.com.pem;\nssl_certificate_key  /etc/cfssl/servercerts/centminmod.com-key.pem;\n\n{\n  \"subject\": {\n    \"common_name\": \"centminmod.com\",\n    \"country\": \"US\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"centminmod.com\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"Intermediate CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Intermediate CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Intermediate CA\",\n      \"Intermediate CA\"\n    ]\n  },\n  \"serial_number\": \"140820043231818578684879409252138385441644214993\",\n  \"sans\": [\n    \"centminmod.com\"\n  ],\n  \"not_before\": \"2020-09-15T04:43:00Z\",\n  \"not_after\": \"2030-09-13T04:43:00Z\",\n  \"sigalg\": \"ECDSAWithSHA256\",\n  \"authority_key_id\": \"81:69:15:57:BD:6C:FE:E4:88:3D:AA:89:FB:30:8A:02:52:B6:30:E8\",\n  \"subject_key_id\": \"39:A5:43:03:AF:E7:37:8A:2C:FB:99:53:34:7F:23:ED:C5:48:C1:93\",\n  \"pem\": 
\"-----BEGIN CERTIFICATE-----\\nMIICRTCCAeugAwIBAgIUGKqW0UD+c0xR4JYAQHRVPRZZ+tEwCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMDA5MTUwNDQzMDBaFw0zMDA5MTMwNDQzMDBaMEsxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEXMBUG\\nA1UEAxMOY2VudG1pbm1vZC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR2\\nd/MWSnDDqNtV1p9Q3Sn1GM1ebVCPVvFCGNkOI44BvUyqeKEHEFK49jYCBdLiZSvp\\nAGp5e1keoHSsI39oUUQso4GRMIGOMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAK\\nBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ5pUMDr+c3iiz7mVM0\\nfyPtxUjBkzAfBgNVHSMEGDAWgBSBaRVXvWz+5Ig9qon7MIoCUrYw6DAZBgNVHREE\\nEjAQgg5jZW50bWlubW9kLmNvbTAKBggqhkjOPQQDAgNIADBFAiBvXIUIRrkEuPuB\\nKAY/EGWZy/44xCDXvjPCrT7ao3VlBgIhALj51V6aGji0BBqTxxg7/k+OgkOxeKvB\\nI5rirWbbBuba\\n-----END CERTIFICATE-----\\n\"\n}\n\nverify certificate\n\nopenssl verify -CAfile /etc/cfssl/centminmod.com-ca-bundle.pem /etc/cfssl/servercerts/centminmod.com.pem\n/etc/cfssl/servercerts/centminmod.com.pem: OK\n\nCleanup script created: /etc/cfssl/cleanup/remove-servercert-centminmod.com.sh\nTo clean up run: bash /etc/cfssl/cleanup/remove-servercert-centminmod.com.sh\n```\n\nGenerate self-signed server SSL certificate with CA signing for server.centminmod.com subdomain with `TLS Web Server Authentication`\n\n* server cert: /etc/cfssl/servercerts/server.centminmod.com.pem\n* server private key: /etc/cfssl/servercerts/server.centminmod.com-key.pem\n* server public key: /etc/cfssl/servercerts/server.centminmod.com-publickey.pem\n* server csr: /etc/cfssl/servercerts/server.centminmod.com.csr\n* server csr profile: /etc/cfssl/servercerts/server.centminmod.com.csr.json\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-server centminmod.com 87600 server centminmod.com\n\ncfssl gencert -config /etc/cfssl/profile.json -profile server -cn server.centminmod.com -hostname server.centminmod.com -ca 
/etc/cfssl/centminmod.com-ca-intermediate.pem -ca-key /etc/cfssl/centminmod.comca-intermediate-key.pem server.centminmod.com.csr.json \u003e server.centminmod.com.json\n2020/09/15 04:47:35 [INFO] generate received request\n2020/09/15 04:47:35 [INFO] received CSR\n2020/09/15 04:47:35 [INFO] generating key: ecdsa-256\n2020/09/15 04:47:35 [INFO] encoded CSR\n2020/09/15 04:47:35 [INFO] signed certificate with serial number 419336425360932331656433753806248196894946015966\n\ncfssljson -f server.centminmod.com.json -bare server.centminmod.com\n\nExtract server certificate public key: /etc/cfssl/servercerts/server.centminmod.com-publickey.pem\nopenssl x509 -pubkey -noout -in /etc/cfssl/servercerts/server.centminmod.com.pem \u003e /etc/cfssl/servercerts/server.centminmod.com-publickey.pem\ncat /etc/cfssl/servercerts/server.centminmod.com-publickey.pem\n\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkzCCqNjIXot2hdJ1o0NkLRQPFfbx\nVUQ68o9nuwyouAe5WaPqBsQvOwz5We1m8vCnCzwQPzZ5uWu63orIcj0Deg==\n-----END PUBLIC KEY-----\n\n\nopenssl x509 -in /etc/cfssl/servercerts/server.centminmod.com.pem -text -noout\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            49:73:b2:15:c3:b4:44:b3:cf:90:45:1f:fc:94:d3:b0:38:14:ba:de\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: C=US, ST=CA, L=San Francisco, OU=Intermediate CA, CN=Intermediate CA\n        Validity\n            Not Before: Sep 15 04:43:00 2020 GMT\n            Not After : Sep 13 04:43:00 2030 GMT\n        Subject: C=US, ST=CA, L=San Francisco, CN=server.centminmod.com\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    04:93:30:82:a8:d8:c8:5e:8b:76:85:d2:75:a3:43:\n                    64:2d:14:0f:15:f6:f1:55:44:3a:f2:8f:67:bb:0c:\n                    a8:b8:07:b9:59:a3:ea:06:c4:2f:3b:0c:f9:59:ed:\n                    
66:f2:f0:a7:0b:3c:10:3f:36:79:b9:6b:ba:de:8a:\n                    c8:72:3d:03:7a\n                ASN1 OID: prime256v1\n                NIST CURVE: P-256\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Digital Signature, Key Encipherment\n            X509v3 Extended Key Usage: \n                TLS Web Server Authentication\n            X509v3 Basic Constraints: critical\n                CA:FALSE\n            X509v3 Subject Key Identifier: \n                4F:50:0B:DB:AC:B4:E6:60:AA:95:4B:9D:50:DB:61:15:AF:31:B8:B0\n            X509v3 Authority Key Identifier: \n                keyid:81:69:15:57:BD:6C:FE:E4:88:3D:AA:89:FB:30:8A:02:52:B6:30:E8\n\n            X509v3 Subject Alternative Name: \n                DNS:server.centminmod.com\n    Signature Algorithm: ecdsa-with-SHA256\n         30:46:02:21:00:b0:94:9e:7b:03:bb:18:a7:f8:d6:40:4c:9d:\n         46:c2:55:8d:51:12:d3:f5:37:9f:9d:62:76:9e:49:34:56:5b:\n         6d:02:21:00:e0:3c:0d:40:e0:05:1b:53:34:f4:30:5e:17:7e:\n         92:2b:b2:b7:f2:31:65:1b:8f:38:33:97:0f:a1:5e:cd:18:ba\n\nserver cert: /etc/cfssl/servercerts/server.centminmod.com.pem\nserver private key: /etc/cfssl/servercerts/server.centminmod.com-key.pem\nserver public key: /etc/cfssl/servercerts/server.centminmod.com-publickey.pem\nserver csr: /etc/cfssl/servercerts/server.centminmod.com.csr\nserver csr profile: /etc/cfssl/servercerts/server.centminmod.com.csr.json\n\nNginx SSL configuration paramaters:\nssl_certificate      /etc/cfssl/servercerts/server.centminmod.com.pem;\nssl_certificate_key  /etc/cfssl/servercerts/server.centminmod.com-key.pem;\n\n{\n  \"subject\": {\n    \"common_name\": \"server.centminmod.com\",\n    \"country\": \"US\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"server.centminmod.com\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"Intermediate CA\",\n    \"country\": \"US\",\n   
 \"organizational_unit\": \"Intermediate CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Intermediate CA\",\n      \"Intermediate CA\"\n    ]\n  },\n  \"serial_number\": \"419336425360932331656433753806248196894946015966\",\n  \"sans\": [\n    \"server.centminmod.com\"\n  ],\n  \"not_before\": \"2020-09-15T04:43:00Z\",\n  \"not_after\": \"2030-09-13T04:43:00Z\",\n  \"sigalg\": \"ECDSAWithSHA256\",\n  \"authority_key_id\": \"81:69:15:57:BD:6C:FE:E4:88:3D:AA:89:FB:30:8A:02:52:B6:30:E8\",\n  \"subject_key_id\": \"4F:50:0B:DB:AC:B4:E6:60:AA:95:4B:9D:50:DB:61:15:AF:31:B8:B0\",\n  \"pem\": \"-----BEGIN CERTIFICATE-----\\nMIICVDxxxxxxmgAwIBAgIUSXOyFcO0RLPPkEUf/JTTsDgUut4wCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMDA5MTUwNDQzMDBaFw0zMDA5MTMwNDQzMDBaMFIxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEeMBwG\\nA1UEAxMVc2VydmVyLmNlbnRtaW5tb2QuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D\\nAQcDQgAEkzCCqNjIXot2hdJ1o0NkLRQPFfbxVUQ68o9nuwyouAe5WaPqBsQvOwz5\\nWe1m8vCnCzwQPzZ5uWu63orIcj0DeqOBmDCBlTAOBgNVHQ8BAf8EBAMCBaAwEwYD\\nVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUT1AL26y0\\n5mCqlUudUNthFa8xuLAwHwYDVR0jBBgwFoAUgWkVV71s/uSIPaqJ+zCKAlK2MOgw\\nIAYDVR0RBBkwF4IVc2VydmVyLmNlbnRtaW5tb2QuY29tMAoGCCqGSM49BAMCA0kA\\nMEYCIQCwlJ57A7sYp/jWQEydRsJVjVES0/U3n51idp5JNFZbbQIhAOA8DUDgBRtT\\nNPQwXhd+kiuyt/IxZRuPODOXD6FezRi6\\n-----END CERTIFICATE-----\\n\"\n}\n\nverify certificate\n\nopenssl verify -CAfile /etc/cfssl/centminmod.com-ca-bundle.pem /etc/cfssl/servercerts/server.centminmod.com.pem\n/etc/cfssl/servercerts/server.centminmod.com.pem: OK\n\nCleanup script created: /etc/cfssl/cleanup/remove-servercert-server.centminmod.com.sh\nTo clean up run: bash /etc/cfssl/cleanup/remove-servercert-server.centminmod.com.sh\n```\n\n# Client SSL 
Certificate\n\nGenerate self-signed client SSL certificate with CA signing for centminmod.com with `TLS Web Client Authentication`\n\n* client pkcs12: /etc/cfssl/clientcerts/centminmod.com.p12\n* client cert: /etc/cfssl/clientcerts/centminmod.com.pem\n* client private key: /etc/cfssl/clientcerts/centminmod.com-key.pem\n* client public key: /etc/cfssl/clientcerts/centminmod.com-publickey.pem\n* client csr: /etc/cfssl/clientcerts/centminmod.com.csr\n* client csr profile: /etc/cfssl/clientcerts/centminmod.com.csr.json\n* cleanup certs script: /etc/cfssl/cleanup/remove-clientcert-centminmod.com.sh\n\nThe output includes Cloudflare API instructions for uploading the generated client SSL certificate to Cloudflare, for use as a custom hostname Cloudflare Authenticated Origin Pull certificate, as outlined at [https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates). See the examples for [Cloudflare Authenticated Origin Pull custom apex domain client TLS certificates](#cloudflare-authenticated-origin-pull-custom-apex-domain-client-tls-certificate-upload) and [Cloudflare Authenticated Origin pull custom per hostname client TLS certificates](#cloudflare-authenticated-origin-pull-custom-hostname-domain-client-tls-certificate-upload).\n\n\u003e Per-Hostname Authenticated Origin Pull using customer certificates\n\u003e When enabling Authenticated Origin Pull per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. 
Customers can use client certificates from their Private PKI to authenticate connections from Cloudflare.\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-client centminmod.com 87600 www centminmod.com\n\ncfssl gencert -config /etc/cfssl/profile.json -profile client -ca /etc/cfssl/centminmod.com-ca-intermediate.pem -ca-key /etc/cfssl/centminmod.com-ca-intermediate-key.pem centminmod.com.csr.json \u003e centminmod.com.json\n2022/05/24 16:56:17 [INFO] generate received request\n2022/05/24 16:56:17 [INFO] received CSR\n2022/05/24 16:56:17 [INFO] generating key: ecdsa-256\n2022/05/24 16:56:17 [INFO] encoded CSR\n2022/05/24 16:56:17 [INFO] signed certificate with serial number 364027147676626726289571183730041490650282141970\n\ncfssljson -f centminmod.com.json -bare centminmod.com\n\nExtract client certificate public key: /etc/cfssl/clientcerts/centminmod.com-publickey.pem\nopenssl x509 -pubkey -noout -in /etc/cfssl/clientcerts/centminmod.com.pem \u003e /etc/cfssl/clientcerts/centminmod.com-publickey.pem\ncat /etc/cfssl/clientcerts/centminmod.com-publickey.pem\n\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElx6Pi1nWSy9BNQ+xfC1HNuEnTvHb\nmX3eKoWmysv5hHMZlGAIjmsHGNKaEPiNcdaQpvlqs6GvQligtgudIvWXbw==\n-----END PUBLIC KEY-----\n\n\nopenssl x509 -in /etc/cfssl/clientcerts/centminmod.com.pem -text -noout\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            3f:c3:8a:b7:19:7c:fa:fc:65:df:c8:c2:67:ae:09:91:ca:19:29:12\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: C=US, ST=CA, L=San Francisco, OU=Intermediate CA, CN=Intermediate CA\n        Validity\n            Not Before: May 24 16:51:00 2022 GMT\n            Not After : May 21 16:51:00 2032 GMT\n        Subject: C=US, ST=CA, L=San Francisco, CN=centminmod.com\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    
04:97:1e:8f:8b:59:d6:4b:2f:41:35:0f:b1:7c:2d:\n                    47:36:e1:27:4e:f1:db:99:7d:de:2a:85:a6:ca:cb:\n                    f9:84:73:19:94:60:08:8e:6b:07:18:d2:9a:10:f8:\n                    8d:71:d6:90:a6:f9:6a:b3:a1:af:42:58:a0:b6:0b:\n                    9d:22:f5:97:6f\n                ASN1 OID: prime256v1\n                NIST CURVE: P-256\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Digital Signature, Key Encipherment\n            X509v3 Extended Key Usage: \n                TLS Web Client Authentication\n            X509v3 Basic Constraints: critical\n                CA:FALSE\n            X509v3 Subject Key Identifier: \n                07:1A:1B:12:FE:1E:7A:CC:8F:14:E9:B7:FB:76:F0:1C:AD:BD:9D:4E\n            X509v3 Authority Key Identifier: \n                keyid:06:69:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\n\n            X509v3 Subject Alternative Name: \n                DNS:centminmod.com, DNS:www.centminmod.com\n    Signature Algorithm: ecdsa-with-SHA256\n         30:45:02:21:00:fe:0a:76:52:2f:84:bb:8d:da:b8:66:2a:5d:\n         7b:7a:71:00:89:36:a1:f7:54:be:1d:98:ba:86:93:e4:19:07:\n         96:02:20:23:4b:ca:51:64:28:7c:fa:16:ea:f0:7e:54:c2:ee:\n         d0:c0:1c:5c:38:26:93:3e:a2:5f:dc:13:1c:d5:64:ed:43\n\nGenerate pkcs12 format\nopenssl pkcs12 -export -out /etc/cfssl/clientcerts/centminmod.com.p12 -inkey /etc/cfssl/clientcerts/centminmod.com-key.pem -in /etc/cfssl/clientcerts/centminmod.com.pem -certfile /etc/cfssl/centminmod.com-ca-bundle.pem -passin pass: -passout pass:\n\nclient pkcs12: /etc/cfssl/clientcerts/centminmod.com.p12\nclient cert: /etc/cfssl/clientcerts/centminmod.com.pem\nclient private key: /etc/cfssl/clientcerts/centminmod.com-key.pem\nclient public key: /etc/cfssl/clientcerts/centminmod.com-publickey.pem\nclient csr: /etc/cfssl/clientcerts/centminmod.com.csr\nclient csr profile: /etc/cfssl/clientcerts/centminmod.com.csr.json\n\nGenerate 
/etc/cfssl/clientcerts/centminmod.com-client-bundle.pem\ncat /etc/cfssl/clientcerts/centminmod.com.pem /etc/cfssl/centminmod.com-ca-bundle.pem \u003e /etc/cfssl/clientcerts/centminmod.com-client-bundle.pem\nclient bundle chain: /etc/cfssl/clientcerts/centminmod.com-client-bundle.pem\n\n\nCheck certificate purpose:\nopenssl x509 -in /etc/cfssl/clientcerts/centminmod.com.pem -noout -purpose\nCertificate purposes:\nSSL client : Yes\nSSL client CA : No\nSSL server : No\nSSL server CA : No\nNetscape SSL server : No\nNetscape SSL server CA : No\nS/MIME signing : No\nS/MIME signing CA : No\nS/MIME encryption : No\nS/MIME encryption CA : No\nCRL signing : No\nCRL signing CA : No\nAny Purpose : Yes\nAny Purpose CA : Yes\nOCSP helper : Yes\nOCSP helper CA : No\nTime Stamp signing : No\nTime Stamp signing CA : No\n\n{\n  \"subject\": {\n    \"common_name\": \"centminmod.com\",\n    \"country\": \"US\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"centminmod.com\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"Intermediate CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Intermediate CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Intermediate CA\",\n      \"Intermediate CA\"\n    ]\n  },\n  \"serial_number\": \"364027147676626726289571183730041490650282141970\",\n  \"sans\": [\n    \"centminmod.com\",\n    \"www.centminmod.com\"\n  ],\n  \"not_before\": \"2022-05-24T16:51:00Z\",\n  \"not_after\": \"2032-05-21T16:51:00Z\",\n  \"sigalg\": \"ECDSAWithSHA256\",\n  \"authority_key_id\": \"06:69:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\",\n  \"subject_key_id\": \"07:1A:1B:12:FE:1E:7A:CC:8F:14:E9:B7:FB:76:F0:1C:AD:BD:9D:4E\",\n  \"pem\": \"-----BEGIN 
CERTIFICATE-----\\nMIICUxxxfagAwIBAgIUP8OKtxl8+vxl38jCZ64JkcoZKRIwCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNjUxMDBaFw0zMjA1MjExNjUxMDBaMEgxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIG\\nA1UEAxMLY2VudG1pbi5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXHo+L\\nWdZLL0E1D7F8LUc24SdO8duZfd4qhabKy/mEcxmUYAiOawcY0poQ+I1x1pCm+Wqz\\noa9CWKC2C50i9Zdvo4GfMIGcMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr\\nBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQHGhsS/h56zI8U6bf7dvAc\\nrb2dTjAfBgNVHSMEGDAWgBQGaefF8v06LjDXH31/ud6bUrnUdzAnBgNVHREEIDAe\\nggtjZW50bWluLmRldoIPd3d3LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUC\\nIQD+CnZSL4S7jdq4Zipde3pxAIk2ofdUvh2YuoaT5BkHlgIgI0vKUWQofPoW6vB+\\nVMLu0MAcXDgmkz6iX9wTHNVk7UM=\\n-----END CERTIFICATE-----\\n\"\n}\n\nopenssl verify -CAfile /etc/cfssl/centminmod.com-ca-bundle.pem /etc/cfssl/clientcerts/centminmod.com.pem\n/etc/cfssl/clientcerts/centminmod.com.pem: OK\n\n---------------------------------------------------------------------------\nFor Cloudflare custom Authenticated Origin Pull Client Certificate API Upload\n---------------------------------------------------------------------------\n- https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates\n- https://api.cloudflare.com/#per-hostname-authenticated-origin-pull-upload-a-hostname-client-certificate\n\npopulate variables\n\nMYCERT=$(cfssl-certinfo -cert /etc/cfssl/clientcerts/centminmod.com.pem | jq '.pem' | sed -e 's|\"||g')\nMYKEY=$(cat /etc/cfssl/clientcerts/centminmod.com-key.pem | perl -pe 's/\\r?\\n/\\\\n/'|sed -e's/..$//')\nrequest_body=\"{ \\\"certificate\\\": \\\"$MYCERT\\\", \\\"private_key\\\": \\\"$MYKEY\\\" }\" \n\nexport cfzoneid=cf_zone_id\nexport cfemail=cf_account_email\nexport cftoken=cf_account_global_api_keytoken\nexport 
cf_hostname=domain_name_on_ssl_certificate\n\n---------------------------------------------------------------------------\nUpload TLS client certificate via CF API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\nhttps://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates\n\ncurl -sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt\n\nOr for apex non-subdomains i.e. domain.com\nhttps://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#zone-level--customer-certificates\n\ncurl -sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt\n\nexport clientcert_id=$(jq -r '.result.id' /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt)\necho \"$clientcert_id\" \u003e /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload-clientcert-id.txt\n\n---------------------------------------------------------------------------\nCheck uploaded TLS client certificate via CF API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. 
hostname.domain.com or subdomain.domain.com\nhttps://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates\n\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload-status.txt\n\nOr for apex non-subdomains i.e. domain.com\nhttps://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#zone-level--customer-certificates\n\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload-status.txt\n\n---------------------------------------------------------------------------\nTo delete uploaded TLS client certificate via CF API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\ncurl -sX DELETE \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload-delete.txt\n\nOr for apex non-subdomains i.e. 
domain.com\ncurl -sX DELETE \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload-delete.txt\n\n---------------------------------------------------------------------------\nEnable specific hostname Authenticated Origin Pull via Cloudflare API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d $(jq -c -n --arg cf_hostname $cf_hostname --arg clientcert_id $clientcert_id $(echo \"{\\\"config\\\":[{\\\"hostname\\\":\\\"$cf_hostname\\\",\\\"cert_id\\\":\\\"$clientcert_id\\\",\\\"enabled\\\":true}]}\")) | jq\n\nOr for apex non-subdomains i.e. domain.com\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d '{\"enabled\":true}' | jq\n\n---------------------------------------------------------------------------\nDisable specific hostname Authenticated Origin Pull via Cloudflare API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. 
hostname.domain.com or subdomain.domain.com\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d $(jq -c -n --arg cf_hostname $cf_hostname --arg clientcert_id $clientcert_id $(echo \"{\\\"config\\\":[{\\\"hostname\\\":\\\"$cf_hostname\\\",\\\"cert_id\\\":\\\"$clientcert_id\\\",\\\"enabled\\\":false}]}\")) | jq\n\nOr for apex non-subdomains i.e. domain.com\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d '{\"enabled\":false}' | jq\n\n---------------------------------------------------------------------------\nCheck CF Status for specific hostname Authenticated Origin Pull via Cloudflare API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/$cf_hostname\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" | jq\n\nOr for apex non-subdomains i.e. 
domain.com\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" | jq\n\n---------------------------------------------------------------------------\nList uploaded Origin TLS Client Authenticatied Certificates\n---------------------------------------------------------------------------\n\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" | jq\n\nCleanup script created: /etc/cfssl/cleanup/remove-clientcert-centminmod.com.sh\nTo clean up run: bash /etc/cfssl/cleanup/remove-clientcert-centminmod.com.sh\n```\n\n# Cloudflare Authenticated Origin Pull Custom Apex Domain Client TLS Certificate Upload\n\nAn example of a Cloudflare Authenticated Origin Pull certificate using a custom apex domain.\n\nUploading, via the Cloudflare API, a custom apex domain client TLS certificate created and signed with the previously created CA intermediate root certificate:\n\n```\nMYCERT=$(cfssl-certinfo -cert /etc/cfssl/clientcerts/centminmod.com.pem | jq '.pem' | sed -e 's|\"||g')\nMYKEY=$(cat /etc/cfssl/clientcerts/centminmod.com-key.pem | perl -pe 's/\\r?\\n/\\\\n/'|sed -e's/..$//')\nrequest_body=\"{ \\\"certificate\\\": \\\"$MYCERT\\\", \\\"private_key\\\": \\\"$MYKEY\\\" }\" \n\nexport cfzoneid=cf_zone_id\nexport cfemail=cf_account_email\nexport cftoken=cf_account_global_api_keytoken\nexport cf_hostname=centminmod.com\n\ncurl -sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"id\": 
\"d5035326-5385-4ec3-b77d-d1a122cf3283\",\n    \"status\": \"pending_deployment\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"364027147676626726289571183730041490650282141970\",\n    \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIICUxxxfagAwIBAgIUP8OKtxl8+vxl38jCZ64JkcoZKRIwCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNjUxMDBaFw0zMjA1MjExNjUxMDBaMEgxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIG\\nA1UEAxMLY2VudG1pbi5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXHo+L\\nWdZLL0E1D7F8LUc24SdO8duZfd4qhabKy/mEcxmUYAiOawcY0poQ+I1x1pCm+Wqz\\noa9CWKC2C50i9Zdvo4GfMIGcMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr\\nBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQHGhsS/h56zI8U6bf7dvAc\\nrb2dTjAfBgNVHSMEGDAWgBQGaefF8v06LjDXH31/ud6bUrnUdzAnBgNVHREEIDAe\\nggtjZW50bWluLmRldoIPd3d3LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUC\\nIQD+CnZSL4S7jdq4Zipde3pxAIk2ofdUvh2YuoaT5BkHlgIgI0vKUWQofPoW6vB+\\nVMLu0MAcXDgmkz6iX9wTHNVk7UM=\\n-----END CERTIFICATE-----\\n\",\n    \"uploaded_on\": \"2022-05-24T16:57:16.801883Z\",\n    \"updated_at\": \"2022-05-24T16:57:16.801883Z\",\n    \"expires_on\": \"2032-05-21T16:51:00Z\"\n  }\n}\n```\n\nVerifying final status and getting info for uploaded custom apex domain client TLS certificate:\n\n```\nexport clientcert_id=$(jq -r '.result.id' /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt)\necho \"$clientcert_id\" \u003e /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload-clientcert-id.txt\n\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee 
/etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload-status.txt\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"id\": \"d5035326-5385-4ec3-b77d-d1a122cf3283\",\n    \"status\": \"active\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"364027147676626726289571183730041490650282141970\",\n    \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIICUxxxfagAwIBAgIUP8OKtxl8+vxl38jCZ64JkcoZKRIwCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNjUxMDBaFw0zMjA1MjExNjUxMDBaMEgxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIG\\nA1UEAxMLY2VudG1pbi5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXHo+L\\nWdZLL0E1D7F8LUc24SdO8duZfd4qhabKy/mEcxmUYAiOawcY0poQ+I1x1pCm+Wqz\\noa9CWKC2C50i9Zdvo4GfMIGcMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr\\nBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQHGhsS/h56zI8U6bf7dvAc\\nrb2dTjAfBgNVHSMEGDAWgBQGaefF8v06LjDXH31/ud6bUrnUdzAnBgNVHREEIDAe\\nggtjZW50bWluLmRldoIPd3d3LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUC\\nIQD+CnZSL4S7jdq4Zipde3pxAIk2ofdUvh2YuoaT5BkHlgIgI0vKUWQofPoW6vB+\\nVMLu0MAcXDgmkz6iX9wTHNVk7UM=\\n-----END CERTIFICATE-----\\n\",\n    \"uploaded_on\": \"2022-05-24T16:57:16.801883Z\",\n    \"expires_on\": \"2032-05-21T16:51:00Z\"\n  }\n}\n```\n\nEnabling Cloudflare Authenticated Origin Pull with custom apex domain client TLS certificate at the zone level:\n\n```\nexport cfzoneid=cf_zone_id\nexport cfemail=cf_account_email\nexport cftoken=cf_account_global_api_keytoken\n\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d '{\"enabled\":true}' | jq\n{\n  \"success\": true,\n  \"errors\": [],\n  
\"messages\": [],\n  \"result\": {\n    \"enabled\": true\n  }\n}\n```\n\nChecking status for Cloudflare Authenticated Origin Pull with custom apex domain client TLS certificate at the zone level:\n\n```\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" | jq\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"enabled\": true\n  }\n}\n```\n\nDisable Cloudflare Authenticated Origin Pull with custom apex domain client TLS certificate at the zone level:\n\n```\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d '{\"enabled\":false}' | jq\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"enabled\": false\n  }\n}\n```\n\nDelete Cloudflare Authenticated Origin Pull with custom apex domain client TLS certificate at the zone level:\n\n```\ncurl -sX DELETE \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/centminmod.com-cf-origin-tls-cleint-auth-cert-upload-delete.txt\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"id\": \"d5035326-5385-4ec3-b77d-d1a122cf3283\",\n    \"status\": \"pending_deletion\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"364027147676626726289571183730041490650282141970\",\n    \"certificate\": \"-----BEGIN 
CERTIFICATE-----\\nMIICUDxxxxxxagAwIBAgIUP8OKtxl8+vxl38jCZ64JkcoZKRIwCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNjUxMDBaFw0zMjA1MjExNjUxMDBaMEgxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIG\\nA1UEAxMLY2VudG1pbi5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXHo+L\\nWdZLL0E1D7F8LUc24SdO8duZfd4qhabKy/mEcxmUYAiOawcY0poQ+I1x1pCm+Wqz\\noa9CWKC2C50i9Zdvo4GfMIGcMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr\\nBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQHGhsS/h56zI8U6bf7dvAc\\nrb2dTjAfBgNVHSMEGDAWgBQGaefF8v06LjDXH31/ud6bUrnUdzAnBgNVHREEIDAe\\nggtjZW50bWluLmRldoIPd3d3LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUC\\nIQD+CnZSL4S7jdq4Zipde3pxAIk2ofdUvh2YuoaT5BkHlgIgI0vKUWQofPoW6vB+\\nVMLu0MAcXDgmkz6iX9wTHNVk7UM=\\n-----END CERTIFICATE-----\\n\",\n    \"uploaded_on\": \"2022-05-24T16:57:16.801883Z\",\n    \"expires_on\": \"2032-05-21T16:51:00Z\"\n  }\n}\n```\n\nVerify deletion:\n\n```\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"id\": \"d5035326-5385-4ec3-b77d-d1a122cf3283\",\n    \"status\": \"deleted\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"364027147676626726289571183730041490650282141970\",\n    \"certificate\": \"-----BEGIN 
CERTIFICATE-----\\nMIICUDxxxxxxagAwIBAgIUP8OKtxl8+vxl38jCZ64JkcoZKRIwCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNjUxMDBaFw0zMjA1MjExNjUxMDBaMEgxCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEUMBIG\\nA1UEAxMLY2VudG1pbi5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASXHo+L\\nWdZLL0E1D7F8LUc24SdO8duZfd4qhabKy/mEcxmUYAiOawcY0poQ+I1x1pCm+Wqz\\noa9CWKC2C50i9Zdvo4GfMIGcMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr\\nBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQHGhsS/h56zI8U6bf7dvAc\\nrb2dTjAfBgNVHSMEGDAWgBQGaefF8v06LjDXH31/ud6bUrnUdzAnBgNVHREEIDAe\\nggtjZW50bWluLmRldoIPd3d3LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUC\\nIQD+CnZSL4S7jdq4Zipde3pxAIk2ofdUvh2YuoaT5BkHlgIgI0vKUWQofPoW6vB+\\nVMLu0MAcXDgmkz6iX9wTHNVk7UM=\\n-----END CERTIFICATE-----\\n\",\n    \"uploaded_on\": \"2022-05-24T16:57:16.801883Z\",\n    \"expires_on\": \"2032-05-21T16:51:00Z\"\n  }\n}\n```\n\nGenerate self-signed client SSL certificate with CA signing for client.centminmod.com subdomain with `TLS Web Client Authentication`\n\n* client pkcs12: /etc/cfssl/clientcerts/client.centminmod.com.p12\n* client cert: /etc/cfssl/clientcerts/client.centminmod.com.pem\n* client private key: /etc/cfssl/clientcerts/client.centminmod.com-key.pem\n* client public key: /etc/cfssl/clientcerts/client.centminmod.com-publickey.pem\n* client csr: /etc/cfssl/clientcerts/client.centminmod.com.csr\n* client csr profile: /etc/cfssl/clientcerts/client.centminmod.com.csr.json\n\nIncluded in output are Cloudflare API instructions for uploading the generated client SSL certificate to Cloudflare for use on a custom hostname configured Cloudflare Authenticated Origin Pull certificate as outlined at 
[https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates). An example for [Cloudflare Authenticated Origin pull custom per hostname client TLS certificates](#cloudflare-authenticated-origin-pull-custom-hostname-domain-client-tls-certificate-upload).\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-client centminmod.com 87600 client centminmod.com\n\ncfssl gencert -config /etc/cfssl/profile.json -profile client -cn client.centminmod.com -hostname client.centminmod.com -ca /etc/cfssl/centminmod.com-ca-intermediate.pem -ca-key /etc/cfssl/centminmod.comca-intermediate-key.pem client.centminmod.com.csr.json \u003e client.centminmod.com.json\n2022/05/24 17:55:36 [INFO] generate received request\n2022/05/24 17:55:36 [INFO] received CSR\n2022/05/24 17:55:36 [INFO] generating key: ecdsa-256\n2022/05/24 17:55:36 [INFO] encoded CSR\n2022/05/24 17:55:36 [INFO] signed certificate with serial number 584692600676493439512096317492143492518858226170\n\ncfssljson -f client.centminmod.com.json -bare client.centminmod.com\n\nExtract client certificate public key: /etc/cfssl/clientcerts/client.centminmod.com-publickey.pem\nopenssl x509 -pubkey -noout -in /etc/cfssl/clientcerts/client.centminmod.com.pem \u003e /etc/cfssl/clientcerts/client.centminmod.com-publickey.pem\ncat /etc/cfssl/clientcerts/client.centminmod.com-publickey.pem\n\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKxxxxxj0CAQYIKxxxxxj0DAQcDQgAEXyp84zF8aQN+NgYz9R0ybj3WUtob\nIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVcorJj1WT8VGVsGoPEoFAFCgTWDEA==\n-----END PUBLIC KEY-----\n\n\nopenssl x509 -in /etc/cfssl/clientcerts/client.centminmod.com.pem -text -noout\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            66:6a:85:e2:a8:32:bb:23:4d:af:05:63:cf:32:cd:1c:06:c8:79:fa\n    Signature Algorithm: 
ecdsa-with-SHA256\n        Issuer: C=US, ST=CA, L=San Francisco, OU=Intermediate CA, CN=Intermediate CA\n        Validity\n            Not Before: May 24 17:51:00 2022 GMT\n            Not After : May 21 17:51:00 2032 GMT\n        Subject: C=US, ST=CA, L=San Francisco, CN=client.centminmod.com\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    04:5f:2a:7c:e3:31:7c:69:03:7e:36:06:33:f5:1d:\n                    32:6e:3d:d6:52:da:1b:21:6f:95:47:ef:12:9f:c5:\n                    ea:11:cb:cb:90:a4:87:21:b9:04:f1:dd:10:c5:57:\n                    28:ac:98:f5:59:3f:15:19:5b:06:a0:f1:28:14:01:\n                    42:81:35:83:10\n                ASN1 OID: prime256v1\n                NIST CURVE: P-256\n        X509v3 extensions:\n            X509v3 Key Usage: critical\n                Digital Signature, Key Encipherment\n            X509v3 Extended Key Usage: \n                TLS Web Client Authentication\n            X509v3 Basic Constraints: critical\n                CA:FALSE\n            X509v3 Subject Key Identifier: \n                DE:75:63:31:0C:51:5C:76:D9:E0:C1:C3:10:7C:8A:3B:DF:8B:08:02\n            X509v3 Authority Key Identifier: \n                keyid:06:69:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\n\n            X509v3 Subject Alternative Name: \n                DNS:client.centminmod.com\n    Signature Algorithm: ecdsa-with-SHA256\n         30:45:02:20:26:cd:c1:c2:13:39:6c:45:20:98:66:76:53:5a:\n         8b:a6:94:93:69:eb:1f:84:eb:1c:c1:38:6a:1c:17:81:1d:3f:\n         02:21:00:c2:c3:c0:e2:e4:1b:84:a0:c3:0a:c9:97:d2:9f:fa:\n         cc:2e:91:0b:17:73:2a:85:36:bd:07:a3:ed:05:30:74:d7\n\nGenerate pkcs12 format\nopenssl pkcs12 -export -out /etc/cfssl/clientcerts/client.centminmod.com.p12 -inkey /etc/cfssl/clientcerts/client.centminmod.com-key.pem -in /etc/cfssl/clientcerts/client.centminmod.com.pem -certfile 
/etc/cfssl/centminmod.com-ca-bundle.pem -passin pass: -passout pass:\n\nclient pkcs12: /etc/cfssl/clientcerts/client.centminmod.com.p12\nclient cert: /etc/cfssl/clientcerts/client.centminmod.com.pem\nclient private key: /etc/cfssl/clientcerts/client.centminmod.com-key.pem\nclient public key: /etc/cfssl/clientcerts/client.centminmod.com-publickey.pem\nclient csr: /etc/cfssl/clientcerts/client.centminmod.com.csr\nclient csr profile: /etc/cfssl/clientcerts/client.centminmod.com.csr.json\n\nGenerate /etc/cfssl/clientcerts/client.centminmod.com-client-bundle.pem\ncat /etc/cfssl/clientcerts/client.centminmod.com.pem /etc/cfssl/centminmod.com-ca-bundle.pem \u003e /etc/cfssl/clientcerts/client.centminmod.com-client-bundle.pem\nclient bundle chain: /etc/cfssl/clientcerts/client.centminmod.com-client-bundle.pem\n\n\nCheck certificate purpose:\nopenssl x509 -in /etc/cfssl/clientcerts/client.centminmod.com.pem -noout -purpose\nCertificate purposes:\nSSL client : Yes\nSSL client CA : No\nSSL server : No\nSSL server CA : No\nNetscape SSL server : No\nNetscape SSL server CA : No\nS/MIME signing : No\nS/MIME signing CA : No\nS/MIME encryption : No\nS/MIME encryption CA : No\nCRL signing : No\nCRL signing CA : No\nAny Purpose : Yes\nAny Purpose CA : Yes\nOCSP helper : Yes\nOCSP helper CA : No\nTime Stamp signing : No\nTime Stamp signing CA : No\n\n{\n  \"subject\": {\n    \"common_name\": \"client.centminmod.com\",\n    \"country\": \"US\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"client.centminmod.com\"\n    ]\n  },\n  \"issuer\": {\n    \"common_name\": \"Intermediate CA\",\n    \"country\": \"US\",\n    \"organizational_unit\": \"Intermediate CA\",\n    \"locality\": \"San Francisco\",\n    \"province\": \"CA\",\n    \"names\": [\n      \"US\",\n      \"CA\",\n      \"San Francisco\",\n      \"Intermediate CA\",\n      \"Intermediate CA\"\n    ]\n  },\n  \"serial_number\": 
\"584692600676493439512096317492143492518858226170\",\n  \"sans\": [\n    \"client.centminmod.com\"\n  ],\n  \"not_before\": \"2022-05-24T17:51:00Z\",\n  \"not_after\": \"2032-05-21T17:51:00Z\",\n  \"sigalg\": \"ECDSAWithSHA256\",\n  \"authority_key_id\": \"06:69:E7:C5:F2:FD:3A:2E:30:D7:1F:7D:7F:B9:DE:9B:52:B9:D4:77\",\n  \"subject_key_id\": \"DE:75:63:31:0C:51:5C:76:D9:E0:C1:C3:10:7C:8A:3B:DF:8B:08:02\",\n  \"pem\": \"-----BEGIN CERTIFICATE-----\\nMIICTTCCAfOgAwIBAgIUZmqF4qgyuyNNrwVjzzLNHAbIefowCgYIKxxxxxj0EAwIw\\nZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNzUxMDBaFw0zMjA1MjExNzUxMDBaME8xCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkG\\nA1UEAxMSY2xpZW50LmNlbnRtaW4uZGV2MFkwEwYHKxxxxxj0CAQYIKxxxxxj0DAQcD\\nQgAEXyp84zF8aQN+NgYz9R0ybj3WUtobIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVco\\nrJj1WT8VGVsGoPEoFAFCgTWDEKOBlTCBkjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU3nVjMQxRXHbZ\\n4MHDEHyKO9+LCAIwHwYDVR0jBBgwFoAUBmnnxfL9Oi4w1x99f7nem1K51HcwHQYD\\nVR0RBBYwFIISY2xpZW50LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUCICbN\\nwcITOWxFIJhmdlNai6aUk2nrH4TrHME4ahwXgR0/AiEAwsPA4uQbhKDDCsmX0p/6\\nzC6RCxdzKoU2vQej7QUwdNc=\\n-----END CERTIFICATE-----\\n\"\n}\n\nopenssl verify -CAfile /etc/cfssl/centminmod.com-ca-bundle.pem /etc/cfssl/clientcerts/client.centminmod.com.pem\n/etc/cfssl/clientcerts/client.centminmod.com.pem: OK\n\n---------------------------------------------------------------------------\nFor Cloudflare custom Authenticated Origin Pull Client Certificate API Upload\n---------------------------------------------------------------------------\n- https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates\n- https://api.cloudflare.com/#per-hostname-authenticated-origin-pull-upload-a-hostname-client-certificate\n\npopulate 
variables\n\nMYCERT=$(cfssl-certinfo -cert /etc/cfssl/clientcerts/client.centminmod.com.pem | jq '.pem' | sed -e 's|\"||g')\nMYKEY=$(cat /etc/cfssl/clientcerts/client.centminmod.com-key.pem | perl -pe 's/\\r?\\n/\\\\n/'|sed -e's/..$//')\nrequest_body=\"{ \\\"certificate\\\": \\\"$MYCERT\\\", \\\"private_key\\\": \\\"$MYKEY\\\" }\" \n\nexport cfzoneid=cf_zone_id\nexport cfemail=cf_account_email\nexport cftoken=cf_account_global_api_keytoken\nexport cf_hostname=domain_name_on_ssl_certificate\n\n---------------------------------------------------------------------------\nUpload TLS client certificate via CF API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\nhttps://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates\n\ncurl -sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt\n\nOr for apex non-subdomains i.e. 
domain.com\nhttps://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#zone-level--customer-certificates\n\ncurl -sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt\n\nexport clientcert_id=$(jq -r '.result.id' /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt)\necho \"$clientcert_id\" \u003e /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-clientcert-id.txt\n\n---------------------------------------------------------------------------\nCheck uploaded TLS client certificate via CF API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\nhttps://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#per-hostname--customer-certificates\n\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-status.txt\n\nOr for apex non-subdomains i.e. 
domain.com\nhttps://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/#zone-level--customer-certificates\n\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-status.txt\n\n---------------------------------------------------------------------------\nTo delete uploaded TLS client certificate via CF API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\ncurl -sX DELETE \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-delete.txt\n\nOr for apex non-subdomains i.e. domain.com\ncurl -sX DELETE \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-delete.txt\n\n---------------------------------------------------------------------------\nEnable specific hostname Authenticated Origin Pull via Cloudflare API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. 
hostname.domain.com or subdomain.domain.com\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d $(jq -c -n --arg cf_hostname $cf_hostname --arg clientcert_id $clientcert_id $(echo \"{\\\"config\\\":[{\\\"hostname\\\":\\\"$cf_hostname\\\",\\\"cert_id\\\":\\\"$clientcert_id\\\",\\\"enabled\\\":true}]}\")) | jq\n\nOr for apex non-subdomains i.e. domain.com\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d '{\"enabled\":true}' | jq\n\n---------------------------------------------------------------------------\nDisable specific hostname Authenticated Origin Pull via Cloudflare API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d $(jq -c -n --arg cf_hostname $cf_hostname --arg clientcert_id $clientcert_id $(echo \"{\\\"config\\\":[{\\\"hostname\\\":\\\"$cf_hostname\\\",\\\"cert_id\\\":\\\"$clientcert_id\\\",\\\"enabled\\\":false}]}\")) | jq\n\nOr for apex non-subdomains i.e. 
domain.com\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d '{\"enabled\":false}' | jq\n\n---------------------------------------------------------------------------\nCheck CF Status for specific hostname Authenticated Origin Pull via Cloudflare API\n---------------------------------------------------------------------------\n\nFor custom hostname/subdomains i.e. hostname.domain.com or subdomain.domain.com\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/$cf_hostname\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" | jq\n\nOr for apex non-subdomains i.e. domain.com\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/settings\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" | jq\n\n---------------------------------------------------------------------------\nList uploaded Origin TLS Client Authenticatied Certificates\n---------------------------------------------------------------------------\n\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" | jq\n\nCleanup script created: /etc/cfssl/cleanup/remove-clientcert-client.centminmod.com.sh\nTo clean up run: bash /etc/cfssl/cleanup/remove-clientcert-client.centminmod.com.sh\n```\n\n# Cloudflare Authenticated Origin Pull Custom Hostname Domain Client TLS Certificate Upload\n\nAn example of a Cloudflare Authenticated Origin Pull certificate using a custom hostname domain.\n\nUploading, via the Cloudflare API, a custom hostname domain client TLS certificate created and signed with the previously created CA intermediate root certificate:\n\n```\nMYCERT=$(cfssl-certinfo 
-cert /etc/cfssl/clientcerts/client.centminmod.com.pem | jq '.pem' | sed -e 's|\"||g')\nMYKEY=$(cat /etc/cfssl/clientcerts/client.centminmod.com-key.pem | perl -pe 's/\\r?\\n/\\\\n/'|sed -e's/..$//')\nrequest_body=\"{ \\\"certificate\\\": \\\"$MYCERT\\\", \\\"private_key\\\": \\\"$MYKEY\\\" }\" \n\nexport cfzoneid=cf_zone_id\nexport cfemail=cf_account_email\nexport cftoken=cf_account_global_api_keytoken\nexport cf_hostname=client.centminmod.com\n\ncurl -sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"id\": \"608cc597-64c5-4797-874b-fa6263f52572\",\n    \"status\": \"pending_deployment\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"584692600676493439512096317492143492518858226170\",\n    \"certificate\": \"-----BEGIN 
CERTIFICATE-----\\nMIICTTCCAfOgAwIBAgIUZmqF4qgyuyNNrwVjzzLNHAbIefowCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBxxxVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNzUxMDBaFw0zMjA1MjExNzUxMDBaME8xCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkG\\nA1UEAxMSY2xpZW50LmNlbnRtaW4uZGV2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\\nQgAEXyp84zF8aQN+NgYz9R0ybj3WUtobIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVco\\nrJj1WT8VGVsGoPEoFAFCgTWDEKOBlTCBkjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU3nVjMQxRXHbZ\\n4MHDEHyKO9+LCAIwHwYDVR0jBBgwFoAUBmnnxfL9Oi4w1x99f7nem1K51HcwHQYD\\nVR0RBBYwFIISY2xpZW50LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUCICbN\\nwcITOWxFIJhmdlNai6aUk2nrH4TrHME4ahwXgR0/AiEAwsPA4uQbhKDDCsmX0p/6\\nzC6RCxdzKoU2vQej7QUwdNc=\\n-----END CERTIFICATE-----\\n\",\n    \"uploaded_on\": \"2022-05-24T18:03:17.950644Z\",\n    \"updated_at\": \"2022-05-24T18:03:17.950644Z\",\n    \"expires_on\": \"2032-05-21T17:51:00Z\"\n  }\n}\n```\n\nVerifying final status and getting info for uploaded custom hostname domain client TLS certificate:\n\n```\nexport clientcert_id=$(jq -r '.result.id' /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload.txt)\necho \"$clientcert_id\" \u003e /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-clientcert-id.txt\n\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-status.txt\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"id\": \"608cc597-64c5-4797-874b-fa6263f52572\",\n    \"status\": \"active\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate 
CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"584692600676493439512096317492143492518858226170\",\n    \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIICTTCCAfOgAwIBAgIUZmqF4qgyuyNNrwVjzzLNHAbIefowCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBxxxVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNzUxMDBaFw0zMjA1MjExNzUxMDBaME8xCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkG\\nA1UEAxMSY2xpZW50LmNlbnRtaW4uZGV2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\\nQgAEXyp84zF8aQN+NgYz9R0ybj3WUtobIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVco\\nrJj1WT8VGVsGoPEoFAFCgTWDEKOBlTCBkjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU3nVjMQxRXHbZ\\n4MHDEHyKO9+LCAIwHwYDVR0jBBgwFoAUBmnnxfL9Oi4w1x99f7nem1K51HcwHQYD\\nVR0RBBYwFIISY2xpZW50LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUCICbN\\nwcITOWxFIJhmdlNai6aUk2nrH4TrHME4ahwXgR0/AiEAwsPA4uQbhKDDCsmX0p/6\\nzC6RCxdzKoU2vQej7QUwdNc=\\n-----END CERTIFICATE-----\\n\",\n    \"uploaded_on\": \"2022-05-24T18:03:17.950644Z\",\n    \"expires_on\": \"2032-05-21T17:51:00Z\"\n  }\n}\n```\n\nEnabling Cloudflare Authenticated Origin Pull with custom hostname domain client TLS certificate at the zone level:\n\n```\nexport cfzoneid=cf_zone_id\nexport cfemail=cf_account_email\nexport cftoken=cf_account_global_api_keytoken\n\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d $(jq -c -n --arg cf_hostname $cf_hostname --arg clientcert_id $clientcert_id $(echo \"{\\\"config\\\":[{\\\"hostname\\\":\\\"$cf_hostname\\\",\\\"cert_id\\\":\\\"$clientcert_id\\\",\\\"enabled\\\":true}]}\")) | jq\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": [\n    {\n      \"hostname\": \"client.centminmod.com\",\n      \"cert_id\": 
\"608cc597-64c5-4797-874b-fa6263f52572\",\n      \"enabled\": true,\n      \"status\": \"pending_deployment\",\n      \"created_at\": \"2022-05-24T18:08:10.64646Z\",\n      \"updated_at\": \"2022-05-24T18:08:10.64646Z\",\n      \"cert_status\": \"active\",\n      \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n      \"signature\": \"ECDSA-SHA256\",\n      \"serial_number\": \"584692600676493439512096317492143492518858226170\",\n      \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIICTTCCAfOgAwIBAgIUZmqF4qgyuyNNrwVjzzLNHAbIefowCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBxxxVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNzUxMDBaFw0zMjA1MjExNzUxMDBaME8xCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkG\\nA1UEAxMSY2xpZW50LmNlbnRtaW4uZGV2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\\nQgAEXyp84zF8aQN+NgYz9R0ybj3WUtobIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVco\\nrJj1WT8VGVsGoPEoFAFCgTWDEKOBlTCBkjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU3nVjMQxRXHbZ\\n4MHDEHyKO9+LCAIwHwYDVR0jBBgwFoAUBmnnxfL9Oi4w1x99f7nem1K51HcwHQYD\\nVR0RBBYwFIISY2xpZW50LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUCICbN\\nwcITOWxFIJhmdlNai6aUk2nrH4TrHME4ahwXgR0/AiEAwsPA4uQbhKDDCsmX0p/6\\nzC6RCxdzKoU2vQej7QUwdNc=\\n-----END CERTIFICATE-----\\n\",\n      \"cert_uploaded_on\": \"2022-05-24T18:03:17.950644Z\",\n      \"cert_updated_at\": \"2022-05-24T18:03:18.670801Z\",\n      \"expires_on\": \"2032-05-21T17:51:00Z\"\n    }\n  ]\n}\n```\n\nChecking status for Cloudflare Authenticated Origin Pull with custom hostname domain client TLS certificate at the zone level:\n\n```\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/$cf_hostname\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" | jq\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  
\"result\": {\n    \"hostname\": \"client.centminmod.com\",\n    \"cert_id\": \"608cc597-64c5-4797-874b-fa6263f52572\",\n    \"enabled\": true,\n    \"status\": \"active\",\n    \"created_at\": \"2022-05-24T18:08:10.64646Z\",\n    \"updated_at\": \"2022-05-24T18:08:12.059714Z\",\n    \"cert_status\": \"active\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"584692600676493439512096317492143492518858226170\",\n    \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIICTTCCAfOgAwIBAgIUZmqF4qgyuyNNrwVjzzLNHAbIefowCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBxxxVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNzUxMDBaFw0zMjA1MjExNzUxMDBaME8xCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkG\\nA1UEAxMSY2xpZW50LmNlbnRtaW4uZGV2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\\nQgAEXyp84zF8aQN+NgYz9R0ybj3WUtobIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVco\\nrJj1WT8VGVsGoPEoFAFCgTWDEKOBlTCBkjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU3nVjMQxRXHbZ\\n4MHDEHyKO9+LCAIwHwYDVR0jBBgwFoAUBmnnxfL9Oi4w1x99f7nem1K51HcwHQYD\\nVR0RBBYwFIISY2xpZW50LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUCICbN\\nwcITOWxFIJhmdlNai6aUk2nrH4TrHME4ahwXgR0/AiEAwsPA4uQbhKDDCsmX0p/6\\nzC6RCxdzKoU2vQej7QUwdNc=\\n-----END CERTIFICATE-----\\n\",\n    \"cert_uploaded_on\": \"2022-05-24T18:03:17.950644Z\",\n    \"cert_updated_at\": \"2022-05-24T18:03:18.670801Z\",\n    \"expires_on\": \"2032-05-21T17:51:00Z\"\n  }\n}\n```\n\nDisable Cloudflare Authenticated Origin Pull with custom hostname domain client TLS certificate at the zone level:\n\n```\ncurl -sX PUT https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d $(jq -c -n --arg cf_hostname $cf_hostname --arg clientcert_id 
$clientcert_id $(echo \"{\\\"config\\\":[{\\\"hostname\\\":\\\"$cf_hostname\\\",\\\"cert_id\\\":\\\"$clientcert_id\\\",\\\"enabled\\\":false}]}\")) | jq\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": [\n    {\n      \"hostname\": \"client.centminmod.com\",\n      \"cert_id\": \"608cc597-64c5-4797-874b-fa6263f52572\",\n      \"enabled\": false,\n      \"status\": \"pending_deployment\",\n      \"created_at\": \"0001-01-01T00:00:00Z\",\n      \"updated_at\": \"2022-05-24T18:09:59.585901Z\",\n      \"cert_status\": \"active\",\n      \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n      \"signature\": \"ECDSA-SHA256\",\n      \"serial_number\": \"584692600676493439512096317492143492518858226170\",\n      \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIICTTCCAfOgAwIBAgIUZmqF4qgyuyNNrwVjzzLNHAbIefowCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBxxxVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNzUxMDBaFw0zMjA1MjExNzUxMDBaME8xCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkG\\nA1UEAxMSY2xpZW50LmNlbnRtaW4uZGV2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\\nQgAEXyp84zF8aQN+NgYz9R0ybj3WUtobIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVco\\nrJj1WT8VGVsGoPEoFAFCgTWDEKOBlTCBkjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU3nVjMQxRXHbZ\\n4MHDEHyKO9+LCAIwHwYDVR0jBBgwFoAUBmnnxfL9Oi4w1x99f7nem1K51HcwHQYD\\nVR0RBBYwFIISY2xpZW50LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUCICbN\\nwcITOWxFIJhmdlNai6aUk2nrH4TrHME4ahwXgR0/AiEAwsPA4uQbhKDDCsmX0p/6\\nzC6RCxdzKoU2vQej7QUwdNc=\\n-----END CERTIFICATE-----\\n\",\n      \"cert_uploaded_on\": \"2022-05-24T18:03:17.950644Z\",\n      \"cert_updated_at\": \"2022-05-24T18:03:18.670801Z\",\n      \"expires_on\": \"2032-05-21T17:51:00Z\"\n    }\n  ]\n}\n```\nDelete Cloudflare Authenticated Origin Pull with custom hostname domain client TLS certificate at the zone 
level:\n\n```\ncurl -sX DELETE \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" -H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-delete.txt\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"id\": \"608cc597-64c5-4797-874b-fa6263f52572\",\n    \"status\": \"pending_deletion\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"584692600676493439512096317492143492518858226170\",\n    \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIICTTCCAfOgAwIBAgIUZmqF4qgyuyNNrwVjzzLNHAbIefowCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBxxxVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNzUxMDBaFw0zMjA1MjExNzUxMDBaME8xCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkG\\nA1UEAxMSY2xpZW50LmNlbnRtaW4uZGV2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\\nQgAEXyp84zF8aQN+NgYz9R0ybj3WUtobIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVco\\nrJj1WT8VGVsGoPEoFAFCgTWDEKOBlTCBkjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU3nVjMQxRXHbZ\\n4MHDEHyKO9+LCAIwHwYDVR0jBBgwFoAUBmnnxfL9Oi4w1x99f7nem1K51HcwHQYD\\nVR0RBBYwFIISY2xpZW50LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUCICbN\\nwcITOWxFIJhmdlNai6aUk2nrH4TrHME4ahwXgR0/AiEAwsPA4uQbhKDDCsmX0p/6\\nzC6RCxdzKoU2vQej7QUwdNc=\\n-----END CERTIFICATE-----\\n\",\n    \"uploaded_on\": \"2022-05-24T18:03:17.950644Z\",\n    \"expires_on\": \"2032-05-21T17:51:00Z\"\n  }\n}\n```\n\nVerify deletion:\n\n```\ncurl -sX GET \"https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates/$clientcert_id\" -H \"X-Auth-Email: $cfemail\" -H \"X-Auth-Key: $cftoken\" 
-H \"Content-Type: application/json\" -d \"$request_body\" | jq | tee /etc/cfssl/clientcerts/client.centminmod.com-cf-origin-tls-cleint-auth-cert-upload-status.txt\n{\n  \"success\": true,\n  \"errors\": [],\n  \"messages\": [],\n  \"result\": {\n    \"id\": \"608cc597-64c5-4797-874b-fa6263f52572\",\n    \"status\": \"deleted\",\n    \"issuer\": \"CN=Intermediate CA,OU=Intermediate CA,L=San Francisco,ST=CA,C=US\",\n    \"signature\": \"ECDSA-SHA256\",\n    \"serial_number\": \"584692600676493439512096317492143492518858226170\",\n    \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIICTTCCAfOgAwIBAgIUZmqF4qgyuyNNrwVjzzLNHAbIefowCgYIKoZIzj0EAwIw\\nZjELMAkGA1UEBxxxVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\\nc2NvMRgwFgYDVQQLEw9JbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVk\\naWF0ZSBDQTAeFw0yMjA1MjQxNzUxMDBaFw0zMjA1MjExNzUxMDBaME8xCzAJBgNV\\nBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEbMBkG\\nA1UEAxMSY2xpZW50LmNlbnRtaW4uZGV2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\\nQgAEXyp84zF8aQN+NgYz9R0ybj3WUtobIW+VR+8Sn8XqEcvLkKSHIbkE8d0QxVco\\nrJj1WT8VGVsGoPEoFAFCgTWDEKOBlTCBkjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l\\nBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU3nVjMQxRXHbZ\\n4MHDEHyKO9+LCAIwHwYDVR0jBBgwFoAUBmnnxfL9Oi4w1x99f7nem1K51HcwHQYD\\nVR0RBBYwFIISY2xpZW50LmNlbnRtaW4uZGV2MAoGCCqGSM49BAMCA0gAMEUCICbN\\nwcITOWxFIJhmdlNai6aUk2nrH4TrHME4ahwXgR0/AiEAwsPA4uQbhKDDCsmX0p/6\\nzC6RCxdzKoU2vQej7QUwdNc=\\n-----END CERTIFICATE-----\\n\",\n    \"uploaded_on\": \"2022-05-24T18:03:17.950644Z\",\n    \"expires_on\": \"2032-05-21T17:51:00Z\"\n  }\n}\n```\n\n# Peer Wildcard SSL Certificate\n\nGenerate self-signed peer wildcard SSL certificate with CA signing for centminmod.com subdomain with `TLS Web Client Authentication` and `TLS Web Server Authentication` \n\n* peer pkcs12: /etc/cfssl/peercerts/centminmod.com.p12\n* peer cert: /etc/cfssl/peercerts/centminmod.com.pem\n* peer private key: /etc/cfssl/peercerts/centminmod.com-key.pem\n* peer public key: 
/etc/cfssl/peercerts/centminmod.com-publickey.pem\n* peer csr: /etc/cfssl/peercerts/centminmod.com.csr\n* peer csr profile: /etc/cfssl/peercerts/centminmod.com.csr.json\n\n```\n/root/tools/cfssl-ca-ssl/cfssl-ca-ssl.sh gen-peer centminmod.com 87600 wildcard centminmod.com\n\ncfssl gencert -config /etc/cfssl/profile.json -profile peer -ca /etc/cfssl/centminmod.com-ca-intermediate.pem -ca-key /etc/cfssl/centminmod.com-ca-intermediate-key.pem centminmod.com.csr.json \u003e centminmod.com.json\n2020/09/15 04:45:23 [INFO] generate received request\n2020/09/15 04:45:23 [INFO] received CSR\n2020/09/15 04:45:23 [INFO] generating key: ecdsa-256\n2020/09/15 04:45:23 [INFO] encoded CSR\n2020/09/15 04:45:23 [INFO] signed certificate with serial number 364491867088419011259470270742378449429086468712\n\ncfssljson -f centminmod.com.json -bare centminmod.com\n\nExtract peer certi","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcentminmod%2Fcfssl-ca-ssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcentminmod%2Fcfssl-ca-ssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcentminmod%2Fcfssl-ca-ssl/lists"}