{"id":23594253,"url":"https://github.com/pexmor/demo-cfssl","last_synced_at":"2025-11-04T15:30:26.412Z","repository":{"id":172673591,"uuid":"490750069","full_name":"PexMor/demo-cfssl","owner":"PexMor","description":"An example how to use cfssl","archived":false,"fork":false,"pushed_at":"2024-12-10T13:29:13.000Z","size":28,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-27T09:16:23.094Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PexMor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-10T15:10:24.000Z","updated_at":"2024-12-10T13:29:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"d31ee1c5-b681-42ef-8f5c-7e18f5ab7ebf","html_url":"https://github.com/PexMor/demo-cfssl","commit_stats":null,"previous_names":["pexmor/demo-cfssl"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PexMor%2Fdemo-cfssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PexMor%2Fdemo-cfssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PexMor%2Fdemo-cfssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PexMor%2Fdemo-cfssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PexMor","download_url":"https://codeload.github.com/PexMor/demo-cfssl/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239435030,"owners_count":19638045,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-27T09:16:26.260Z","updated_at":"2025-11-04T15:30:26.362Z","avatar_url":"https://github.com/PexMor.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Demo cfssl\n\nAn example how to use cfssl\n\nThe key path is `~/.config/demo-cfssl` at that place all the files are stored:\n\nCA, ICA and server DN.O: `000 Special Org`\n\nOther components of the X.509 DN (distingushed name is in `*.json`)\n\n| file name                    | purpose - description                       |\n| ---------------------------- | ------------------------------------------- |\n| ca-bundle.pem                | root CA + intermediate CA certs             |\n| ca-key.pem                   | private key for root CA                     |\n| ca.csr                       | CA signing request                          |\n| ca.pem                       | root CA cert                                |\n| dhparam.pem                  | DH parameters used by TLS server            |\n| ica-key.pem                  | intermediate CA cert                        |\n| ica-self.pem                 | self-signed interediate CA cert             |\n| ica.csr                      | intermediate CA signing requests            |\n| ica.pem                      | root CA signed intermediate CA certificate  |\n| localhost-server-bundle.pem  | server cert + ca-bundle                     |\n| localhost-server-haproxy.pem | server bundle + private key for server cert |\n| localhost-server-key.pem     | server private key                          |\n| localhost-server.csr         | server cert signign request                 |\n| localhost-server.pem         | server cert alone                           |\n\n## Things to tweak\n\nThis line in `./mkCert.sh` creates the actual host certificate:\n\n```bash\n# ...\nmkCert 03_host.json $C_TYPE $C_FN\n# ...\n```\n\nparameters:\n\n- `C_TYPE=server` ref. [profiles.json](profiles.json)\n- `C_FN` is just a filename.\n\nYou should also tweak `03_host.json` either via\n\n```bash\njq . 03_host.json | jq '.names[0].ST=\"Some\" | .hosts=[\"super.name.lan\"]' \u003etmp-03_host.json\n```\n\nAlso a thing to look at is the `profiles.json`...\n\nThis example runs `containerized` in particular `Dockerized`.\n\nPlatform binaries to be downloaded at [https://github.com/cloudflare/cfssl/releases](https://github.com/cloudflare/cfssl/releases):\n\n- cfssl-bundle\n- cfssl-certinfo\n- cfssl-newkey\n- cfssl-scan\n- [cfssljson](https://github.com/cloudflare/cfssl#the-cfssljson-utility) - program, which takes the JSON output from the cfssl and multirootca programs and writes certificates, keys, CSRs, and bundles to disk\n- [cfssl](https://github.com/cloudflare/cfssl#using-the-command-line-tool) - program, which is the canonical command line utility using the CFSSL packages\n- [mkbundle](https://github.com/cloudflare/cfssl#the-mkbundle-utility) - program is used to build certificate pool bundles\n- [multirootca](https://github.com/cloudflare/cfssl#the-multirootca) - program, which is a certificate authority server that can use multiple signing keys\n\n...it is GO-Lang: `go get github.com/cloudflare/cfssl/cmd/...`\n\n## Testing and deploying\n\n**Firefox:** have independed certificate store (incl.RootCA).\n**Chrome \u0026 Safari \u0026 Edge/Chrome** use the system cert store (incl.RootCA).\n\n```bash\nexport BP=\"$HOME/.config/demo-ssl\"\n# following does not work with `update-ca-certificates`\n# export DST=\"/usr/share/ca-certificates/extra\"\nexport DST=\"/usr/local/share/ca-certificates/extra\"\nsudo mkdir -p \"$DST\"\ncat \"$BP/ca.pem\" | sudo tee \"$DST/000ca.crt\"\nsudo update-ca-certificates\n# sudo dpkg-reconfigure ca-certificates\n```\n\ncheck intermediate CA CERT w/explicit root CA CERT:\n\n```bash\nopenssl verify -CAfile \"$BP/ca.pem\" -verbose \"$BP/ica.pem\"\n```\n\ncheck intermediate CA CERT w/system root CA CERT - verifies the deployment went well:\n\n```bash\nopenssl verify -verbose \"$BP/ica.pem\"\n```\n\n\u003e Note: in the following examples the parameter `-untrusted` is the actual and correct one, as the trustworthiness is verified by the root CA...\n\ncheck host CERT w/explicit root CA:\n\n```bash\nopenssl verify -verbose -CAfile \"$BP/ca.pem\" \\\n    -untrusted \"$BP/ica.pem\" \"$BP/localhost-server.pem\"\n```\n\ncheck host CERT w/system root CA:\n\n```bash\nopenssl verify -verbose -untrusted \"$BP/ica.pem\" \"$BP/localhost-server.pem\"\n```\n\n\u003e Note: cfssl does not support plug-in (USB, Bluetooth, NFC) PKCS#11 tokens :-(\n\n## HA Proxy test\n\nThis addition presents the use of generated CA's keys with `haproxy` in Docker container.\n\nTo test at first run the certificate creation as described above and the run `./demoHaproxy.sh`\n\n## Do it on RaspberryPi\n\nHead to releases: \u003chttps://github.com/cloudflare/cfssl/releases\u003e\n\nSelect the latest build for `ARMv6` or `ARM64` if you are on RPi5 and later.\n\nAt the time of writing it was `cfssl_1.6.5_linux_armv6`\n\nWhile revisiting the **one-click** solution I have found that for `day 2` operation perspective\nit might be too fast for certain use-cases. For that reason I would elaborate a bit on steps\nthat you might find useful in case you do not need kind of **one-shot CA and server**.\n\nThe procedure is following:\n\n1. generate **long term** CA certificate and key (like 10 years, do not forget **make note** in calendar!)\n2. do the same for **long term** intermediate CA certificate (same as above)\n3. generate **short term** certificate for what ever you need server, e-mail or even sub-CA (short period should be around 90 days - hint: **certbot - Let's Encrypt** policy)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpexmor%2Fdemo-cfssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpexmor%2Fdemo-cfssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpexmor%2Fdemo-cfssl/lists"}