aschmidt75 · March 19, 2019 14:23
diff --git a/readme.txt b/readme.txt
  * https://medium.com/@vrmvrm/setup-cloudflare-cfssl-with-ocsp-responder-aba44b4134e6
  * https://github.com/cloudflare/cfssl
  * https://www.heise.de/select/ix/2019/01/softlinks/132?wt_mc=pred.red.ix.ix012019.132.softlink.softlink


  502  export GOPATH=....
  503  go get -u github.com/cloudflare/cfssl/cmd/cfssl
  504  go get -u github.com/cloudflare/cfssl/cmd/cfssljson
  505  export PATH=$PATH:$GOPATH/bin

 %localhost%:ca_1 c018$ vim csr_ROOT_CA.json
 %localhost%:ca_1 c018$ cfssl gencert -initca csr_ROOT_CA.json | cfssljson -bare root_ca
 2019/03/19 14:45:35 [INFO] generating a new CA key and certificate from CSR
 2019/03/19 14:45:35 [INFO] generate received request
 2019/03/19 14:45:35 [INFO] received CSR
 2019/03/19 14:45:35 [INFO] generating key: ecdsa-256
 2019/03/19 14:45:35 [INFO] encoded CSR
 2019/03/19 14:45:35 [INFO] signed certificate with serial number 65443847706366332973254209484498632464715121684

 %localhost%:ca_1 c018$ vim csr_INTERMEDIATE_CA.json
 %localhost%:ca_1 c018$ cfssl gencert -initca csr_INTERMEDIATE_CA.json | cfssljson -bare intermediate_ca
 2019/03/19 14:49:57 [INFO] generating a new CA key and certificate from CSR
 2019/03/19 14:49:57 [INFO] generate received request
 2019/03/19 14:49:57 [INFO] received CSR
 2019/03/19 14:49:57 [INFO] generating key: ecdsa-256
 2019/03/19 14:49:57 [INFO] encoded CSR
 2019/03/19 14:49:57 [INFO] signed certificate with serial number 123383546936283677753535708241686773730769347170

 %localhost%:ca_1 c018$ vim root_to_intermediate_ca.json
 %localhost%:ca_1 c018$ cfssl sign -ca root_ca.pem -ca-key root_ca-key.pem -config root_to_intermediate_ca.json intermediate_ca.csr | cfssljson -bare intermediate_ca
 2019/03/19 14:52:23 [INFO] signed certificate with serial number 211292323161609508551907813693671512220149985680

 -->

 %localhost%:ca_1 c018$ openssl x509 -in intermediate_ca.pem -text
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:02:ac:ea:9f:18:d8:bf:c0:4d:89:e6:f1:0f:ff:b8:57:33:b1:90
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=DE, L=Koenigswinter, O=aschmidt75, OU=Tesing Dptd, CN=Test-CA
        Validity
            Not Before: Mar 19 13:47:00 2019 GMT
            Not After : Mar 11 13:47:00 2049 GMT
        Subject: C=DE, L=Koenigswinter, O=aschmidt75, OU=Tesing Dptd, CN=Test-Intermediate CA
        Subject Public Key Info:

 %localhost%:ca_1 c018$ vim csr_SERVER.json
 %localhost%:ca_1 c018$ vim intermediate_to_client_cert.json

 %localhost%:ca_1 c018$ cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config intermediate_to_client_cert.json  csr_SERVER.json | cfssljson -bare server1
 2019/03/19 15:03:36 [INFO] generate received request
 2019/03/19 15:03:36 [INFO] received CSR
 2019/03/19 15:03:36 [INFO] generating key: ecdsa-256
 2019/03/19 15:03:36 [INFO] encoded CSR
 2019/03/19 15:03:36 [INFO] signed certificate with serial number 99531130398080906956431024054682268320080613660

diff --git a/csr_INTERMEDIATE_CA.json b/csr_INTERMEDIATE_CA.json
 {
  "CN": "Test-Intermediate CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    { "C": "DE", "L": "Koenigswinter", "O": "aschmidt75", "OU": "Tesing Dptd" }
  ],
  "ca": {
    "expiry": "1000h"
  }
 }
diff --git a/csr_ROOT_CA.json b/csr_ROOT_CA.json
 {
  "CN": "Test-CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    { "C": "DE", "L": "Koenigswinter", "O": "aschmidt75", "OU": "Tesing Dptd" }
  ],
  "ca": {
    "expiry": "262800h"
  }
 }
diff --git a/csr_SERVER.json b/csr_SERVER.json
 {
  "cn": "192.168.143.10",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    { "C": "DE", "L": "Koenigswinter", "O": "aschmidt75", "OU": "Tesing Dptd" }
  ],
  "Hosts": ["192.168.143.10"]
 }
diff --git a/intermediate_to_client_cert.json b/intermediate_to_client_cert.json
 {
  "signing": {
    "profiles": {
      "CA": {
        "usages": [ "cert sign" ],
        "expiry": "1000h"
      }
    },
    "default": {
      "usages": [ "digital signature" ],
      "expiry": "500h"
    }
  }
 }
diff --git a/root_to_intermediate_ca.json b/root_to_intermediate_ca.json
 {
  "signing": {
    "default": {
      "usages": [ "digital signature", "cert sign", "crl sign", "signing" ],
      "expiry": "262800h",
      "ca_constraint": { "is_ca": true, "max_path_len": 0, "max_path_len_zero": true }
    }
  }
 }
	* https://medium.com/@vrmvrm/setup-cloudflare-cfssl-with-ocsp-responder-aba44b4134e6
	* https://github.com/cloudflare/cfssl
	* https://www.heise.de/select/ix/2019/01/softlinks/132?wt_mc=pred.red.ix.ix012019.132.softlink.softlink


	502 export GOPATH=....
	503 go get -u github.com/cloudflare/cfssl/cmd/cfssl
	504 go get -u github.com/cloudflare/cfssl/cmd/cfssljson
	505 export PATH=$PATH:$GOPATH/bin

	%localhost%:ca_1 c018$ vim csr_ROOT_CA.json
	%localhost%:ca_1 c018$ cfssl gencert -initca csr_ROOT_CA.json \| cfssljson -bare root_ca
	2019/03/19 14:45:35 [INFO] generating a new CA key and certificate from CSR
	2019/03/19 14:45:35 [INFO] generate received request
	2019/03/19 14:45:35 [INFO] received CSR
	2019/03/19 14:45:35 [INFO] generating key: ecdsa-256
	2019/03/19 14:45:35 [INFO] encoded CSR
	2019/03/19 14:45:35 [INFO] signed certificate with serial number 65443847706366332973254209484498632464715121684

	%localhost%:ca_1 c018$ vim csr_INTERMEDIATE_CA.json
	%localhost%:ca_1 c018$ cfssl gencert -initca csr_INTERMEDIATE_CA.json \| cfssljson -bare intermediate_ca
	2019/03/19 14:49:57 [INFO] generating a new CA key and certificate from CSR
	2019/03/19 14:49:57 [INFO] generate received request
	2019/03/19 14:49:57 [INFO] received CSR
	2019/03/19 14:49:57 [INFO] generating key: ecdsa-256
	2019/03/19 14:49:57 [INFO] encoded CSR
	2019/03/19 14:49:57 [INFO] signed certificate with serial number 123383546936283677753535708241686773730769347170

	%localhost%:ca_1 c018$ vim root_to_intermediate_ca.json
	%localhost%:ca_1 c018$ cfssl sign -ca root_ca.pem -ca-key root_ca-key.pem -config root_to_intermediate_ca.json intermediate_ca.csr \| cfssljson -bare intermediate_ca
	2019/03/19 14:52:23 [INFO] signed certificate with serial number 211292323161609508551907813693671512220149985680

	-->

	%localhost%:ca_1 c018$ openssl x509 -in intermediate_ca.pem -text
	Certificate:
	Data:
	Version: 3 (0x2)
	Serial Number:
	25:02:ac:ea:9f:18:d8:bf:c0:4d:89:e6:f1:0f:ff:b8:57:33:b1:90
	Signature Algorithm: ecdsa-with-SHA256
	Issuer: C=DE, L=Koenigswinter, O=aschmidt75, OU=Tesing Dptd, CN=Test-CA
	Validity
	Not Before: Mar 19 13:47:00 2019 GMT
	Not After : Mar 11 13:47:00 2049 GMT
	Subject: C=DE, L=Koenigswinter, O=aschmidt75, OU=Tesing Dptd, CN=Test-Intermediate CA
	Subject Public Key Info:

	%localhost%:ca_1 c018$ vim csr_SERVER.json
	%localhost%:ca_1 c018$ vim intermediate_to_client_cert.json

	%localhost%:ca_1 c018$ cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config intermediate_to_client_cert.json csr_SERVER.json \| cfssljson -bare server1
	2019/03/19 15:03:36 [INFO] generate received request
	2019/03/19 15:03:36 [INFO] received CSR
	2019/03/19 15:03:36 [INFO] generating key: ecdsa-256
	2019/03/19 15:03:36 [INFO] encoded CSR
	2019/03/19 15:03:36 [INFO] signed certificate with serial number 99531130398080906956431024054682268320080613660
	{
	"CN": "Test-Intermediate CA",
	"key": {
	"algo": "ecdsa",
	"size": 256
	},
	"names": [
	{ "C": "DE", "L": "Koenigswinter", "O": "aschmidt75", "OU": "Tesing Dptd" }
	],
	"ca": {
	"expiry": "1000h"
	}
	}
	{
	"CN": "Test-CA",
	"key": {
	"algo": "ecdsa",
	"size": 256
	},
	"names": [
	{ "C": "DE", "L": "Koenigswinter", "O": "aschmidt75", "OU": "Tesing Dptd" }
	],
	"ca": {
	"expiry": "262800h"
	}
	}
	{
	"cn": "192.168.143.10",
	"key": {
	"algo": "ecdsa",
	"size": 256
	},
	"names": [
	{ "C": "DE", "L": "Koenigswinter", "O": "aschmidt75", "OU": "Tesing Dptd" }
	],
	"Hosts": ["192.168.143.10"]
	}
	{
	"signing": {
	"profiles": {
	"CA": {
	"usages": [ "cert sign" ],
	"expiry": "1000h"
	}
	},
	"default": {
	"usages": [ "digital signature" ],
	"expiry": "500h"
	}
	}
	}
	{
	"signing": {
	"default": {
	"usages": [ "digital signature", "cert sign", "crl sign", "signing" ],
	"expiry": "262800h",
	"ca_constraint": { "is_ca": true, "max_path_len": 0, "max_path_len_zero": true }
	}
	}
	}