使用CloudFlare CFSSL 构建私有CA证书管理

1. 安装 Go（示例Ubuntu 20.04）

sudo apt update

sudo apt install build-essential

go get -u github.com/cloudflare/cfssl/cmd/...

（$ ls ~/go/bin/

cfssl cfssl-bundle cfssl-certinfo cfssljson cfssl-newkey cfssl-scan mkbundle multirootca）

2. 编辑使用CA

mkdir ~/cfssl

cd ~/cfssl

cfssl print-defaults config > ca-config.json

cfssl print-defaults csr > ca-csr.json

编译CA：$ vim ca-csr.json

{

"CN": "lx(Cloud Centers of Excellence) CA",

"key": {

"algo": "rsa",

"size": 2048

"names": [

{

"C": "CN",

"ST": "GuangDong Province",

"L": "ShenZhen",

"O": "lx",

"OU": "IT"

}

]

}

$ vim ca-config.json

{

"signing": {

"default": {

"expiry": "8760h"

"profiles": {

"intermediate_ca": {

"usages": [

"signing",

"digital signature",

"key encipherment",

"cert sign",

"crl sign",

"server auth",

"client auth"

"expiry": "8760h",

"ca_constraint": {

"is_ca": true,

"max_path_len": 0,

"max_path_len_zero": true

}

"peer": {

"usages": [

"signing",

"digital signature",

"key encipherment",

"client auth",

"server auth"

"expiry": "8760h"

"server": {

"usages": [

"signing",

"digital signing",

"key encipherment",

"server auth"

"expiry": "8760h"

"client": {

"usages": [

"signing",

"digital signature",

"key encipherment",

"client auth"

"expiry": "8760h"

}

生成CA：$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

创建生成中间CA：

$ mkdir ~/cfssl/intermediate && cd ~/cfssl/intermediate

$ nano intermediate.json

{

"CN": "lx（Cloud Centers Of Excellence) Servers Intermediate CA",

"key": {

"algo": "rsa",

"size": 2048

"names": [

{

"C": "CN",

"L": "ShenZhen",

"O": "lx Servers",

"OU": "Servers Intermediate CA",

"ST": "GuangDong Province"

}

"ca": {

"expiry": "42720h"

}

创建中间公钥和私钥以及中间签名请求：

$ cfssl gencert -initca intermediate.json | cfssljson -bare intermediate_ca

$ cfssl sign -ca ~/cfssl/ca.pem \

-ca-key ~/cfssl/ca-key.pem \

-config ~/cfssl/ca-config.json \

-profile intermediate_ca intermediate_ca.csr | cfssljson -bare intermediate_ca

3. 证书范例

$ nano geekscsr.json

{

"CN": "ccoe.lx.com",

"key": {

"algo": "rsa",

"size": 2048

"names": [

{

"C": "CN",

"L": "ShenZhen",

"O": "lx",

"OU": "IT",

"ST": "GuangDong Province"

}

"hosts": [

"server1.computingexample.com",

"localhost"

]

}

生成证书文件：$ cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config ~/cfssl/ca-config.json -profile=server geekscsr.json | cfssljson -bare web-server1

cfssl gencert -ca ../intermediate/intermediate_ca.pem -ca-key ../intermediate/intermediate_ca-key.pem -config ~/cfssl/ca-config.json -profile=server lxreg.json | cfssljson -bare lxreg

捆绑证书：go get -u github.com/cloudflare/cfssl/cmd/mkbundle
（多个中间证书：mkbundle -f bundle.crt intermediates）

（确保CA 公钥 (ca.pem) 和中间公钥位于同一目录中）

$ cp ~/cfssl/ca.pem ~/cfssl/intermediate

$ cd ~/cfssl

$ mkbundle -f web-server1.crt intermediate

cd ~/cfssl/

sudo cp web-server1.crt /etc/ssl/certs/

cd ~/cfssl/intermediate

sudo cp web-server1-key.pem web-server1.pem /etc/ssl/certs/

测试证书：sudo apt install apache2

sudo a2enmod ssl

4. 使用 ssl 证书配置服务器

$ sudo vim /etc/apache2/sites-enabled/server1_computingexample_com.conf

ServerAdmin webmaster@localhost

ServerName ccoe.lx.com

DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on

## HERE ARE OUR GENERATED CERTS!!

SSLCertificateFile /etc/ssl/certs/web-server1.pem

SSLCertificateKeyFile /etc/ssl/certs/web-server1-key.pem

SSLCertificateChainFile /etc/ssl/certs/web-server1.crt

SSLOptions +StdEnvVars

</FilesMatch>

SSLOptions +StdEnvVars

</Directory>

</VirtualHost>

</IfModule>

在 DocumentRoot /var/www/html/ 中添加示例 index.html 文件

cd /var/www/html/

sudo vim index.html

<!DOCTYPE html>

<head>

<style>

h1 {text-align: center;}

p {text-align: center;}

div {text-align: center;}

</style>

</head>

<body>

<div id="app"><h2>Our Test Page has Loaded</h2></div>

</body>

</html>

重启Apache：sudo systemctl restart apache2

访问网址 descript

加入系统验证证书

descript