The CFSSL Certificate Manager integrated with Lemur

https://www.youcl.com/info/3548

In the earlier article on the Lemur certificate manager we did not use any third-party root certificate authority (CA) for client certificates. This tutorial therefore sets up CFSSL (CloudFlare's SSL PKI toolkit) and integrates it with the Lemur PKI project. At present there is no documentation that helps users set up CFSSL integrated with Lemur.

Note: because we use CFSSL as the third-party root authority, it should first be set up on a separate machine (here, for simplicity, we set it up on the same box as Lemur); afterwards the Lemur configuration file is changed so that certificates are signed by CFSSL.

Installing CFSSL

CloudFlare SSL is written in the Go programming language, so the go package must be installed on the machine. The following commands install the required packages.

1. Install Go

Download the Go binary archive.

wget https://dl.google.com/go/go1.10.1.linux-amd64.tar.gz

Extract the downloaded archive and move it to the desired location on your system. We install it in the /usr/local directory; you can place it anywhere you prefer.

tar -xzvf go1.10.1.linux-amd64.tar.gz
mv go /usr/local

After installing the Go package you also need to set the environment variables for the Go binaries (add them to your user profile to make the settings permanent). Usually three variables are needed: GOROOT, GOPATH and PATH.

GOROOT is the location of the Go installation on your system.

 export GOROOT=/usr/local/go

GOPATH is the location of your working directory.

export GOPATH=$HOME/go

Now add the Go binary directories to PATH so the binaries are accessible from any shell.

export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

2. Test Go command

Now enter the go command in the terminal. It prints its usage text, as in the output below.

go

3. Install CFSSL

We install CFSSL on the Ubuntu platform. Once the required Go environment variables are set correctly, the CFSSL installation is straightforward.

a. The following command downloads the cfssl utility and builds it into $GOPATH/bin/.

go get -u github.com/cloudflare/cfssl/cmd/cfssl

b. The following command installs the cfssljson utility. It is needed because CFSSL exchanges requests and responses as JSON, and cfssljson splits those responses into certificate, key and CSR files.

go get -u github.com/cloudflare/cfssl/cmd/cfssljson

c. Alternatively, the command below installs all CFSSL programs at once. It downloads, builds and installs every utility (cfssl, cfssljson, mkbundle, etc.) into the $GOPATH/bin/ directory.

go get -u github.com/cloudflare/cfssl/cmd/...

Run the cfssl command in the terminal as shown below; it lists all the operations the CFSSL PKI supports.

Setting up the PKI with CFSSL

Now use the cfssl application to set up a PKI for the Lemur project. Two configuration files are central to a CFSSL setup: the CSR configuration and the signing configuration. The CSR configuration file describes the key pair and subject you want to create, and the signing configuration sets the rules under which certificates are signed.

Creating the root CA

For a root CA, use the following CSR configuration file (which we will call csr_ROOT_CA.json):

  • csr_ROOT_CA.json
{
  "CN": "MY-ROOT-CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "UK",
      "L": "London",
      "O": "My Organisation",
      "OU": "My Organisational Unit Inside My Organisation"
    }
  ],
  "ca": {
    "expiry": "262800h"
  }
}

A brief description of the different fields follows.

  • The configuration file follows the X.509 naming scheme, so the following fields are required:
    • CN (Common Name): the name of the entity. For a root CA it is the root CA's name;
    • C (Country)
    • L (Locality)
    • O (Organisation)
    • OU (Organisational Unit)
  • Several further fields are specific to CFSSL:
    • key: defines the key characteristics:
      • algo: specifies the algorithm, 'rsa' or 'ecdsa' for RSA or ECDSA respectively. ECDSA is recommended today whenever legacy devices are not a concern, but that only holds for devices less than two or three years old; otherwise RSA should be used.
      • size: specifies the key size. ECDSA keys should use 256. For RSA keys the recommended values are 2048 or 4096.
    • ca: defines the CA characteristics, in this case the certificate validity, expressed in hours. Here it is 30 years (24 × 365 × 30 hours), because a root CA should last as long as you expect the root key to remain secure.

Now run the following command to actually create the root CA for Lemur.

cfssl gencert -initca csr_ROOT_CA.json | cfssljson -bare root_ca

The command above creates the following files on the machine.

  • root_ca.csr: the root CA certificate signing request. It is meaningless for a root CA, which is self-signed, so it is never used.
  • root_ca.pem: the root CA certificate. This is the file you distribute as widely as possible.
  • root_ca-key.pem: the root CA private key (cfssljson -bare names it this way, as the sign and serve commands below expect). Keep this file safe as if your life depended on it; for a public root CA that is effectively true.

The root CA is self-signed, so proceed to the next step to generate an intermediate CA.

Intermediate CA

Generating an intermediate CA is not mandatory, but it is best practice. The purpose of an intermediate CA is an extra layer of security: normally the root CA key is kept on an offline machine and used only when an intermediate CA certificate needs to be signed.

The configuration file csr_INTERMEDIATE_CA.json is required to create the intermediate CA.

  • csr_INTERMEDIATE_CA.json: certificate signing request for the intermediate CA
{
  "CN": "My-Intermediate-CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "UK",
      "L": "London",
      "O": "My Organisation",
      "OU": "My Organisational Unit Inside My Organisation"
    }
  ],
  "ca": {
    "expiry": "42720h"
  }
}

The file root_to_intermediate_ca.json contains the root CA's signing configuration.

{
  "signing": {
    "default": {
      "usages": ["digital signature", "cert sign", "crl sign", "signing"],
      "expiry": "262800h",
      "ca_constraint": {
        "is_ca": true,
        "max_path_len": 0,
        "max_path_len_zero": true
      }
    }
  }
}

This file contains the most relevant parameters of the certificate.

  • usages: which usages the signed certificate is allowed to perform. The options CFSSL supports include:
    • "digital signature",
    • "cert sign",
    • "crl sign",
    • "signing"
    • and others
  • is_ca: this field is used only when generating intermediate CA certificates; it allows the generated certificate to sign other certificates. If this field is left on an end-entity certificate, most common browsers and operating systems will reject that certificate.
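The two file types described above (the CSR configuration with its CN, names, key and ca blocks, and the signing configuration with usages and ca_constraint) are easy to get subtly wrong, for example by leaving is_ca on a leaf profile or choosing a key size outside the guidance above. The following checker is an added example, not part of the article or of CFSSL; it applies exactly the rules the article states (ecdsa/256 or rsa/2048 or 4096, X.509 subject fields present, hour-based expiries, is_ca only on CA profiles). The inline ROOT_CSR, ROOT_TO_INTERMEDIATE and BAD_LEAF_PROFILE dictionaries are constructed samples that follow the shapes shown above, so the script runs without any files on disk; load_json reads real files when you have them.

```python
import json
import re

HOURS_PER_YEAR = 24 * 365  # the article's 262800h root expiry is 30 of these

# Constructed samples in the shapes the article shows (not the project's files).
ROOT_CSR = {
    "CN": "MY-ROOT-CA",
    "key": {"algo": "ecdsa", "size": 256},
    "names": [{"C": "UK", "L": "London", "O": "My Organisation",
               "OU": "My Organisational Unit Inside My Organisation"}],
    "ca": {"expiry": "262800h"},
}
ROOT_TO_INTERMEDIATE = {
    "signing": {"default": {
        "usages": ["digital signature", "cert sign", "crl sign", "signing"],
        "expiry": "262800h",
        "ca_constraint": {"is_ca": True, "max_path_len": 0, "max_path_len_zero": True},
    }}
}
# A constructed leaf profile that wrongly keeps is_ca, the mistake the article warns about.
BAD_LEAF_PROFILE = {
    "usages": ["digital signature", "key encipherment", "server auth"],
    "expiry": "8760h",
    "ca_constraint": {"is_ca": True},
}


def load_json(path):
    """Read a CSR or signing configuration file from disk."""
    with open(path) as fh:
        return json.load(fh)


def expiry_hours(expiry):
    """Parse a CFSSL expiry such as '262800h'; only the hour form used in the article is accepted."""
    m = re.fullmatch(r"(\d+)h", str(expiry).strip())
    if not m:
        raise ValueError(f"unsupported expiry: {expiry!r}")
    return int(m.group(1))


def expiry_years(expiry):
    return expiry_hours(expiry) / HOURS_PER_YEAR


def check_key(key):
    """Apply the article's key guidance: ecdsa/256, or rsa with 2048 or 4096 bits."""
    algo, size = key.get("algo"), key.get("size")
    if algo == "ecdsa":
        return [] if size == 256 else [f"ecdsa size {size}: the article recommends 256"]
    if algo == "rsa":
        return [] if size in (2048, 4096) else [f"rsa size {size}: use 2048 or 4096"]
    return [f"unknown key algorithm {algo!r}"]


def check_csr(csr, expect_ca):
    """Check subject fields, key parameters and the presence/format of the ca block."""
    problems = []
    if not csr.get("CN"):
        problems.append("CN is missing")
    for entry in csr.get("names", []):
        problems += [f"subject field {f} is missing" for f in ("C", "L", "O", "OU") if f not in entry]
    problems += check_key(csr.get("key", {}))
    has_ca = "ca" in csr
    if expect_ca and not has_ca:
        problems.append("CA CSR has no 'ca' block with an expiry")
    if has_ca and not expect_ca:
        problems.append("end-entity CSR carries a 'ca' block")
    if has_ca:
        try:
            expiry_hours(csr["ca"].get("expiry", ""))
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def check_signing_profile(profile, ca_profile):
    """A CA profile needs 'cert sign' and is_ca; a leaf profile must never claim is_ca."""
    problems = []
    usages = set(profile.get("usages", []))
    is_ca = bool(profile.get("ca_constraint", {}).get("is_ca", False))
    try:
        expiry_hours(profile.get("expiry", ""))
    except ValueError as exc:
        problems.append(str(exc))
    if ca_profile:
        if "cert sign" not in usages:
            problems.append("CA profile lacks the 'cert sign' usage")
        if not is_ca:
            problems.append("CA profile does not set ca_constraint.is_ca")
    elif is_ca:
        problems.append("end-entity profile sets is_ca; browsers and operating systems reject such leaf certificates")
    return problems


if __name__ == "__main__":
    print("root validity in years:", expiry_years(ROOT_CSR["ca"]["expiry"]))
    print("root CSR problems:", check_csr(ROOT_CSR, expect_ca=True))
    print("root->intermediate profile problems:",
          check_signing_profile(ROOT_TO_INTERMEDIATE["signing"]["default"], ca_profile=True))
    print("bad leaf profile problems:", check_signing_profile(BAD_LEAF_PROFILE, ca_profile=False))
```

Run it against your own files with load_json("csr_ROOT_CA.json") and load_json("root_to_intermediate_ca.json")["signing"]["default"]; a clean configuration yields empty problem lists.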

The following command creates the intermediate CA from the configuration above.

cfssl gencert -initca csr_INTERMEDIATE_CA.json | cfssljson -bare intermediate_ca

The command above creates the following intermediate CA files.

  • intermediate_ca.csr: the intermediate CA certificate signing request.
  • intermediate_ca.pem: the intermediate CA certificate, not yet signed by anyone and therefore useless.
  • intermediate_ca-key.pem: the intermediate CA private key. Keep this file safe.

The following command has the root CA sign the intermediate CA certificate.

cfssl sign -ca root_ca.pem -ca-key root_ca-key.pem -config root_to_intermediate_ca.json intermediate_ca.csr | cfssljson -bare intermediate_ca

The command above signs the intermediate CA and overwrites intermediate_ca.pem with the signed certificate. The root and intermediate CA setup is now complete. Keeping the root CA key and the configuration files secure is very important. The next step is to create certificates for client devices or customers; here we integrate the CFSSL setup with the Lemur project and generate client certificates through it.

Running the CFSSL PKI

To run the CFSSL-based PKI, change into the certs directory and run the following command.

cfssl serve -address 192.168.10.151 -ca root_ca.pem -ca-key root_ca-key.pem -port 8888

The output of the command looks like this.

root@test-vm:/home/john/Desktop/certs# cfssl serve -address 192.168.10.151 -ca root_ca.pem -ca-key root_ca-key.pem -port 8888
2018/05/20 16:35:18 [INFO] Initializing signer
2018/05/20 16:35:19 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2018/05/20 16:35:19 [INFO] endpoint '/' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
2018/05/20 16:35:19 [INFO] bundler API ready
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2018/05/20 16:35:19 [INFO] setting up key / CSR generator
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'authsign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2018/05/20 16:35:19 [INFO] Handler set up complete.
2018/05/20 16:35:19 [INFO] Now listening on 192.168.10.151:8888

The machine's IP address is 192.168.10.151 and the port is 8888. Allow this port through the firewall so that CFSSL can be reached.

Note: the following is only the usage summary of the cfssl serve command.

cfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \
    [-ca-key key] [-int-bundle bundle] [-int-dir dir] [-port port] \
    [-metadata file] [-remote remote_host] [-config config] \
    [-responder cert] [-responder-key key] [-db-config db-config]
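The startup log above is worth reading as a checklist of what this CFSSL instance can and cannot do: 'revoke' and 'crl' are off because no -db-config was given, 'ocspsign' is off because no responder certificate was given, and 'authsign' is off because no signing policy with an authentication key was configured, while the plain 'sign' and 'newcert' endpoints are on. The following parser is an added example, not part of the article or of CFSSL; it extracts that endpoint state from the log and turns it into findings a reviewer would record before exposing the port. SAMPLE_STARTUP_LOG is a constructed excerpt in the format of the output shown above.

```python
import re

# Constructed excerpt in the format of the article's `cfssl serve` startup output.
SAMPLE_STARTUP_LOG = """\
2018/05/20 16:35:18 [INFO] Initializing signer
2018/05/20 16:35:19 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2018/05/20 16:35:19 [INFO] endpoint '/' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2018/05/20 16:35:19 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'authsign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2018/05/20 16:35:19 [INFO] Now listening on 192.168.10.151:8888
"""

# Enabled endpoints are logged by URL path, disabled ones by bare name.
ENDPOINT_RE = re.compile(
    r"^\S+ \S+ \[(?:INFO|WARNING)\] endpoint '(?P<name>[^']+)' is "
    r"(?P<state>enabled|disabled)(?:: (?P<reason>.*))?$"
)
LISTEN_RE = re.compile(r"Now listening on (?P<addr>\S+)$")


def endpoint_name(raw):
    """Normalise '/api/v1/cfssl/sign' and 'sign' to the same key; '/' becomes 'root'."""
    if raw == "/":
        return "root"
    return raw.rstrip("/").rsplit("/", 1)[-1]


def parse_startup_log(text):
    """Return {'endpoints': {name: (state, reason)}, 'listen': 'host:port' or None}."""
    endpoints, listen = {}, None
    for line in text.splitlines():
        m = ENDPOINT_RE.match(line)
        if m:
            endpoints[endpoint_name(m["name"])] = (m["state"], m["reason"])
            continue
        m = LISTEN_RE.search(line)
        if m:
            listen = m["addr"]
    return {"endpoints": endpoints, "listen": listen}


def assess(parsed):
    """Findings for a deployment review, derived only from the endpoint states."""
    ep = parsed["endpoints"]

    def state(name):
        return ep.get(name, ("absent", None))[0]

    return {
        "listen": parsed["listen"],
        # With authsign off, sign/newcert accept requests that carry no HMAC token,
        # so network reachability of the port is the only access control.
        "unauthenticated_signing": state("sign") == "enabled" and state("authsign") != "enabled",
        # Without -db-config there is no record of issued certificates and no way to revoke them.
        "revocation_and_crl": state("revoke") == "enabled" and state("crl") == "enabled",
        "ocsp": state("ocspsign") == "enabled",
        "disabled": sorted(n for n, (s, _) in ep.items() if s == "disabled"),
    }


if __name__ == "__main__":
    for key, value in assess(parse_startup_log(SAMPLE_STARTUP_LOG)).items():
        print(f"{key}: {value}")
```

Feed it the real output with parse_startup_log(open("cfssl-serve.log").read()); for the setup in this article the findings are unauthenticated_signing True and revocation_and_crl False, which is the state to keep in mind when deciding which networks may reach port 8888.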

CFSSL is now configured and running on the machine. The next step is to integrate CFSSL with Lemur.

Lemur configuration for the CFSSL PKI

Now modify Lemur's configuration file lemur.conf.py so that it contains the CFSSL information: the CFSSL URL and the root and intermediate certificates. The path of the Lemur configuration file is /home/lemur/.lemur/lemur.conf.py.

CFSSL_URL ="http://192.168.10.151:8888"
CFSSL_ROOT ="""-----BEGIN CERTIFICATE-----
MIICcjCCAhegAwIBAgIUahfYPc4RpK92G1ZHhu3q9URvf+8wCgYIKoZIzj0EAwIw
9UmEM4IEd2j8/w4WdTYaBE5EzwIhAN3oW9iAmjcyzC/7BPIY/Sr+twig/+XwnQ8T
hKXP2OHd
-----END CERTIFICATE-----"""
CFSSL_INTERMEDIATE ="""-----BEGIN CERTIFICATE-----
MIICfDCCAiKgAwIBAgIUEeb8Duel8wySG61vCM2UEUD15XQwCgYIKoZIzj0EAwIw
qM9lE82tku/b6SMxAlBByQ==
-----END CERTIFICATE-----"""

Now run the lemur start command so that Lemur uses lemur.conf.py with the CFSSL settings.

Creating certificates with CFSSL

As in our previous Lemur article, visit the dashboard to create a client certificate using the CFSSL root CA. First, create a new certificate authority and select the CFSSL plugin as its root CA.
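Pasting the two PEM blocks into lemur.conf.py by hand is where this step usually goes wrong: a stray blank line, a bundle instead of a single certificate, or the key file instead of the certificate. The following script is an added example, not part of the article or of the Lemur project; it reads root_ca.pem and intermediate_ca.pem, checks that each holds exactly one well-formed certificate block using the standard library's ssl.PEM_cert_to_DER_cert, and renders the CFSSL_URL, CFSSL_ROOT and CFSSL_INTERMEDIATE settings in the layout shown above. SAMPLE_ROOT_PEM and SAMPLE_INTERMEDIATE_PEM are constructed placeholders (base64 of a marker string, not real certificates) so the example runs without the files on disk; the uses_tls helper is an assumption of this example, not a Lemur setting.

```python
import base64
import ssl
from urllib.parse import urlparse

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def _constructed_pem(label):
    """Constructed stand-in: base64 of a marker string, NOT a real certificate."""
    body = base64.encodebytes(f"constructed {label} placeholder".encode()).decode()
    return f"{PEM_HEADER}\n{body}{PEM_FOOTER}\n"


SAMPLE_ROOT_PEM = _constructed_pem("root")
SAMPLE_INTERMEDIATE_PEM = _constructed_pem("intermediate")


def normalise_single_cert(pem_text):
    """Accept exactly one PEM certificate block (not a bundle, not a key) and return it trimmed."""
    text = pem_text.strip()
    if text.count(PEM_HEADER) != 1 or text.count(PEM_FOOTER) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    ssl.PEM_cert_to_DER_cert(text)  # raises ValueError on a malformed header/footer/body
    return text


def uses_tls(url):
    """The article's CFSSL_URL is plain http; CSRs and issued certificates then
    cross the network unprotected, so the scheme is worth recording."""
    return urlparse(url).scheme == "https"


def render_lemur_cfssl_settings(url, root_pem, intermediate_pem):
    """Produce the CFSSL_* lines for lemur.conf.py in the layout the article shows."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"CFSSL_URL must be an http(s) URL, got {url!r}")
    root = normalise_single_cert(root_pem)
    inter = normalise_single_cert(intermediate_pem)
    return (
        f'CFSSL_URL = "{url}"\n'
        f'CFSSL_ROOT = """{root}"""\n'
        f'CFSSL_INTERMEDIATE = """{inter}"""\n'
    )


def settings_from_files(url, root_path, intermediate_path):
    """Same as above but reading root_ca.pem / intermediate_ca.pem from disk."""
    with open(root_path) as r, open(intermediate_path) as i:
        return render_lemur_cfssl_settings(url, r.read(), i.read())


def load_fragment(text):
    """Execute the rendered lines as Python (lemur.conf.py is Python) and return the CFSSL_* values."""
    namespace = {}
    exec(compile(text, "<lemur.conf.py fragment>", "exec"), namespace)
    return {k: v for k, v in namespace.items() if k.startswith("CFSSL_")}


if __name__ == "__main__":
    fragment = render_lemur_cfssl_settings("http://192.168.10.151:8888",
                                           SAMPLE_ROOT_PEM, SAMPLE_INTERMEDIATE_PEM)
    print(fragment)
    print("CFSSL_URL uses TLS:", uses_tls(load_fragment(fragment)["CFSSL_URL"]))
```

With the real files, settings_from_files("http://192.168.10.151:8888", "root_ca.pem", "intermediate_ca.pem") returns text you can append to /home/lemur/.lemur/lemur.conf.py; passing a bundle or a -key.pem file raises ValueError instead of producing a configuration Lemur would reject later.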

1. Set the parameters of the new authority.

2. Select the newly configured CFSSL plugin as the root CA.

After the new certificate authority has been set up in Lemur, the next step is to create a new certificate with the CFSSL plugin.

Origin www.cnblogs.com/sandshell/p/12014957.html