PKI/Debugging
Generating certs locally
Sometimes its usefull to generate a certificate manually outside of puppet, this should be avoided however if it is needed there is a script. please not the script is far from production ready and should only be used for testing/debugging.
To use the script you will need to create a json csr e.g.
{
"CN": "client.example.org",
"hosts": [
"client.example.org"
],
"key": {
"algo": "ecdsa",
"size": 521
},
"names": []
}
and then run the script against the file
$ sudo ~jbond/cfssl/sign.sh ~jbond/cfssl/client.example.org.csr
Generting new certificate
2023/04/12 11:37:50 [INFO] generate received request
2023/04/12 11:37:50 [INFO] received CSR
2023/04/12 11:37:50 [INFO] generating key: ecdsa-256
2023/04/12 11:37:50 [INFO] encoded CSR
2023/04/12 11:37:50 [INFO] Using client auth with mutual-tls-cert: /var/lib/puppet/ssl/certs/cumin1001.eqiad.wmnet.pem and mutual-tls-key: /var/lib/puppet/ssl/private_keys/cumin1001.eqiad.wmnet.pem
2023/04/12 11:37:50 [INFO] Using trusted CA from tls-remote-ca: /var/lib/puppet/ssl/certs/ca.pem
certificates are available in /home/ayounsi/cfssl/outdir/client.example.org
$ sudo ls -la /home/jbond/cfssl/outdir/client.example.org
total 20
drw------- 2 root root 4096 Apr 12 11:37 .
drwxr-xr-x 4 root root 4096 Apr 12 11:37 ..
-rw------- 1 root root 452 Apr 12 11:38 client.example.org.csr
-rw------- 1 root root 227 Apr 12 11:37 client.example.org-key.pem
-rw------- 1 root root 1107 Apr 12 11:38 client.example.org.pem
If the certificate file already exists then the script will check the expiry and if its due to expire resign
Create a local CA
The following documents how you can create a local ca and start creating certificates for testing with cfssl.
first of we need to create a CA for so we need to create a ca.json file describing the ca csr e.g.
{
"CN": "example_ca",
"hosts": [
"example_ca"
],
"key": {
"algo": "ecdsa",
"size": 521
},
"names": []
}
Then generate the CA pem files
$ cfssl gencert -initca ca.json | cfssljson -bare ca
2022/12/13 17:00:07 [INFO] generating a new CA key and certificate from CSR
2022/12/13 17:00:07 [INFO] generate received request
2022/12/13 17:00:07 [INFO] received CSR
2022/12/13 17:00:07 [INFO] generating key: ecdsa-521
2022/12/13 17:00:07 [INFO] encoded CSR
2022/12/13 17:00:07 [INFO] signed certificate with serial number 148316615946698894478228238454444079242258482333
This file creates the ca.pem and ca-key.pem files we will use to sign the certs below, but before that we need to create a basic config that will by default create a client mTLS certificate but also has a server profile for the server end
{
"auth_keys": {},
"signing": {
"default": {
"usages": [
"signing",
"key encipherment",
"client auth"
],
"expiry": "672h"
},
"profiles": {
"server": {
"expiry": "672h",
"usages": [
"digital signature",
"key encipherment",
"server auth"
]
}
}
}
}
We also create the server.json and client.json csr json files
{
"CN": "client.example.org",
"hosts": [
"client.example.org"
],
"key": {
"algo": "ecdsa",
"size": 521
},
"names": []
}
{
"CN": "server.example.org",
"hosts": [
"server.example.org"
],
"key": {
"algo": "ecdsa",
"size": 521
},
"names": []
}
and we uses theses files to create the necessary certificates
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json client.json | cfssljson -bare client
2022/12/13 17:03:58 [INFO] generate received request
2022/12/13 17:03:58 [INFO] received CSR
2022/12/13 17:03:58 [INFO] generating key: ecdsa-521
2022/12/13 17:03:58 [INFO] encoded CSR
2022/12/13 17:03:58 [INFO] signed certificate with serial number 289403862863531179502632004600427887401919831808
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=server server.json | cfssljson -bare server
2022/12/13 17:03:31 [INFO] generate received request
2022/12/13 17:03:31 [INFO] received CSR
2022/12/13 17:03:31 [INFO] generating key: ecdsa-521
2022/12/13 17:03:31 [INFO] encoded CSR
2022/12/13 17:03:31 [INFO] signed certificate with serial number 117612018245647437513655227146842214832319987239
Finally we can validate theses certificates with openssl x509 -in cert.pem -noout -text