User:Jbond/cfssl

From Wikitech

Generate Root CA

First, create a JSON CSR file describing the CA details:

{
   "names" : [
      {
         "ST" : "California",
         "C" : "US",
         "O" : "Wikimedia Foundation, Inc",
         "OU" : "Technology",
         "L" : "San Francisco"
      }
   ],
   "CN" : "Wikimedia ROOT CA",
   "ca" : {
      "expiry" : "43800h"
   },
   "key" : {
      "size" : 521,
      "algo" : "ecdsa"
   }
}

Then run the following:

/usr/bin/cfssl gencert -initca  | cfssljson -bare
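
An added example (not from the original page or the cfssl project) that lints a CSR JSON file before it is handed to `cfssl gencert -initca`, catching subject keys that would be dropped without an error, such as a state spelled `S` rather than `ST`. The accepted key names, key sizes and the h/m/s-only duration parser are assumptions to check against the installed cfssl version; `lint_csr` and `expiry_days` are hypothetical helper names.

```python
import json
import re

# Assumption: subject keys cfssl reads from a "names" entry (matched without
# regard to case). Unknown keys are dropped silently, so a typo loses the field.
NAME_KEYS = {"c", "st", "l", "o", "ou", "serialnumber"}
ECDSA_SIZES = {256, 384, 521}  # assumption: curve sizes cfssl accepts
UNITS = {"h": 3600, "m": 60, "s": 1}


def expiry_days(value):
    """Convert a Go-style duration such as '43800h' to days (h/m/s units only)."""
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unparseable expiry: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts) / 86400


def lint_csr(text):
    """Return a list of findings for a cfssl CA CSR document."""
    csr, findings = json.loads(text), []
    for i, name in enumerate(csr.get("names", [])):
        for key in sorted(k for k in name if k.lower() not in NAME_KEYS):
            findings.append(f"names[{i}]: unknown key {key!r} would be ignored")
    if not csr.get("CN"):
        findings.append("CN is missing")
    key = csr.get("key", {})
    algo, size = key.get("algo"), key.get("size")
    if algo == "ecdsa" and size not in ECDSA_SIZES:
        findings.append(f"key: ecdsa size {size} not in {sorted(ECDSA_SIZES)}")
    elif algo == "rsa" and not (isinstance(size, int) and 2048 <= size <= 8192):
        findings.append(f"key: rsa size {size} outside 2048..8192")
    elif algo not in ("ecdsa", "rsa"):
        findings.append(f"key: algo {algo!r} not covered by this check")
    try:
        expiry_days(csr["ca"]["expiry"])
    except (KeyError, ValueError) as exc:
        findings.append(f"ca.expiry missing or unparseable: {exc}")
    return findings


# Constructed sample: a CSR that uses "S" instead of "ST" for the state.
SAMPLE = """{"names": [{"S": "California", "C": "US", "L": "San Francisco"}],
 "CN": "Example ROOT CA", "ca": {"expiry": "43800h"},
 "key": {"size": 521, "algo": "ecdsa"}}"""

if __name__ == "__main__":
    for finding in lint_csr(SAMPLE):
        print(finding)
```
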

Puppet Bootstrap

The Puppet profile requires the content of the Puppet public/private key for Puppet to compile successfully. Ideally, you want to create the root certificate with the correct DB config so that the OCSP responder works as is; however, this config is itself configured via the same profile. As such, it is best to generate the root CAs manually and then insert them into the database with [script to follow] so that the OCSP responder tools all work.