Cfssl Cheatsheet
Generate new Server Certificates
-
Generate CSR, certificate and private key for fqdn:
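# Assign fqdn on its own line. As a `var=value cmd` prefix the assignment only
# goes into cfssl's environment and does NOT affect the ${fqdn} expansions on
# the same command line, so the original ran with an empty fqdn
# (certificates/.json, certificates/).
fqdn=host.domain.tld
# Issue a server certificate from the intermediate CA with the "server"
# profile of config.json; cfssljson -bare writes the certificates/${fqdn}.pem
# and certificates/${fqdn}-key.pem files used by the chain/PKCS#12 steps.
cfssl gencert -ca intermediate/intermediate_ca.pem \
  -ca-key intermediate/intermediate_ca-key.pem \
  -config config.json \
  -profile server \
  "certificates/${fqdn}.json" \
  | cfssljson -bare "certificates/${fqdn}"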
-
Generate chain
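# Build the chain file (leaf certificate first, then the issuing
# intermediate). Abort if fqdn is unset instead of silently creating
# certificates/-full.pem from a non-existent certificates/.pem.
: "${fqdn:?set fqdn before building the chain}"
cat -- "certificates/${fqdn}.pem" intermediate/intermediate_ca.pem \
  > "certificates/${fqdn}-full.pem"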
-
Generate PKCS#12
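# Bundle the leaf certificate, its private key and the chain into a PKCS#12
# file. openssl prompts for an export password; the same password is needed
# as -srcstorepass when the bundle is imported into a Java keystore.
# NOTE(review): brank.pem is used as the -CAfile that -chain resolves the
# issuer path from — confirm it is the intended bundle (intermediate + root).
openssl pkcs12 -export \
  -in "certificates/${fqdn}.pem" \
  -inkey "certificates/${fqdn}-key.pem" \
  -out "certificates/${fqdn}.p12" \
  -name "${fqdn}" \
  -CAfile brank.pem \
  -chain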
-
Convert to Java Keystore
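# Import the PKCS#12 bundle into a JKS keystore. The entry alias inside the
# .p12 is the value passed to openssl's -name (the fqdn), so the literal
# alias "fqdn" never matched an entry; use the variable instead.
# -srcstorepass must equal the export password typed at the openssl step.
# Passwords given as arguments show up in `ps` output and shell history;
# keytool also accepts them via -srcstorepass:env VAR / -deststorepass:env VAR.
keytool -importkeystore \
  -deststorepass changeit \
  -destkeypass changeit \
  -destkeystore foo.keystore \
  -srckeystore "certificates/${fqdn}.p12" \
  -srcstoretype PKCS12 \
  -srcstorepass password \
  -alias "${fqdn}"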
-
Cleaning up
# Drop the helper variable so a later copy-paste cannot reuse a stale host.
unset -v fqdn
Renew expired intermediate CA certificate
- New CSR
# Create a fresh CSR for the intermediate CA from its existing key and CSR
# definition; cfssljson -bare writes intermediate/intermediate_ca.csr, which
# the signing step consumes. This reuses the current private key — if that
# key may have been exposed, generate a new key pair instead of renewing.
cfssl gencsr \
  -key intermediate/intermediate_ca-key.pem \
  intermediate/intermediate-ca.json \
  | cfssljson -bare intermediate/intermediate_ca
- Sign CSR
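# Sign the renewed intermediate CSR with the root CA. The result goes into a
# fresh private directory instead of the fixed, predictable /tmp/intermediate_ca
# name (which another local user could pre-create or swap). The path is
# printed so the certificate can be inspected and then, presumably, copied
# over intermediate/intermediate_ca.pem before the chain is rebuilt.
out_dir=$(mktemp -d) || exit 1
cfssl sign -ca root/ca.pem \
  -ca-key root/ca-key.pem \
  -config config.json \
  -profile intermediate_ca \
  intermediate/intermediate_ca.csr \
  | cfssljson -bare "${out_dir}/intermediate_ca"
printf 'renewed intermediate CA written under %s\n' "${out_dir}"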
- Recreate chain
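# Assign fqdn on its own line. As a `var=value cmd` prefix it would only be
# placed in cat's environment and the ${fqdn} expansions on the same line
# would be empty, writing the chain to certificates/-full.pem.
fqdn=relayd.rand.clacks.xyz
# Rebuild the chain against intermediate/intermediate_ca.pem.
# NOTE(review): assumes the renewed intermediate certificate has already been
# moved into intermediate/intermediate_ca.pem — confirm before running.
cat -- "certificates/${fqdn}.pem" intermediate/intermediate_ca.pem \
  > "certificates/${fqdn}-full.pem"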
- Cleanup environment
# Drop the helper variable so a later copy-paste cannot reuse a stale host.
unset -v fqdn
Renew expired server certificate
- Set variable to make our life easier
# Host name of the certificate being renewed; every path below derives from it.
fqdn='host.domain.tld'
- New CSR
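# Create a new CSR for the server from its existing key and CSR definition;
# cfssljson -bare writes certificates/${fqdn}.csr for the signing step.
# The private key is reused — if it may have been exposed, generate a new
# key pair instead of renewing. Expansions are quoted so an unexpected value
# cannot be word-split or globbed.
cfssl gencsr \
  -key "certificates/${fqdn}-key.pem" \
  "certificates/${fqdn}.json" \
  | cfssljson -bare "certificates/${fqdn}"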
- Sign CSR
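# Sign the server CSR with the intermediate CA using the "server" profile of
# config.json; cfssljson -bare overwrites certificates/${fqdn}.pem with the
# renewed certificate. Expansions are quoted so an unexpected value cannot
# be word-split or globbed.
cfssl sign -ca intermediate/intermediate_ca.pem \
  -ca-key intermediate/intermediate_ca-key.pem \
  -config config.json \
  -profile server \
  "certificates/${fqdn}.csr" \
  | cfssljson -bare "certificates/${fqdn}"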
- Recreate chain
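# Rebuild the chain file (renewed leaf first, then the issuing intermediate).
# Abort if fqdn is unset instead of silently creating certificates/-full.pem
# from a non-existent certificates/.pem.
: "${fqdn:?set fqdn before building the chain}"
cat -- "certificates/${fqdn}.pem" intermediate/intermediate_ca.pem \
  > "certificates/${fqdn}-full.pem"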
- Cleanup environment
# Drop the helper variable so a later copy-paste cannot reuse a stale host.
unset -v fqdn