alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Add CFSSL instructions

Browse source
This commit is contained in:
Carl Tashian 2020-02-26 10:59:38 -08:00
parent a1debf7b1e
commit 76a077ba3e
1 changed files with 30 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
docs/questions.md
View file

@ -193,7 +193,36 @@ openssl ca -config [ROOT_CA_CONFIG_FILE] \
-out intermediate.crt -out intermediate.crt
``` ```
This process will yield an `intermediate.crt` certificate. Transfer this file back to the machine running `step-ca`. **CFSSL**
For CFSSL you'll need a signing profile that specifies a 10-year expiry:
```bash
cat > ca-smallstep-config.json <<EOF
{
"signing": {
"profiles": {
"smallstep": {
"expiry": "87660h",
"usages": ["signing"]
}
}
}
}
EOF
```
Now use that config to sign the intermediate certificate:
```bash
cfssl sign -ca ca.pem \
-ca-key ca-key.pem \
-config ca-smallstep-config.json \
-profile smallstep
-csr intermediate.csr | cfssljson -bare
```
This process will yield a signed `intermediate.crt` certificate (or `cert.pem` for CFSSL). Transfer this file back to the machine running `step-ca`.
Finally, replace the intermediate .crt and signing key produced by `step ca init` with the new ones we just created: Finally, replace the intermediate .crt and signing key produced by `step ca init` with the new ones we just created: