Add CFSSL instructions

2020-02-26 10:59:38 -08:00 · 2020-02-26 10:59:38 -08:00 · 76a077ba3e
commit 76a077ba3e
parent a1debf7b1e
1 changed files with 30 additions and 1 deletions
--- a/docs/questions.md
+++ b/docs/questions.md
@ -193,7 +193,36 @@ openssl ca -config [ROOT_CA_CONFIG_FILE] \
  -out intermediate.crt
 ```

-This process will yield an `intermediate.crt` certificate.  Transfer this file back to the machine running `step-ca`.
+**CFSSL**
+
+For CFSSL you'll need a signing profile that specifies a 10-year expiry:
+
+```bash
+cat > ca-smallstep-config.json <<EOF
+{
+  "signing": {
+    "profiles": {
+      "smallstep": {
+        "expiry": "87660h",
+        "usages": ["signing"]
+      }
+    }
+  }
+}
+EOF
+```
+
+Now use that config to sign the intermediate certificate:
+
+```bash
+cfssl sign -ca ca.pem \
+    -ca-key ca-key.pem \
+    -config ca-smallstep-config.json \
+    -profile smallstep
+    -csr intermediate.csr | cfssljson -bare
+```
+
+This process will yield a signed `intermediate.crt` certificate (or `cert.pem` for CFSSL). Transfer this file back to the machine running `step-ca`.

 Finally, replace the intermediate .crt and signing key produced by `step ca init` with the new ones we just created: