- Install the `cfssl` and `cfssljson` commands from https://github.com/cloudflare/cfssl
- Create a CA
Make a file called `ca.json`, containing this:
```json
{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "Internet Widgets, Inc.",
      "OU": "WWW",
      "ST": "California"
    }
  ]
}
```
Then run:
```sh
cfssl genkey -initca ca.json | cfssljson -bare ca
```
That will create the CA files you need: `ca.pem` (the self-signed CA certificate) and `ca-key.pem` (the CA private key), plus `ca.csr`, which you don't need. Anyone holding `ca-key.pem` can issue certificates that every client trusting `ca.pem` will accept, so keep it off the server, readable only by the account that signs, and ideally on a separate machine.
- Create a server key and cert request
Create a JSON file to describe your server, call it `myhost.json`:
```json
{
  "hosts": [
    "subdomain.yourhost.yourdomain",
    "10.232.1.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "Internet Widgets, Inc.",
      "OU": "WWW",
      "ST": "California"
    }
  ]
}
```
This is the same as the CA description with `hosts` added: the DNS names and IP addresses clients will use to reach the server. They become the certificate's subject alternative names, so every name a client will connect with must be listed here. You could use one JSON file for both steps, but then the CA certificate would carry the server's SANs too, so it is cleaner to keep them separate.
Then run:
```sh
cfssl genkey myhost.json | cfssljson -bare myhost
```
This will create `myhost-key.pem` (server private key) and `myhost.csr` (certificate signing request).
- Issue the server certificate with your CA
```sh
cfssl sign -ca ca.pem -ca-key ca-key.pem -csr myhost.csr | cfssljson -bare myhost
```
This writes your server certificate to `myhost.pem`, with the SANs taken from the CSR. With no `-config`, cfssl signs with its built-in default profile: a one-year expiry and usages for both server and client authentication. Pass `-config` with a signing profile (and `-profile` to select it) when you want a shorter lifetime or server auth only.
- Using
You'll need to make `ca.pem` a trusted root certificate in the clients accessing this server, and only in those clients: any client that trusts `ca.pem` will accept whatever `ca-key.pem` signs. The server will definitely need `myhost.pem` and `myhost-key.pem`, and the key file should be readable only by the server's account. Some server implementations expect the CA certificate appended to the server certificate in one chain file, others ask for it as a separate option.