This repository was archived by the owner on Apr 19, 2024. It is now read-only.

Commit 83f190b

doc: add cfssl section
1 parent 3325f70 commit 83f190b

3 files changed

+95
-2
lines changed

README.md

+44-2
@@ -8,7 +8,6 @@ brew install protobuf clang-format
88

99
clang-format is used for format proto files
1010

11-
1211
## Install golang code generator
1312

1413
```
@@ -32,7 +31,7 @@ go build -o ./dist ./cmd/...
3231
## Run and test
3332

3433
```console
35-
$ ./dist/server
34+
$ ./dist/server
3635
2022/07/21 22:18:20 listen and serveing...
3736
2022/07/21 22:18:26 request certificate subject: CN=client
3837
```
@@ -41,3 +40,46 @@ $ ./dist/server
4140
$ ./dist/client
4241
Hello,world
4342
```
43+
44+
## How to generate x509 certificates
45+
46+
1. Download [cfssl](https://github.com/cloudflare/cfssl)
47+
2. Generate your self-signed root CA
48+
49+
```
50+
cfssl selfsign -config cfssl.json --profile rootca "My Root CA" csr.json | cfssljson -bare root
51+
```
52+
53+
you will get 3 files:
54+
55+
- root.csr ROOT CA CSR(you may don't need it)
56+
- root-key.pem ROOT CA key
57+
- root.pem ROOT CA certificate
58+
59+
3. Create your server and client certificate
60+
61+
```
62+
cfssl genkey csr.json | cfssljson -bare server
63+
cfssl genkey csr.json | cfssljson -bare client
64+
```
65+
66+
you will get 4 files:
67+
68+
- server.csr Server side CSR
69+
- server-key.pem Server key
70+
- client.csr Client side CSR
71+
- server-key.pem Client key
72+
73+
4. Sign new certificates by your self-signed root CA
74+
75+
```
76+
cfssl sign -ca root.pem -ca-key root-key.pem -config cfssl.json -profile server server.csr | cfssljson -bare server
77+
cfssl sign -ca root.pem -ca-key root-key.pem -config cfssl.json -profile client client.csr | cfssljson -bare client
78+
```
79+
80+
you will get your server and client certificates
81+
82+
- server.pem
83+
- client.pem
84+
85+
For more detail about `cfss.json` and `csr.json`, check out cfsll documentation.
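
Review bot: In the file list under step 3, the last entry reads `- server-key.pem Client key`, repeating the server key's name; since the command is `cfssljson -bare client`, it should be `client-key.pem`. The closing sentence also misspells both names (`cfss.json`, "cfsll"); they should be `cfssl.json` and cfssl. Step 2 leaves `root-key.pem` next to the other outputs with no word on handling it. A sentence telling readers to keep the CA key out of version control and to restrict its file permissions would be worth adding, since whoever holds it can issue certificates that this server and client will trust.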

cfssl.json

+42
@@ -0,0 +1,42 @@
1+
{
2+
"signing": {
3+
"default": {
4+
"expiry": "87600h"
5+
},
6+
"profiles": {
7+
"rootca": {
8+
"usages": [
9+
"signing",
10+
"digital signature",
11+
"key encipherment",
12+
"cert sign",
13+
"crl sign",
14+
"server auth",
15+
"client auth"
16+
],
17+
"ca_constraint": {
18+
"is_ca": true
19+
},
20+
"expiry": "87600h"
21+
},
22+
"server": {
23+
"usages": [
24+
"signing",
25+
"digital signing",
26+
"key encipherment",
27+
"server auth"
28+
],
29+
"expiry": "87600h"
30+
},
31+
"client": {
32+
"usages": [
33+
"signing",
34+
"digital signature",
35+
"key encipherment",
36+
"client auth"
37+
],
38+
"expiry": "87600h"
39+
}
40+
}
41+
}
42+
}
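
Review bot: The `server` profile lists `"digital signing"` where the `rootca` and `client` profiles use `"digital signature"`; cfssl names this usage `digital signature`, so the server entry should be changed to match. Two further points on the same file: the `rootca` profile carries `"server auth"` and `"client auth"` alongside `"cert sign"` and `"crl sign"`, which is broader than a signing-only CA needs, and the `server` and `client` profiles use the same `"expiry": "87600h"` (ten years) as the root. Dropping the two auth usages from `rootca` and giving the leaf profiles a much shorter expiry would limit how long a leaked leaf key stays useful.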

csr.json

+9
@@ -0,0 +1,9 @@
1+
{
2+
"hosts": ["localhost", "127.0.0.1"],
3+
"key": {
4+
"algo": "ecdsa",
5+
"size": 256
6+
},
7+
"CN": "localhost",
8+
"names": []
9+
}
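
Review bot: This one request file, with `"CN": "localhost"` and `"hosts": ["localhost", "127.0.0.1"]`, is what the README passes to `cfssl selfsign` and to both `cfssl genkey` commands, so the root CA, the server and the client are all requested with subject CN=localhost, while the README's sample server log shows `request certificate subject: CN=client`. Suggest separate request files per role (for example a client request with `"CN": "client"` and without the server's host names, and a root request with its own CN), so that the peer identity the server logs distinguishes the client from the server and the CA.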
