# Self-signing a CA certificate with cfssl

Use cfssl to self-sign a CA certificate. The CA can be used for Kubernetes communication or for self-hosted services.

## Tutorial

A tutorial found online (two routes: `gencert` in one step, or `genkey` followed by `sign`):

```bash
sudo apt install golang-cfssl
mkdir cert && cd cert

# Generate the CA
cfssl print-defaults config > ca-config.json
# This config file sets the default certificate expiry and a profile named "server" that is used to authenticate servers.
cfssl print-defaults csr > ca-csr.json
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

# Generate the server certificate in one step: server.csr, server.pem, server-key.pem
# (server-csr.json is the server's CSR config, not the CA's ca-csr.json)
cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www server-csr.json | cfssljson -bare server

### Alternative route: genkey + sign
# This generates ca.pem and ca-key.pem, the CA certificate and private key you generated yourself.
cfssl genkey -initca ca-csr.json | cfssljson -bare ca
# This generates server.csr and server-key.pem, which are used to issue the certificate.
cfssl genkey -config ca-config.json -profile server server-csr.json | cfssljson -bare server
# This generates server.pem, the SSL certificate you issued.
cfssl sign -config ca-config.json -profile server -ca ca.pem -ca-key ca-key.pem server.csr | cfssljson -bare server
```

## Practice

Create the CA certificate config cert/ca-csr.json:

```json
{
  "CN": "KKBT CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "ORGANIZATION"
    }
  ]
}
```

Generate:

1. ca-key.pem: the CA private key
2. ca.pem: the CA certificate

```bash
⋊> cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2023/07/15 11:46:17 [INFO] generating a new CA key and certificate from CSR
2023/07/15 11:46:17 [INFO] generate received request
2023/07/15 11:46:17 [INFO] received CSR
2023/07/15 11:46:17 [INFO] generating key: rsa-2048
2023/07/15 11:46:18 [INFO] encoded CSR
2023/07/15 11:46:18 [INFO] signed certificate with serial number xxxxxxxx
```

Create ca-config.json, the signing configuration; it is needed whenever the CA certificate is used to issue other certificates:

```json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "www": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
```

Create server-csr.json, which configures the hostnames (here an IP address) the certificate is issued for:

```json
{
  "CN": "192.168.0.101",
  "hosts": [
    "192.168.0.101"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "O": "Raspberry Pi"
    }
  ]
}
```

Issue the certificate:

```bash
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=server \
  server-csr.json | cfssljson -bare server
```

Result:

```bash
~/cert# ❯❯❯ cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=server \
  server-csr.json | cfssljson -bare server
2024/07/22 18:04:14 [INFO] generate received request
2024/07/22 18:04:14 [INFO] received CSR
2024/07/22 18:04:14 [INFO] generating key: ecdsa-256
2024/07/22 18:04:14 [INFO] encoded CSR
2024/07/22 18:04:14 [INFO] signed certificate with serial number xxxxxxxx
```

For deployment, use server-key.pem and server.pem.

## Summary

Install the CA root certificate on phones, tablets and computers; after that, every server certificate issued by this CA is treated as trusted. However, once the CA certificate is installed there is a `Network may be monitored` notice.

Also, the practice above uses only two kinds of certificates. Normally there is a CA root certificate, an intermediate certificate and a server certificate, but for personal use I did not go to that trouble and there is no intermediate certificate.
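As an added example (not part of the original post or of cfssl itself), the following stdlib-only Python script pre-checks a ca-config.json and a *-csr.json before `cfssl gencert` is run, catching the mistakes that otherwise only surface later as TLS errors on the client: a signing profile without `server auth`, an empty `hosts` list (no SAN), a CN that is not repeated in `hosts`, a weak key, and an overly long expiry. The embedded sample JSON is the configuration from this post; `BAD_CSR_JSON` and the 825-day expiry threshold are constructed assumptions for illustration.

```python
"""Pre-flight checks for cfssl ca-config.json and *-csr.json before running `cfssl gencert`.

Added example, stdlib only. The sample JSON below is the configuration from the post;
BAD_CSR_JSON and MAX_EXPIRY_HOURS are constructed assumptions.
"""
import ipaddress
import json
import re
from typing import List

# Constructed sample input: ca-config.json from the post.
CA_CONFIG_JSON = """
{ "signing": { "default": { "expiry": "8760h" },
  "profiles": {
    "server": { "expiry": "8760h", "usages": ["signing", "key encipherment", "server auth"] },
    "www":    { "expiry": "8760h", "usages": ["signing", "key encipherment", "server auth"] },
    "client": { "expiry": "8760h", "usages": ["signing", "key encipherment", "client auth"] } } } }
"""

# Constructed sample input: server-csr.json from the post.
SERVER_CSR_JSON = """
{ "CN": "192.168.0.101", "hosts": ["192.168.0.101"],
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "C": "CN", "O": "Raspberry Pi" } ] }
"""

# Constructed, deliberately bad CSR (hypothetical): no SAN, weak RSA key.
BAD_CSR_JSON = """
{ "CN": "nas.example.test", "hosts": [], "key": { "algo": "rsa", "size": 1024 } }
"""

# Assumption: flag validity longer than 825 days, a limit some client platforms apply to TLS server certs.
MAX_EXPIRY_HOURS = 825 * 24

_DNS_RE = re.compile(r"(\*\.)?([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}")


def parse_expiry_hours(expiry: str) -> float:
    """Parse the subset of Go duration syntax cfssl configs use ('8760h', '1h30m', '90s') into hours."""
    m = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", expiry or "")
    if not expiry or not m:
        raise ValueError(f"unparseable expiry: {expiry!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours + minutes / 60 + seconds / 3600


def valid_host(host: str) -> bool:
    """A SAN entry must be an IP address or a DNS name (cfssl copies 'hosts' into the SAN extension)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_DNS_RE.fullmatch(host))


def check_profile(ca_config: dict, profile: str, kind: str) -> List[str]:
    """Check that the chosen signing profile grants the usage the cert is for and has a sane lifetime."""
    findings = []
    signing = ca_config.get("signing", {})
    profiles = signing.get("profiles", {})
    if profile not in profiles:
        return [f"profile {profile!r} is not defined under signing.profiles"]
    p = profiles[profile]
    needed = "server auth" if kind == "server" else "client auth"
    if needed not in p.get("usages", []):
        findings.append(f"profile {profile!r} lacks the {needed!r} usage; TLS peers will reject it for {kind} use")
    expiry = p.get("expiry") or signing.get("default", {}).get("expiry")
    if parse_expiry_hours(expiry) > MAX_EXPIRY_HOURS:
        findings.append(f"profile {profile!r} expiry {expiry} exceeds {MAX_EXPIRY_HOURS}h; some clients distrust long-lived certs")
    return findings


def check_csr(csr: dict, kind: str) -> List[str]:
    """Check the CSR config: SAN coverage for server certs and key strength for all certs."""
    findings = []
    hosts = csr.get("hosts") or []
    cn = csr.get("CN", "")
    if kind == "server":
        if not hosts:
            findings.append("hosts is empty: the certificate will carry no SAN and TLS clients will not match it to any name")
        for h in hosts:
            if not valid_host(h):
                findings.append(f"host {h!r} is neither an IP address nor a DNS name")
        if cn and cn not in hosts:
            findings.append(f"CN {cn!r} is not repeated in hosts; modern clients check SAN, not CN")
    key = csr.get("key", {})
    algo, size = key.get("algo"), key.get("size") or 0
    if algo == "rsa" and size < 2048:
        findings.append(f"rsa key size {size} is too small; use at least 2048")
    elif algo == "ecdsa" and size not in (256, 384, 521):
        findings.append(f"ecdsa size {size} is not a supported curve size (256, 384, 521)")
    elif algo not in ("rsa", "ecdsa"):
        findings.append(f"unknown key algo {algo!r}")
    return findings


def preflight(ca_config_text: str, csr_text: str, profile: str, kind: str = "server") -> List[str]:
    """Run all checks; an empty list means the pair is ready for `cfssl gencert -profile <profile>`."""
    return check_profile(json.loads(ca_config_text), profile, kind) + check_csr(json.loads(csr_text), kind)


if __name__ == "__main__":
    for label, csr in (("post's server-csr.json", SERVER_CSR_JSON), ("constructed bad CSR", BAD_CSR_JSON)):
        findings = preflight(CA_CONFIG_JSON, csr, "server")
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against the real files with `json.load(open("ca-config.json"))` in place of the embedded samples; the post's server-csr.json passes cleanly because its only host is also its CN and the `server` profile carries `server auth`, while the constructed bad CSR is rejected for the empty SAN and the 1024-bit RSA key before any certificate is issued.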