OpenBSD CloudFlare Certificate CFSSL - Create Private PKI/TLS Certificate CA For DNS Server Client

CFSSL, Cloudflare's PKI/TLS toolkit, is written in Go and is one of the open source programs Cloudflare has released. It is a command line tool and an HTTP API server for signing, verifying and bundling TLS certificates. Cloudflare released CFSSL to make creating PKI/TLS certificates easier, and the tool strikes a good balance between performance, security and interoperability.

CFSSL is not only a tool for bundling certificates; it can also act as a certificate authority, because it covers the basic functions of certificate generation, including private key generation and certificate signing request (CSR) generation. This makes CFSSL well suited to DNS servers that speak TLS.

CFSSL helps improve the security of your network, because TLS certificates are designed to address several security problems on the internet. A certificate binds a domain name to a server and an organisation name to a location, forming the basis of trust on the internet by vouching for the identity of a website. In other words, the certificate contains the server name, the trusted certification authority (CA) that vouches for the certificate's authenticity, and the server's public key.

In this article we will learn how to set up Cloudflare CFSSL on OpenBSD. The article covers installing Go and CFSSL, configuring CFSSL and creating certificates.


1. Install Golang

Because CFSSL is written in Go, the main requirement your OpenBSD system must meet is that Go is installed. It does no harm to review the Go installation process briefly. Installing Go on OpenBSD is not difficult: Go is provided as a package in the OpenBSD package repository, so you can run the installation right away without downloading anything from other repositories.

Install Go
ns3# pkg_add go
Many Go versions have been released, and different operating systems do not necessarily ship the same one, so check the installed Go version before using it.

Check Go version
ns3# go version
go version go1.22.1 openbsd/amd64
Go also has several PATH-related settings that you can configure yourself. For more details on creating the PATH environment variable, see our previous article.

https://www.unixwinbsd.site/2024/05/guide-to-installing-go-golang-with-path.html


2. Install Cloudflare CFSSL

Once Go is installed, continue by installing CFSSL. The installation is no harder than Go's: a single command installs CFSSL on OpenBSD. The following is the command to install CFSSL.

Install CFSSL
ns3# pkg_add cfssl
You can view the installed version of CFSSL with the following command.

Check CFSSL version
ns3# cfssl version
Version: 1.6.4
Runtime: go1.22.1
Now that CFSSL is installed, we need to understand how it works and how a certificate is created with it.


3. Setup Cloudflare CFSSL

By default CFSSL provides two basic configuration files, namely:
  • CSR_configuration and
  • signing_configuration.

The CSR configuration file describes the key pair and certificate request you are going to create. The signing configuration, as its name suggests, defines the rules under which certificates are signed (profiles, usages, expiry and so on). We will show how to initialise a root CA for your OpenBSD server environment. First we write cfssl's default options to files, so that we can edit them and reuse them later.

a. Create ROOT CA

The first step in creating a root CA certificate is to create a directory to store the certificates; after that we configure and create the key for the CA itself.

Create directory and key ROOT CA
ns3# mkdir -p /etc/ssl/cfssl
ns3# cd /etc/ssl/cfssl
ns3# cfssl print-defaults config > ca-config.json
ns3# cfssl print-defaults csr > ca-csr.json
The cfssl commands above generate two JSON files:
  • ca-config.json
  • ca-csr.json
Open the two files and type the script as in the example below.

Script ca-config.json
{
    "signing": {
        "default": {
            "expiry": "8760h"
        },
        "profiles": {
            "intermediate_ca": {
                "usages": [
                    "signing",
                    "digital signature",
                    "key encipherment",
                    "cert sign",
                    "crl sign",
                    "server auth",
                    "client auth",
                    "www auth"
                ],
                "expiry": "8760h",
                "ca_constraint": {
                    "is_ca": true,
                    "max_path_len": 0,
                    "max_path_len_zero": true
                }
            },
            "peer": {
                "usages": [
                    "signing",
                    "digital signature",
                    "key encipherment",
                    "client auth",
                    "server auth",
                    "www auth"
                ],
                "expiry": "8760h"
            },
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "www auth"
                ]
            },
            "server": {
                "usages": [
                    "signing",
                    "digital signature",
                    "key encipherment",
                    "server auth"
                ],
                "expiry": "8760h"
            },
            "client": {
                "usages": [
                    "signing",
                    "digital signature",
                    "key encipherment",
                    "client auth"
                ],
                "expiry": "8760h"
            }
        }
    }
}
Script ca-csr.json
{
    "CN": "Servers Intermediate CA",
    "hosts": [
        "kursor.my.id",
        "www.kursor.my.id"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "ST": "CA",
            "L": "San Francisco",
            "O": "OpenBSD Education",
            "OU": "Tutor"
        }
    ],
    "ca": {
        "expiry": "8760h"
    }
}
Replace the domain "kursor.my.id" with your OpenBSD server's domain. Then generate the CA with the options we have specified.

Generate CA
ns3# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
The command above produces three new files:
  • ca-key.pem (private key)
  • ca.csr (certificate signing request)
  • ca.pem (root CA certificate, which carries its public key)

b. Create Intermediate CA

Now that we have the root CA, the most important file, we move on to the next step. The root CA lets us issue intermediate certificates, and an intermediate certificate can in turn act as a CA to issue further intermediates or to sign end certificates and keys directly. In this setup the root CA key is kept on an offline machine and is used only when an intermediate CA certificate needs to be signed. To create an intermediate CA we need the following configuration files.

Create directory /etc/ssl/cfssl/intermediate and intermediate.json file
ns3# mkdir -p /etc/ssl/cfssl/intermediate
ns3# cd /etc/ssl/cfssl/intermediate
ns3# touch intermediate.json
Open the intermediate.json file, and enter the script as in the example below.

Script /etc/ssl/cfssl/intermediate/intermediate.json
{
    "CN": "Servers Intermediate CA",
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "ST": "CA",
            "L": "San Francisco",
            "O": "OpenBSD Education",
            "OU": "Tutor"
        }
    ],
    "ca": {
        "expiry": "8760h"
    }
}
Once the script is in that file, generate the intermediate CA's key pair and signing request, then have the root CA sign that request.

Generating intermediate public and private keys
ns3# cfssl gencert -initca intermediate.json | cfssljson -bare intermediate_ca
ns3# cfssl sign -ca /etc/ssl/cfssl/ca.pem -ca-key /etc/ssl/cfssl/ca-key.pem -config /etc/ssl/cfssl/ca-config.json -profile intermediate_ca intermediate_ca.csr | cfssljson -bare intermediate_ca

c. Create end certificates

Each web server or DNS server has its own certificate. Let's assume you want a certificate for a DNS server under the domain kursor.my.id. The first thing to do is create a certificate signing request (CSR) for the DNS server, by creating a new file as in the example below.

Create certificate DNS Server
ns3# mkdir -p /etc/ssl/cfssl/CADNSServer
ns3# cd /etc/ssl/cfssl/CADNSServer
ns3# touch kursor.my.id.json
Then enter the script below in the kursor.my.id.json file.

Script /etc/ssl/cfssl/CADNSServer/kursor.my.id.json
{
    "CN": "server.computingexample.com",
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "ST": "CA",
            "L": "San Francisco",
            "O": "OpenBSD Education",
            "OU": "Tutor"
        }
    ],
    "hosts": [
        "ns3.kursor.my.id",
        "localhost"
    ]
}
To generate a DNS server certificate from the JSON file above, run the following command.

Generate certificate DNS Server
ns3# cfssl gencert -ca /etc/ssl/cfssl/intermediate/intermediate_ca.pem -ca-key /etc/ssl/cfssl/intermediate/intermediate_ca-key.pem -config /etc/ssl/cfssl/ca-config.json -profile=server kursor.my.id.json | cfssljson -bare DNSServer1


4. Create Certificate Bundles

Some Apache, Java and DNS server based applications such as Unbound require the root and intermediate certificates to be combined in one file. Cloudflare CFSSL can create the combined certificates required by the server and the client.

Use the cfssl-mkbundle command to build the root and intermediate bundles used when verifying certificates; it joins the end certificate with the certificates of the intermediate CA and the root CA. Follow the guide below to create a bundle.

Generate certificate Bundle DNS Server
ns3# cd /etc/ssl/cfssl
ns3# cfssl-mkbundle -f /etc/ssl/cfssl/CADNSServer/DNSserverbundle.crt CADNSServer
The command above creates a bundle certificate by combining the certificates in /etc/ssl/cfssl with those in /etc/ssl/cfssl/CADNSServer; the result is stored in /etc/ssl/cfssl/CADNSServer.

You can use the same command to merge the certificates in /etc/ssl/cfssl with those in /etc/ssl/cfssl/intermediate.

Generate certificate Bundle Intermediate
ns3# cd /etc/ssl/cfssl
ns3# cfssl-mkbundle -f /etc/ssl/cfssl/intermediate/Intermediatebundle.crt intermediate
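To see what the JSON profiles in section 3 and the bundles in section 4 actually amount to, here is an added example that is not part of the original article or of CFSSL. It rebuilds the same hierarchy (a self-signed root, an intermediate with is_ca true and max_path_len_zero, and a server certificate with the server profile's usages and the CSR's hosts as subject alternative names) using Go's crypto/x509 package, which cfssl itself is built on, then writes a leaf-first PEM bundle like DNSserverbundle.crt and verifies it the way a TLS client would. The root's common name "Servers Root CA" and the "Unexpected Sub CA" name are assumptions made for this example; the host names are the article's. It also checks two things worth knowing before the Unbound and Nginx sections below: a bundle that lacks the intermediate does not verify, and a CA certificate does not pass as a server certificate.

```go
package main

// Added example (not the article's or CFSSL's code): the article's hierarchy rebuilt with
// Go's crypto/x509, the library cfssl is built on, then bundled and verified as a TLS client would.

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey is the "algo": "ecdsa", "size": 256 key pair the article's CSR files request.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign issues tmpl for pub under parent (parent == tmpl gives a self-signed root)
// with the article's "expiry": "8760h" and a random 128-bit serial number.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(8760*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// BuildHierarchy mirrors "cfssl gencert -initca" (root), the "intermediate_ca" profile
// (is_ca, max_path_len 0, max_path_len_zero) and the "server" profile ("digital signature",
// "key encipherment", "server auth", CSR hosts as SANs). The root CN is an assumed name.
func BuildHierarchy() (root, intermediate, leaf *x509.Certificate, intermediateKey *ecdsa.PrivateKey) {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature
	rootTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "Servers Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage}
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	intTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "Servers Intermediate CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
		MaxPathLen: 0, MaxPathLenZero: true} // may issue end-entity certificates only
	intermediate = sign(intTmpl, root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "ns3.kursor.my.id"},
		DNSNames:    []string{"ns3.kursor.my.id", "localhost"},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return root, intermediate, sign(leafTmpl, intermediate, &leafKey.PublicKey, intKey), intKey
}

// Bundle concatenates certificates leaf-first, the order a TLS server sends its chain in.
func Bundle(certs ...*x509.Certificate) []byte {
	var buf bytes.Buffer
	for _, c := range certs {
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return buf.Bytes()
}

// VerifyBundle checks that the first certificate in bundlePEM is a server certificate for host that chains to root.
func VerifyBundle(bundlePEM []byte, root *x509.Certificate, host string) error {
	blk, rest := pem.Decode(bundlePEM)
	if blk == nil {
		return fmt.Errorf("bundle contains no PEM certificate")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AppendCertsFromPEM(rest) // everything after the leaf is an intermediate
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// PathLenZeroEnforced reports whether a leaf under an extra CA below the path-length-0 intermediate is rejected.
func PathLenZeroEnforced(root, intermediate *x509.Certificate, intermediateKey *ecdsa.PrivateKey) bool {
	subKey, leafKey := newKey(), newKey()
	sub := sign(&x509.Certificate{Subject: pkix.Name{CommonName: "Unexpected Sub CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, intermediate, &subKey.PublicKey, intermediateKey)
	leaf := sign(&x509.Certificate{Subject: pkix.Name{CommonName: "ns3.kursor.my.id"}, DNSNames: []string{"ns3.kursor.my.id"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, sub, &leafKey.PublicKey, subKey)
	return VerifyBundle(Bundle(leaf, sub, intermediate), root, "ns3.kursor.my.id") != nil
}

func main() {
	root, inter, leaf, ikey := BuildHierarchy()
	fmt.Println("leaf+intermediate bundle verifies:", VerifyBundle(Bundle(leaf, inter), root, "ns3.kursor.my.id") == nil)
	fmt.Println("max_path_len_zero enforced:", PathLenZeroEnforced(root, inter, ikey))
}
```

Run it with go run; the first line should print true and the second true. The equivalent check on the files cfssl wrote, run from /etc/ssl/cfssl, is openssl verify -CAfile ca.pem -untrusted intermediate/intermediate_ca.pem CADNSServer/DNSServer1.pem. Note that the program, like the article, keeps the intermediate's private key only where signing happens; the certificates it serves are the leaf and the intermediate, never the CA keys.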


5. How to Use a CFSSL certificate in Unbound

Having created the root CA certificate, the intermediate CA and the certificate for the DNS server, we now apply the certificate to the DNS server; in this example we use the Unbound DNS server. In the main Unbound directory, open the unbound.conf file, look for the TLS settings and replace them with the lines below.

Script unbound.conf
tls-port: 853
tls-cert-bundle: "/etc/ssl/cfssl/CADNSServer/DNSserverbundle.crt"
tls-service-key: "/etc/ssl/cfssl/CADNSServer/DNSServer1-key.pem"
tls-service-pem: "/etc/ssl/cfssl/CADNSServer/DNSServer1.pem"
Restart Unbound and run the command below to check whether Unbound now answers on TLS port 853.

Test Unbound
ns3# dig -p 853 yahoo.com @192.168.5.3


6. How to Use a CFSSL certificate in NGINX Web Server

You can also use the CFSSL certificate on the Nginx web server. Enter a block like the example below in your virtual host file (it creates an HTTPS listener in the Nginx virtual host).

Script /etc/nginx/vhostsSSL.conf
server {
    # the "ssl" parameter on listen replaces the deprecated "ssl on;" directive
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name  datainchi.com;
    root         /var/www/htdocs/nginxssl;

    ssl_certificate     /etc/ssl/cfssl/intermediate/Intermediatebundle.crt;
    ssl_certificate_key /etc/ssl/cfssl/intermediate/intermediate_ca-key.pem;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root  /var/www/htdocs/nginxssl;
    }
}
The example above is a simple Nginx HTTPS configuration; adapt it to your OpenBSD system. After adding the CFSSL certificate to the Nginx configuration, restart Nginx so that the HTTPS port takes effect.

Restart Nginx
ns3# rcctl restart nginx
Then open Google Chrome and go to "https://192.168.5.3". You will see that Nginx is now serving HTTPS on port 443.

TLS is the foundation of modern encrypted communication. Properly configured, TLS provides strong encryption and verifies the parties involved in a connection. CFSSL is a simple, fast and convenient tool for running your own SSL/TLS CA; with its self-signed root it helps secure your network by providing the key exchange infrastructure for encrypted connections.
Iwan Setiawan
