path: root/pod/lua-resty-core-0.1.31/t.cert.ocsp.cfssl.readme.pod
=encoding utf-8

The following steps require cfssl (https://github.com/cloudflare/cfssl).

Initialize the CA by creating the root certificate pair:


    cfssl gencert -initca ca_csr.json | cfssljson -bare ca

Continue with the intermediate certificate pair used for signing:


    cfssl gencert -ca ca.pem -ca-key ca-key.pem -config=cfssl_config.json -profile=intermediate intermediate_ca_csr.json | cfssljson -bare intermediate_ca

Also create an OCSP certificate pair to sign OCSP responses:


    cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config=cfssl_config.json -profile=ocsp ocsp_csr.json | cfssljson -bare ocsp

Create a leaf certificate:


    cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config cfssl_config.json -profile server leaf_csr.json | cfssljson -bare leaf

Create an OCSP response for the certificate:


    cfssl ocspsign -ca intermediate_ca.pem -responder ocsp.pem -responder-key ocsp-key.pem -cert leaf.pem -status good | cfssljson -bare ocsp-response-good

Bundle the certificates to be installed in Nginx:


    cat leaf.pem intermediate_ca.pem ca.pem > leaf-bundle.pem

Inspect the OCSP response to see its Next Update time:


    openssl ocsp -text -no_cert_verify -respin t/cert/ocsp/cfssl/ocsp-response-good-response.der | grep "Next Update"
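
The Next Update inspection above can be turned into a pass/fail check, so that an expired or non-good response fixture is caught before it is used. This is an added example, not part of lua-resty-core; the function names and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Print the first "Label: value" field from `openssl ocsp -text` output on stdin.
ocsp_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Turn an OpenSSL time ("Jan  1 00:00:00 2030 GMT") into a sortable
# YYYYMMDDhhmmss number, without depending on GNU date.
ossl_stamp() {
    printf '%s\n' "$1" | awk 'NF >= 4 {
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        gsub(":", "", $3)
        printf "%04d%02d%02d%s\n", $4, m, $2, $3
    }'
}

# Numeric "a < b" on two stamps (awk avoids shell integer-width limits).
stamp_lt() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a < b) }'; }

# ocsp_check TEXT NOW: succeed only if the status is "good" and
# This Update <= NOW < Next Update (NOW is a UTC YYYYMMDDhhmmss stamp).
ocsp_check() {
    status=$(printf '%s\n' "$1" | ocsp_field 'Cert Status')
    this=$(ossl_stamp "$(printf '%s\n' "$1" | ocsp_field 'This Update')")
    next=$(ossl_stamp "$(printf '%s\n' "$1" | ocsp_field 'Next Update')")
    [ "$status" = good ] || { echo "cert status: ${status:-missing}"; return 1; }
    [ -n "$this" ] && [ -n "$next" ] || { echo "update times missing"; return 1; }
    if stamp_lt "$2" "$this"; then echo "not yet valid"; return 1; fi
    if ! stamp_lt "$2" "$next"; then echo "expired at $next"; return 1; fi
    echo "fresh until $next"
}

# Constructed sample in the layout printed by `openssl ocsp -text` (not real output).
SAMPLE='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Jan  1 00:00:00 2020 GMT
    Cert Status: good
    This Update: Jan  1 00:00:00 2020 GMT
    Next Update: Jan  1 00:00:00 2030 GMT'

# For the real fixture, pass the command output and the current UTC time:
#   ocsp_check "$(openssl ocsp -text -no_cert_verify -respin FILE.der)" "$(date -u +%Y%m%d%H%M%S)"
ocsp_check "$SAMPLE" 20250615120000
```

This check only reads the status and validity window; it does not verify the responder's signature, which `-no_cert_verify` leaves unchecked.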