CFSSL: Cloudflare's PKI and TLS toolkit

Related tags

Network cfssl
Overview

CFSSL

Build Status Coverage Status GoDoc

CloudFlare's PKI/TLS toolkit

CFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates. It requires Go 1.12+ to build.

Note that certain linux distributions have certain algorithms removed (RHEL-based distributions in particular), so the golang from the official repositories will not work. Users of these distributions should install go manually to install CFSSL.

CFSSL consists of:

  • a set of packages useful for building custom TLS PKI tools
  • the cfssl program, which is the canonical command line utility using the CFSSL packages.
  • the multirootca program, which is a certificate authority server that can use multiple signing keys.
  • the mkbundle program is used to build certificate pool bundles.
  • the cfssljson program, which takes the JSON output from the cfssl and multirootca programs and writes certificates, keys, CSRs, and bundles to disk.

Building

Building cfssl requires a working Go 1.12+ installation.

$ git clone [email protected]:cloudflare/cfssl.git
$ cd cfssl
$ make

The resulting binaries will be in the bin folder:

$ tree bin
bin
├── cfssl
├── cfssl-bundle
├── cfssl-certinfo
├── cfssl-newkey
├── cfssl-scan
├── cfssljson
├── mkbundle
└── multirootca

0 directories, 8 files

Cross Compilation

You can set the GOOS and GOARCH environment variables to have Go cross compile for alternative platforms; however, cfssl requires cgo, and cgo requires a working compiler toolchain for the target platform.

Installation

Installation requires a working Go 1.12+ installation.

$ go get -u github.com/cloudflare/cfssl/cmd/cfssl

will download, build, and install the CFSSL tool.

To install any of the other utility programs that are in this repo (for instance cfssljson in this case):

$ go get -u github.com/cloudflare/cfssl/cmd/cfssljson

This will download, build, and install the CFSSLJSON tool.

And to simply install all of the programs in this repo:

$ go get -u github.com/cloudflare/cfssl/cmd/...

This will download, build, and install all of the utility programs (including cfssl, cfssljson, and mkbundle among others).

Using the Command Line Tool

The cfssl command line tool takes a command to specify what operation it should carry out:

   sign             signs a certificate
   bundle           build a certificate bundle
   genkey           generate a private key and a certificate request
   gencert          generate a private key and a certificate
   serve            start the API server
   version          prints out the current version
   selfsign         generates a self-signed certificate
   print-defaults   print default configurations

Use cfssl [command] -help to find out more about a command. The version command takes no arguments.

Signing

cfssl sign [-ca cert] [-ca-key key] [-hostname comma,separated,hostnames] csr [subject]

The csr is the client's certificate request. The -ca and -ca-key flags are the CA's certificate and private key, respectively. By default, they are ca.pem and ca_key.pem. The -hostname is a comma separated hostname list that overrides the DNS names and IP address in the certificate SAN extension. For example, assuming the CA's private key is in /etc/ssl/private/cfssl_key.pem and the CA's certificate is in /etc/ssl/certs/cfssl.pem, to sign the cloudflare.pem certificate for cloudflare.com:

cfssl sign -ca     /etc/ssl/certs/cfssl.pem       \
           -ca-key /etc/ssl/private/cfssl_key.pem \
           -hostname cloudflare.com               \
           ./cloudflare.pem

It is also possible to specify CSR with the -csr flag. By doing so, flag values take precedence and will overwrite the argument.

The subject is an optional file that contains subject information that should be used in place of the information from the CSR. It should be a JSON file as follows:

{
    "CN": "example.com",
    "names": [
        {
            "C":  "US",
            "L":  "San Francisco",
            "O":  "Internet Widgets, Inc.",
            "OU": "WWW",
            "ST": "California"
        }
    ]
}

N.B. As of Go 1.7, self-signed certificates will not include the AKI.

Bundling

cfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \
             [-metadata metadata_file] [-flavor bundle_flavor] \
             -cert certificate_file [-key key_file]

The bundles are used for the root and intermediate certificate pools. In addition, platform metadata is specified through -metadata. The bundle files, metadata file (and auxiliary files) can be found at:

    https://github.com/cloudflare/cfssl_trust

Specify PEM-encoded client certificate and key through -cert and -key respectively. If key is specified, the bundle will be built and verified with the key. Otherwise the bundle will be built without a private key. Instead of file path, use - for reading certificate PEM from stdin. It is also acceptable that the certificate file should contain a (partial) certificate bundle.

Specify bundling flavor through -flavor. There are three flavors: optimal to generate a bundle of shortest chain and most advanced cryptographic algorithms, ubiquitous to generate a bundle of most widely acceptance across different browsers and OS platforms, and force to find an acceptable bundle which is identical to the content of the input certificate file.

Alternatively, the client certificate can be pulled directly from a domain. It is also possible to connect to the remote address through -ip.

cfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \
             [-metadata metadata_file] [-flavor bundle_flavor] \
             -domain domain_name [-ip ip_address]

The bundle output form should follow the example:

{
    "bundle": "CERT_BUNDLE_IN_PEM",
    "crt": "LEAF_CERT_IN_PEM",
    "crl_support": true,
    "expires": "2015-12-31T23:59:59Z",
    "hostnames": ["example.com"],
    "issuer": "ISSUER CERT SUBJECT",
    "key": "KEY_IN_PEM",
    "key_size": 2048,
    "key_type": "2048-bit RSA",
    "ocsp": ["http://ocsp.example-ca.com"],
    "ocsp_support": true,
    "root": "ROOT_CA_CERT_IN_PEM",
    "signature": "SHA1WithRSA",
    "subject": "LEAF CERT SUBJECT",
    "status": {
        "rebundled": false,
        "expiring_SKIs": [],
        "untrusted_root_stores": [],
        "messages": [],
        "code": 0
    }
}

Generating certificate signing request and private key

cfssl genkey csr.json

To generate a private key and corresponding certificate request, specify the key request as a JSON file. This file should follow the form:

{
    "hosts": [
        "example.com",
        "www.example.com",
        "https://www.example.com",
        "[email protected]",
        "127.0.0.1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C":  "US",
            "L":  "San Francisco",
            "O":  "Internet Widgets, Inc.",
            "OU": "WWW",
            "ST": "California"
        }
    ]
}

Generating self-signed root CA certificate and private key

cfssl genkey -initca csr.json | cfssljson -bare ca

To generate a self-signed root CA certificate, specify the key request as a JSON file in the same format as in 'genkey'. Three PEM-encoded entities will appear in the output: the private key, the csr, and the self-signed certificate.

Generating a remote-issued certificate and private key.

cfssl gencert -remote=remote_server [-hostname=comma,separated,hostnames] csr.json

This calls genkey but has a remote CFSSL server sign and issue the certificate. You may use -hostname to override certificate SANs.

Generating a local-issued certificate and private key.

cfssl gencert -ca cert -ca-key key [-hostname=comma,separated,hostnames] csr.json

This generates and issues a certificate and private key from a local CA via a JSON request. You may use -hostname to override certificate SANs.

Updating an OCSP responses file with a newly issued certificate

cfssl ocspsign -ca cert -responder key -responder-key key -cert cert \
 | cfssljson -bare -stdout >> responses

This will generate an OCSP response for the cert and add it to the responses file. You can then pass responses to ocspserve to start an OCSP server.

Starting the API Server

CFSSL comes with an HTTP-based API server; the endpoints are documented in doc/api/intro.txt. The server is started with the serve command:

cfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \
            [-ca-key key] [-int-bundle bundle] [-int-dir dir] [-port port] \
            [-metadata file] [-remote remote_host] [-config config] \
            [-responder cert] [-responder-key key] [-db-config db-config]

Address and port default to "127.0.0.1:8888". The -ca and -ca-key arguments should be the PEM-encoded certificate and private key to use for signing; by default, they are ca.pem and ca_key.pem. The -ca-bundle and -int-bundle should be the certificate bundles used for the root and intermediate certificate pools, respectively. These default to ca-bundle.crt and int-bundle.crt respectively. If the -remote option is specified, all signature operations will be forwarded to the remote CFSSL.

-int-dir specifies an intermediates directory. -metadata is a file for root certificate presence. The content of the file is a json dictionary (k,v) such that each key k is an SHA-1 digest of a root certificate while value v is a list of key store filenames. -config specifies a path to a configuration file. -responder and -responder-key are the certificate and the private key for the OCSP responder, respectively.

The amount of logging can be controlled with the -loglevel option. This comes after the serve command:

cfssl serve -loglevel 2

The levels are:

  • 0 - DEBUG
  • 1 - INFO (this is the default level)
  • 2 - WARNING
  • 3 - ERROR
  • 4 - CRITICAL

The multirootca

The cfssl program can act as an online certificate authority, but it only uses a single key. If multiple signing keys are needed, the multirootca program can be used. It only provides the sign, authsign and info endpoints. The documentation contains instructions for configuring and running the CA.

The mkbundle Utility

mkbundle is used to build the root and intermediate bundles used in verifying certificates. It can be installed with

go get -u github.com/cloudflare/cfssl/cmd/mkbundle

It takes a collection of certificates, checks for CRL revocation (OCSP support is planned for the next release) and expired certificates, and bundles them into one file. It takes directories of certificates and certificate files (which may contain multiple certificates). For example, if the directory intermediates contains a number of intermediate certificates:

mkbundle -f int-bundle.crt intermediates

will check those certificates and combine valid certificates into a single int-bundle.crt file.

The -f flag specifies an output name; -loglevel specifies the verbosity of the logging (using the same loglevels as above), and -nw controls the number of revocation-checking workers.

The cfssljson Utility

Most of the output from cfssl is in JSON. The cfssljson utility can take this output and split it out into separate key, certificate, CSR, and bundle files as appropriate. The tool takes a single flag, -f, that specifies the input file, and an argument that specifies the base name for the files produced. If the input filename is - (which is the default), cfssljson reads from standard input. It maps keys in the JSON file to filenames in the following way:

  • if cert or certificate is specified, basename.pem will be produced.
  • if key or private_key is specified, basename-key.pem will be produced.
  • if csr or certificate_request is specified, basename.csr will be produced.
  • if bundle is specified, basename-bundle.pem will be produced.
  • if ocspResponse is specified, basename-response.der will be produced.

Instead of saving to a file, you can pass -stdout to output the encoded contents to standard output.

Static Builds

By default, the web assets are accessed from disk, based on their relative locations. If you wish to distribute a single, statically-linked, cfssl binary, you’ll want to embed these resources before building. This can by done with the go.rice tool.

pushd cli/serve && rice embed-go && popd

Then building with go build will use the embedded resources.

Additional Documentation

Additional documentation can be found in the "doc" directory:

  • api/intro.txt: documents the API endpoints
Issues
  • Get missing info from CSR fields

    Get missing info from CSR fields

    If there is info missing in the API request, supplement it with information pulled out of the CSR pem.

    TBD: add unit tests. I'm putting this PR up early to give the CFSSL devs a chance to get started on code review.

    opened by dr107 22
  • Unable to clear C, ST, O, OU, L in CSR

    Unable to clear C, ST, O, OU, L in CSR

    The recently added method replaceSliceIfEmpty from aeaf899bba868e70ba78c478be99b7b4cb266915 interferes with clearing unwanted Name fields.

    The logic today chooses to copy the CSR-supplied Name fields if the signer.Subject object includes strings of length 0.

    We need to be able to clear these fields, as we cannot trust the user's input, but passing strings of length 0 no longer does the trick. Of course, we can't send nil pointers either.

    We need some better way to indicate to CFSSL to discard the CSR names.

    opened by jcjones 20
  • Initial CLI Version of `cfssl scan`

    Initial CLI Version of `cfssl scan`

    Adds new scan command, that performs a variety of connectivity and TLS protocol tests.

    Unfortunately, some of these require importing the go standard library's crypto/tls package's source in order to access private members. These are used in scan/tls/cfsslscan_*.go files to export additional functionality not supplied by the crypto/tls API.

    Support for the standard CFSSL HTTP API is forthcoming, but comments on this initial structure might be useful first.

    opened by 0xhaven 15
  • Add API and CLI methods for generating CRL from local DB

    Add API and CLI methods for generating CRL from local DB

    CFSSL is capable of generating CRLs, but mainly in a swiss army knife fashion. This PR enables CFSSL to generate a CRL out of its configured DB/CA, both in CLI and API Server mode.

    TODO:

    • [x] Unit Tests
    • [x] Endpoint Documentation
    opened by drf 14
  • Add support for ECDSA keys in crypto.pkcs11.Key

    Add support for ECDSA keys in crypto.pkcs11.Key

    This submission adds support for ECDSA (P224, P256, P384, P521) for crypto.pkcs11.Key. This code was tested with a smart-card (P256) and a software token (other curves).

    opened by mbrossard 14
  • 'This certificate lacks a

    'This certificate lacks a "hosts" field'

    Why do I get this warning when trying to create a server certificate using an intermediate CA?

    > cfssl version
    Version: 1.2.0
    Revision: dev
    Runtime: go1.7.4
    
    > cfssl gencert -ca .\intermediate.pem -ca-key .\intermediate-key.pem -config .\intermediate-signing-config.json -profile server .\server.json | cfssljson -bare server
    2017/01/24 15:24:42 [INFO] generate received request
    2017/01/24 15:24:42 [INFO] received CSR
    2017/01/24 15:24:42 [INFO] generating key: ecdsa-256
    2017/01/24 15:24:42 [INFO] encoded CSR
    2017/01/24 15:24:42 [INFO] signed certificate with serial number 696568760590259425976467472465542311375839466856
    2017/01/24 15:24:42 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    

    intermediate-signing-config.json:

    {
      "signing": {
        "default": {
          "expiry": "8760h"
        },
        "profiles": {
          "server": {
            "expiry": "8760h",
            "usages": [
              "signing",
              "key encipherment",
              "server auth"
            ]
          }
        }
      }
    }
    

    server.json

    {
      "CN": "example.net",
      "hosts": [
        "example.net",
        "www.example.net"
      ],
      "key": {
        "algo": "ecdsa",
        "size": 256
      },
      "names": [
        {
          "C": "US",
          "L": "CA",
          "ST": "San Francisco"
        }
      ]
    }
    

    Output of cfssl-certinfo -cert .\server.pem:

    {
      "subject": {
        "common_name": "example.net",
        "country": "US",
        "locality": "CA",
        "province": "San Francisco",
        "names": [
          "US",
          "San Francisco",
          "CA",
          "example.net"
        ]
      },
      "issuer": {
        "common_name": "My Intermediate CA"
        [Shortened]
      },
      "serial_number": "696568760590259425976467472465542311375839466856",
      "sans": [
        "example.net",
        "www.example.net"
      ],
      "not_before": "2017-01-24T14:20:00Z",
      "not_after": "2018-01-24T14:20:00Z",
      "sigalg": "ECDSAWithSHA256"
      [Shortened]
    }
    
    bug 
    opened by NKnusperer 13
  • steps in bootstrap.txt not working

    steps in bootstrap.txt not working

    Hi,

    I'm trying to setup an internal CA using CFSSL. Started experimenting. Followed bootstrap.txt, the build and install all went fine, I created a ca.json file, and ended up with a ca.pem and ca-key.pem file. I moved them into /etc/cfssl, but when I started cfssl server it throws a lot of errors starting with this:

    2016/03/29 09:58:23 [INFO] Initializing signer
    2016/03/29 09:58:23 [WARNING] couldn't initialize signer: {"code":2000,"message":"Unknown private key error"}
    2016/03/29 09:58:23 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
    2016/03/29 09:58:23 [INFO] Setting up '/api/v1/cfssl/newkey' endpoint
    2016/03/29 09:58:23 [INFO] setting up key / CSR generator
    2016/03/29 09:58:23 [INFO] Setting up '/api/v1/cfssl/ocspsign' endpoint
    2016/03/29 09:58:23 [WARNING] endpoint '/api/v1/cfssl/ocspsign' is disabled: signer not initialized
    ... more like this ...
    
    documentation 
    opened by raarts 13
  • cfssl serve not reading certain JSON fields

    cfssl serve not reading certain JSON fields

    It looks like some of the fields in the JSON config (address, db-config, and aki at least) are not being read from JSON. I can set the address and db-config flags from the command line, but that's a bit less than ideal.

    I also tried setting the aki field using the -aki flag, but it isn't getting inserted into the certificates.authority_key_identifier column in MySQL, preventing certificate revocation. I assume it's not being read from the config file, but it could be a separate issue altogether.

    Edit: I should probably mention that this is compiled with go 1.8, the linux x86_64 package from golang.org/dl/

    Here are my setup steps:

    $ git clone https://github.com/cloudflare/cfssl.git $GOPATH/src/github.com/cloudflare/cfssl
    $ cd $GOPATH/src/github.com/cloudflare/cfssl/
    $ pushd cli/serve && rice embed-go && popd
    $ go get github.com/cloudflare/cfssl/cmd/cfssl
    $ go get github.com/cloudflare/cfssl/cmd/...
    $ cfssl serve -ca ca.pem -ca-key ca-key.pem -config config.json
    2017/03/29 14:40:45 [INFO] Initializing signer
    2017/03/29 14:40:45 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
    2017/03/29 14:40:45 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
    2017/03/29 14:40:45 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
    2017/03/29 14:40:45 [INFO] endpoint '/' is enabled
    2017/03/29 14:40:45 [INFO] setting up key / CSR generator
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
    2017/03/29 14:40:45 [WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/info' is enabled
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
    2017/03/29 14:40:45 [INFO] bundler API ready
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
    2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
    2017/03/29 14:40:45 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
    2017/03/29 14:40:45 [INFO] Handler set up complete.
    2017/03/29 14:40:45 [INFO] Now listening on 127.0.0.1:8888
    

    This is the config I'm using:

    {
        "address": "10.x.x.x",
        "cafile": "/etc/cfssl/ca.pem",
        "cakeyfile": "/etc/cfssl/ca-key.pem",
        "tls-cert": "<removed>",
        "tls-key": "<removed>",
        "responder": "<removed>",
        "responder-key": "<removed>",
        "aki": "<removed>",
        "db-config": "/etc/cfssl/db-config.json",
        "signing": {
    	"profiles": {
                "server": {
                    "auth_key": "key1",
                    "expiry": "8760h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth"
                    ]
                },
                "client": {
                    "auth_key": "key1",
                    "expiry": "8760h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "client auth"
                    ]
                }
            },
            "default": {
                "auth_key": "key1",
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth",
                    "server auth"
                ]
            }
        },
        "auth_keys": {
            "key1": {
                "type": "standard",
                "key": "<removed>"
            }
        }
    }
    
    opened by mikesmitty 12
  • SQL database backend support

    SQL database backend support

    Uses a hardcoded SQLite db.

    When a certificate is signed, it is recorded in the cert store.

    Later, the revoke tool can be used to revoke a certificate.

    cfssl ocspgen will generate a file of concatenated OCSP responses for all unexpired certificates in the cert store.

    I'm opening the PR to gather feedback on this very partial implementation and run CI tests

    opened by andrewbuss 12
  • enable https connection with endpoint CA and key provided

    enable https connection with endpoint CA and key provided

    Added tags "-tls-cert" and "-tls-key" for "cfssl serve" command. With a endpoint user's certificate and key (pem files) , the cfssl can be served on a secure HTTP protocol (HTTPS)

    using Go's default cipher suites , please comment if your browser supports other cipher suites thats not listed.

    TLS_RSA_WITH_RC4_128_SHA                
    TLS_RSA_WITH_3DES_EDE_CBC_SHA           
    TLS_RSA_WITH_AES_128_CBC_SHA            
    TLS_RSA_WITH_AES_256_CBC_SHA            
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA       
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA   
    TLS_ECDHE_RSA_WITH_RC4_128_SHA          
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA    
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    
    opened by codyli520 12
  • Rewrite/refactor SHA1 deprecation logic and fix tests.

    Rewrite/refactor SHA1 deprecation logic and fix tests.

    This is to fix the test issue blocking other pull requests. The initial static tests on bundler are showing their age and need to be improve/rewritten. This is the first step of this. And more will come.

    Summary of changes:

    • Revert the initial design of SHA1 deprecation policy being part of platform metadata because it makes metadata bloated. Instead, the platform metadata should only contain info on CA trust root stores and crypto support.
    • New design of SHA1 deprecation consideration
      • It's only about browsers.
      • It's currently only for warning purpose.
      • The list of SHA1 deprecated browsers are much more static than root certificate stores.
    • Create a new type called SHA1Deprecated to handle SHA1 deprecation warning.
    • Make it explicit that ubiquity scoring doesn't take SHA1 deprecation into account. Right now the weights of Chrome browsers in the original metadata file is encoded as 0. So this is a safe change. And the scoring can be changed later, in a more flexible way.
    • Hardcode the list of Chrome versions that would conditionally reject SHA1 certificate chain. And we can certainly add more in the future.
    • Rename function DeprecatedSHA1Platforms to DeprecatedSHA1Browsers
    • Make sure the tests about SHA1 deprecation warning is the same in bundler.
    • Switch from static tests of SHA1 deprecation warning to dynamic ones in bundler package.
    • improve test coverage in ubiquity package
    opened by lziest 12
  • Unable to sing CSR using the PKCS11 module

    Unable to sing CSR using the PKCS11 module

    Hello, i am trying to sing a csr using the PKCS11 module, so my command looks like this:

    cfssl sign -ca=/root/cfssl-pkcs11-ca/cacert.pem \
    -pkcs11-module="/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" \
    -pkcs11-label="SmartCard-HSM (UserPIN)" \
    -pkcs11-token="0" -pkcs11-pin="123456" \
    -config="/etc/cfssl/conf/ca-config.json" \
    -profile="intermediate-ca"  ca.csr > some_file
    

    It gives me this error: flag provided but not defined: -pkcs11-module The above information about the HSM is correctly and the module is the right one. Anyone got any ideea how should i do this?

    opened by razvan420 0
  • Unable run via Go install with Go 1.19

    Unable run via Go install with Go 1.19

    When using Go 1.19, you are unable to use cfssl if installed via go install

    docker run --rm -it golang:1.19.0 /bin/bash
    go install github.com/cloudflare/cfssl/cmd/[email protected]
    [email protected]:/go# cfssl --help
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x9303c6]
    
    goroutine 1 [running]:
    debug/elf.(*Section).ReadAt(0xc000124320?, {0xc0003e4c00?, 0x70?, 0x7f5f990acfff?}, 0x7f5f98ecc200?)
    	<autogenerated>:1 +0x26
    archive/zip.readDirectoryEnd({0xcad780, 0xc000173780}, 0x5c0)
    	/usr/local/go/src/archive/zip/reader.go:526 +0xf5
    archive/zip.(*Reader).init(0xc0003e21c0, {0xcad780?, 0xc000173780}, 0x5c0)
    	/usr/local/go/src/archive/zip/reader.go:97 +0x5c
    archive/zip.NewReader({0xcad780, 0xc000173780}, 0x5c0)
    	/usr/local/go/src/archive/zip/reader.go:90 +0x5e
    github.com/daaku/go%2ezipexe.zipExeReaderElf({0xcae5c0?, 0xc000014170}, 0x13a7298)
    	/go/pkg/mod/github.com/daaku/[email protected]/zipexe.go:128 +0x8b
    github.com/daaku/go%2ezipexe.NewReader({0xcae5c0, 0xc000014170}, 0x0?)
    	/go/pkg/mod/github.com/daaku/[email protected]/zipexe.go:48 +0x98
    github.com/daaku/go%2ezipexe.OpenCloser({0xc00003da70?, 0xc0001bbbe0?})
    	/go/pkg/mod/github.com/daaku/[email protected]/zipexe.go:30 +0x57
    github.com/GeertJohan/go%2erice.init.0()
    	/go/pkg/mod/github.com/!geert!johan/[email protected]/appended.go:42 +0x65
    

    This does not happen when cloning the repository & building the tools using make.

    opened by 56KBs 1
  • csr  hosts

    csr hosts

    I specified in the JSON file of the CA "server auth" and "client auth"

    image

    The "hosts" in the server's CSR file is left blank; I want this certificate to be used for both server and client, can i do this ?? image

    image

    opened by oison111 0
  • Linting is broken starting with Go 1.17+

    Linting is broken starting with Go 1.17+

    A change in x509.CreateCertificate released with Go 1.17 (https://go-review.googlesource.com/c/go/+/224157/) checks if the private key and the public key used for signing are matching.

    This is an issue when performing pre-issuance linting with cfssl, since the private key is randomly generated but the public key of the parent certificate is used. This means that the signing of the lintCertificate fails with x509: provided PrivateKey doesn't match parent's PublicKey.

    https://github.com/cloudflare/cfssl/blob/e6502bb7ffe4ee576227c9123a101deda248884c/signer/local/local.go#L168-L172

    Unfortunately, this breaks certificate signing when Linting is enabled. To fix this, it should be possible to copy the attributes of the parent certificate and generate a new matching keypair to sign the lintCertificate

    opened by mowirth 0
  • cfssl certinfo should be pipeable into cfssl genkey -

    cfssl certinfo should be pipeable into cfssl genkey -

    cfssl certinfo should be pipeable into cfssl genkey - to generate a new csr and key based off of a preexisting cert, csr or domain.

    i.e.

    cfssl certinfo -domain www.cloudflare.com | cfssl genkey -
    

    This would be useful for renewals.

    Currently, I end up with pretty much none of the data translating into the new csr/key

    • No subject
    • No san
    • No matching key algorithm
    1. cfssl certinfo doesn't provide full key details.

    i.e. no "key": { "algo": "rsa", "size": 2048 } or equivalent

    1. cfssl certinfo and cfssl genkey don't represent data the same way, nor does cfssl genkey seem to alias or understand cfssl certinfo data.

    i.e. cfssl certinfo .sans vs cfssl genkey - .hosts cfssl certinfo .subject (and sub-key names) vs cfssl genkey .names (and sub-key names)

    opened by mrnetops 1
  • Is Possible to Use Passwords for Root CA Key?

    Is Possible to Use Passwords for Root CA Key?

    I understand that the idea with this is to have it behind some protected service, but it would be useful to be able to use encrypted keys (i.e. keys with passwords) for cli only usage. At the moment, trying to use such a key yields:

    2022/03/11 15:29:06 [INFO] re-generate a CA certificate from CSR and CA key
    2022/03/11 15:29:06 [ERROR] {"code":2100,"message":"Private key is encrypted."}
    {"code":2100,"message":"Private key is encrypted."}
    
    opened by afrazkhan 0
Releases(v1.6.1)
Http-server - A HTTP server and can be accessed via TLS and non-TLS mode

Application server.go runs a HTTP/HTTPS server on the port 9090. It gives you 4

Vedant Pareek 0 Feb 3, 2022
Transparent TLS and HTTP proxy serve and operate on all 65535 ports, with domain regex whitelist and rest api control

goshkan Transparent TLS and HTTP proxy serve & operating on all 65535 ports, with domain regex whitelist and rest api control tls and http on same por

Sina Ghaderi 10 Aug 2, 2022
Monitors the expiry time of tls certificates and exports prometheus metrics

Certificate Monitor Monitors the expiry time of tls certificates and exports prometheus metrics. Target domains can be automatically discovered via in

appvia 3 Feb 7, 2022
Toy TLS certificate viewer

veilig Toy tls certificate viewer that I built because openssl s_client confuses me Source available at: https://github.com/noqqe/veilig/ Please repor

Florian Baumann 9 Aug 25, 2021
Mutual TLS encryption TCP proxy with golang

mtls-tcp-proxy Mutual Authentication TLS encryption TCP proxy with golang Why? I created this because of sometimes, it is not possible for us to estab

Habibie Faried 2 Jul 23, 2022
Fork of Go stdlib's net/http that works with alternative TLS libraries like refraction-networking/utls.

github.com/ooni/oohttp This repository contains a fork of Go's standard library net/http package including patches to allow using this HTTP code with

Open Observatory of Network Interference (OONI) 26 Jul 22, 2022
High-performance, non-blocking, event-driven, easy-to-use networking framework written in Go, support tls/http1.x/websocket.

High-performance, non-blocking, event-driven, easy-to-use networking framework written in Go, support tls/http1.x/websocket.

lesismal 734 Aug 5, 2022
node api for proxying requests with golang to spoof tls fingerprint

WIP NOT BUILT WONT WORK AS IS gotTLS A node websocket api version of https://github.com/Carcraftz/TLS-Fingerprint-API to spoof TLS fingerprint to prev

evade 3 Sep 28, 2021
go HTTP client that makes it plain simple to configure TLS, basic auth, retries on specific errors, keep-alive connections, logging, timeouts etc.

goat Goat, is an HTTP client built on top of a standard Go http package, that is extremely easy to configure; no googling required. The idea is simila

VSPAZ 1 Jun 25, 2022
Using Wireshark to decrypt TLS gRPC Client-Server protobuf messages

Using Wireshark to decrypt TLS gRPC Client-Server protobuf messages Sample client server in golang that demonstrates how to decode protobuf messages f

null 3 Nov 24, 2021
Fix Burp Suite's horrible TLS stack & spoof any browser fingerprint

Awesome TLS This extension hijacks Burp's HTTP and TLS stack to make it more powerful and less prone to fingerprinting by all kinds of WAFs. It does t

Sleeyax 61 Jul 29, 2022
httpx is a fast and multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.

Features • Installation • Usage • Running httpx • Notes • Join Discord httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers us

ProjectDiscovery 3.5k Aug 5, 2022
Hetty is an HTTP toolkit for security research.

Hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful

David Stotijn 4.6k Aug 6, 2022
Packiffer is a lightweight cross-platform networking toolkit that let you sniff/analyze/inject/filter packets.

Packiffer is a lightweight cross-platform networking toolkit that let you sniff/analyze/inject/filter packets.

Massoud Asadi 60 Jul 30, 2022
A golang library about socks5, supports all socks5 commands. That Provides server and client and easy to use. Compatible with socks4 and socks4a.

socks5 This is a Golang implementation of the Socks5 protocol library. To see in this SOCKS Protocol Version 5. This library is also compatible with S

chenhao zhang 40 Jul 4, 2022
Tapestry is an underlying distributed object location and retrieval system (DOLR) which can be used to store and locate objects. This distributed system provides an interface for storing and retrieving key-value pairs.

Tapestry This project implements Tapestry, an underlying distributed object location and retrieval system (DOLR) which can be used to store and locate

Han Cai 1 Mar 16, 2022
A Go package for sending and receiving ethernet frames. Currently supporting Linux, Freebsd, and OS X.

ether ether is a go package for sending and receiving ethernet frames. Currently supported platform: BPF based OS X FreeBSD AF_PACKET based Linux Docu

Song Gao 77 Jun 20, 2022
Package ethernet implements marshaling and unmarshaling of IEEE 802.3 Ethernet II frames and IEEE 802.1Q VLAN tags. MIT Licensed.

ethernet Package ethernet implements marshaling and unmarshaling of IEEE 802.3 Ethernet II frames and IEEE 802.1Q VLAN tags. MIT Licensed. For more in

Matt Layher 242 Jul 17, 2022