cfssl for intermediates
• Mark Eschbach
Yesterday I got stuck on building a reasonable structure for an intermediate CA. Traditional structures in my sphere for CAs have been:
- Root with an expiry in ~10 years.
- Services intermediate expiring in ~5 years. This is intended to sign the services certificates which will expire every year. This certificate should be replaced every two to three years.
- Client intermediate expiring in ~5 years. Arguably these should be short-lived, depending on the target environments.
For the services certificates I would like to deploy them to a Vault instance for the target environment. This allows for rapid issuance of the certificates. I’ll worry about core OCSP after I prove I can get this arc done.
Looking at Certificate Authority with CFSSL by Johannes Tegnér, the approach looks promising and repeatable. Building off Johannes Tegnér’s work, let us see if we can create a repository with a reusable script to build my standard PKI setup.
Apparently the NodeJS setups I have do not support ECDSA for clients and servers.
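As an added example (not from this post or from Johannes Tegnér’s guide), here is a shell script that writes the cfssl signing config and CSR JSON for the three-tier layout above (10-year root, 5-year services intermediate, yearly service certificate) and then builds and verifies the chain. The CN values, file names, the `build` argument and the RSA leaf key (chosen because of the Node.js ECDSA limitation noted above) are assumptions.

```shell
#!/usr/bin/env bash
# Hypothetical helper: emits cfssl config + CSR JSON for the hierarchy, then builds it.
# cfssl expiries are in hours: 87600h = 10y, 43800h = 5y, 8760h = 1y.
write_configs() {                      # $1 = output directory
  mkdir -p "$1"
  cat > "$1/config.json" <<'EOF'
{"signing": {"default": {"expiry": "8760h"},
  "profiles": {
    "intermediate": {"usages": ["cert sign", "crl sign"], "expiry": "43800h",
      "ca_constraint": {"is_ca": true, "max_path_len": 0, "max_path_len_zero": true}},
    "server": {"usages": ["signing", "key encipherment", "server auth"], "expiry": "8760h"},
    "client": {"usages": ["signing", "key encipherment", "client auth"], "expiry": "8760h"}}}}
EOF
  # Root: ECDSA P-256; lifetime and path length come from the CSR's "ca" block under -initca.
  cat > "$1/root-csr.json" <<'EOF'
{"CN": "Example Root CA", "key": {"algo": "ecdsa", "size": 256}, "ca": {"expiry": "87600h", "pathlen": 1}}
EOF
  cat > "$1/services-int-csr.json" <<'EOF'
{"CN": "Example Services Intermediate CA", "key": {"algo": "ecdsa", "size": 256}}
EOF
  # Leaf uses RSA because the Node.js clients in the post lack ECDSA support (constructed name).
  cat > "$1/service-csr.json" <<'EOF'
{"CN": "api.example.internal", "hosts": ["api.example.internal"], "key": {"algo": "rsa", "size": 2048}}
EOF
}

build_pki() {                          # $1 = working directory; needs cfssl, cfssljson, openssl
  write_configs "$1" && cd "$1" || return 1
  cfssl gencert -initca root-csr.json | cfssljson -bare root
  cfssl gencert -ca root.pem -ca-key root-key.pem -config config.json \
    -profile intermediate services-int-csr.json | cfssljson -bare services-int
  cfssl gencert -ca services-int.pem -ca-key services-int-key.pem -config config.json \
    -profile server service-csr.json | cfssljson -bare service
  # The root is the only trust anchor; the intermediate must be supplied as untrusted.
  openssl verify -CAfile root.pem -untrusted services-int.pem service.pem
}

if [ "${1:-}" = "build" ]; then build_pki "${2:-./pki}"; fi
```

Run with `bash pki.sh build ./pki`; the final `openssl verify` fails if the intermediate profile is missing its `ca_constraint`, which is the usual mistake when a leaf refuses to chain.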
I have posted the example.