HowtoForge

Integration of CFSSL with the Lemur Certificate Manager

In the previous article on the Lemur certificate manager, we did not use any third-party root Certification Authority (CA) for the client certificates. In this tutorial, a PKI will therefore be set up using CFSSL (Cloudflare's SSL toolkit) and integrated with the Lemur project. Currently there is no document that helps the user integrate CFSSL with a Lemur setup.

Note: Because CFSSL is used as a third-party root authority, it should first be set up on a separate machine (for simplicity we set it up on the same Lemur box here). Afterwards the Lemur configuration file is changed so that CFSSL is used for signing the certificates.

Installing CFSSL

CFSSL is implemented in the Go programming language, so the Go package is required on the machine. The following steps install it.

1. Install Go 

The Go package will be installed from the downloaded archive.

wget https://dl.google.com/go/go1.10.1.linux-amd64.tar.gz 

Extract the downloaded archive and move it to the desired location on the system. We install it under the /usr/local directory; any other location works as long as GOROOT points to it.

tar -xzvf go1.10.1.linux-amd64.tar.gz
mv go /usr/local

After installing the Go package, the environment variables for the Go binary must be set (add them to your user profile to make the setting permanent). Commonly three variables are set: GOROOT, GOPATH and PATH.

GOROOT is the location where the Go package is installed on your system.

export GOROOT=/usr/local/go

GOPATH is the location of your work directory.

export GOPATH=$HOME/go

Now set the PATH variable so that the go binary can be run from anywhere.

export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

2. Test Go command

Now type the "go" command in the terminal. It prints its usage output, as shown in the following screenshot.

go

3. Install CFSSL

We install CFSSL on this Ubuntu platform. Once the required Go environment variables are set properly, the CFSSL installation is straightforward.

a. The following command downloads the CFSSL utility and builds it into the $GOPATH/bin/ directory.

go get -u github.com/cloudflare/cfssl/cmd/cfssl

b. The following command installs the cfssljson helper of the CFSSL package. It is required because cfssl emits its results as JSON, and cfssljson splits that output into the certificate, key and CSR files.

go get -u github.com/cloudflare/cfssl/cmd/cfssljson

c. Alternatively, install all CFSSL programs at once with the command below. It downloads, builds and installs all of the utility programs (including cfssl, cfssljson and mkbundle, among others) into the $GOPATH/bin/ directory.

go get -u github.com/cloudflare/cfssl/cmd/...

Run the "cfssl" command in the terminal; it lists all the operations supported by the CFSSL PKI.

CFSSL's PKI Setup

Now the cfssl application will be used to set up the PKI for the Lemur project. Two kinds of configuration file matter in a CFSSL setup: the CSR configuration and the signing configuration. The CSR configuration describes the key pair and subject of the certificate you are about to create, and the signing configuration, as the name suggests, sets the rules (key usages, expiry and CA constraints) applied when a certificate is signed.

Create ROOT CA

For the root CA, use the following CSR configuration file (which we'll call csr_ROOT_CA.json):

{
  "CN": "MY-ROOT-CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "UK",
      "L": "London",
      "O": "My Organisation",
      "OU": "My Organisational Unit Inside My Organisation"
    }
  ],
  "ca": {
    "expiry": "262800h"
  }
}

A brief explanation of the different fields: "CN" is the common name of the CA; "key" selects the key type, here an ECDSA key on the P-256 curve; "names" fills the subject fields (country, locality, organisation and organisational unit); "ca.expiry" is the validity of the self-signed CA certificate in hours, 262800h being 30 years.

Now run the following command to actually create the Root CA for Lemur.

cfssl gencert -initca csr_ROOT_CA.json | cfssljson -bare root_ca

The above command creates three files on the machine: root_ca.pem (the self-signed certificate), root_ca-key.pem (the private key) and root_ca.csr.

The Root CA is self-signed, so move on to the next step: generating an intermediate CA.

Intermediate CA

Generating an intermediate CA is not mandatory but is best practice. The purpose of an intermediate CA is to add a step in the chain for security: usually the Root CA key is kept on an offline machine and is only used when an intermediate CA certificate needs to be signed.

The configuration file "csr_INTERMEDIATE_CA.json" is required to create an intermediate CA.

{
  "CN": "My-Intermediate-CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "UK",
      "L": "London",
      "O": "My Organisation",
      "OU": "My Organisational Unit Inside My Organisation"
    }
  ],
  "ca": {
    "expiry": "42720h"
  }
}

The "root_to_intermediate_ca.json" file contains the Root CA signing configuration.

{
  "signing": {
    "default": {
      "usages": ["digital signature", "cert sign", "crl sign", "signing"],
      "expiry": "262800h",
      "ca_constraint": {
        "is_ca": true,
        "max_path_len": 0,
        "max_path_len_zero": true
      }
    }
  }
}

This file contains the most relevant parameters of the certificate to be signed: the key usages, the validity period and the CA constraint ("is_ca" marks the result as a CA, and "max_path_len" 0 together with "max_path_len_zero" forbids it from signing further CAs).

The following command will create an Intermediate CA against the above-mentioned configuration.

cfssl gencert -initca csr_INTERMEDIATE_CA.json | cfssljson -bare intermediate_ca

The above command creates intermediate_ca.pem, intermediate_ca-key.pem and intermediate_ca.csr for the Intermediate CA.

The following command signs the Intermediate CA certificate with the Root CA.

cfssl sign -ca root_ca.pem -ca-key root_ca-key.pem -config root_to_intermediate_ca.json intermediate_ca.csr | cfssljson -bare intermediate_ca

The above command replaces intermediate_ca.pem with the certificate signed by the Root CA. The setup of the Root and Intermediate CA is now complete. It is important to keep the Root CA keys and configuration files safe and secure. The next step is to create a certificate for a client device or customer; here the CFSSL setup will be integrated with the Lemur project and the client certificate will be generated through it.
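As an added sanity check (not part of the original tutorial, and not CFSSL's own code), the following Python script validates the three configuration files above before they are fed to cfssl. It embeds constructed inline copies of the files and encodes one cfssl behaviour worth knowing: cfssl sign takes the validity of the signed certificate from the profile's "expiry", not from the CSR's "ca.expiry".

```python
import re

# Constructed inline copies of the tutorial's three files (assumption: in a
# real run they are loaded with json.load from csr_ROOT_CA.json,
# csr_INTERMEDIATE_CA.json and root_to_intermediate_ca.json).
ROOT_CSR = {"CN": "MY-ROOT-CA", "key": {"algo": "ecdsa", "size": 256},
            "ca": {"expiry": "262800h"}}
INTERMEDIATE_CSR = {"CN": "My-Intermediate-CA", "key": {"algo": "ecdsa", "size": 256},
                    "ca": {"expiry": "42720h"}}
SIGNING_CONFIG = {"signing": {"default": {
    "usages": ["digital signature", "cert sign", "crl sign", "signing"],
    "expiry": "262800h",
    "ca_constraint": {"is_ca": True, "max_path_len": 0, "max_path_len_zero": True}}}}


def expiry_hours(value):
    """Parse a CFSSL duration such as '262800h' into an integer number of hours."""
    match = re.fullmatch(r"\s*(\d+)h\s*", value)
    if not match:
        raise ValueError("expiry must be a whole number of hours, e.g. '8760h': %r" % value)
    return int(match.group(1))


def check_pki_config(root_csr, intermediate_csr, signing_cfg):
    """Return a list of problems; an empty list means the files are consistent."""
    problems = []
    root_h = expiry_hours(root_csr["ca"]["expiry"])
    if expiry_hours(intermediate_csr["ca"]["expiry"]) > root_h:
        problems.append("intermediate ca.expiry is longer than the root's")
    profile = signing_cfg["signing"]["default"]
    if "cert sign" not in profile.get("usages", []):
        problems.append("signing profile lacks 'cert sign', so it cannot sign a CA certificate")
    constraint = profile.get("ca_constraint", {})
    if not constraint.get("is_ca"):
        problems.append("signing profile does not set ca_constraint.is_ca")
    if constraint.get("max_path_len", 0) == 0 and not constraint.get("max_path_len_zero"):
        problems.append("max_path_len 0 needs max_path_len_zero true, otherwise cfssl ignores it")
    # cfssl sign takes the validity from the profile, not from the CSR's ca.expiry,
    # so a profile as long-lived as the root lets the intermediate outlive the root.
    if expiry_hours(profile["expiry"]) >= root_h:
        problems.append("signing profile expiry %s is not shorter than the root's %s"
                        % (profile["expiry"], root_csr["ca"]["expiry"]))
    return problems


if __name__ == "__main__":
    for line in check_pki_config(ROOT_CSR, INTERMEDIATE_CSR, SIGNING_CONFIG) or ["ok"]:
        print(line)
```

Run against the tutorial's files it reports one finding, the 262800h profile expiry; setting the profile's "expiry" to the intermediate's 42720h clears it.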

Run CFSSL's PKI

To run the CFSSL-based PKI, go inside the certs directory and run the following command. Note that it serves the Root CA certificate and key directly, so every certificate issued through this endpoint is signed by the root.

cfssl serve -address 192.168.10.151 -ca root_ca.pem -ca-key root_ca-key.pem -port 8888

The output of the above command is as follows.

root@test-vm:/home/john/Desktop/certs# cfssl serve -address 192.168.10.151 -ca root_ca.pem -ca-key root_ca-key.pem -port 8888
2018/05/20 16:35:18 [INFO] Initializing signer
2018/05/20 16:35:19 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2018/05/20 16:35:19 [INFO] endpoint '/' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
2018/05/20 16:35:19 [INFO] bundler API ready
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2018/05/20 16:35:19 [INFO] setting up key / CSR generator
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2018/05/20 16:35:19 [WARNING] endpoint 'authsign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
2018/05/20 16:35:19 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2018/05/20 16:35:19 [INFO] Handler set up complete.
2018/05/20 16:35:19 [INFO] Now listening on 192.168.10.151:8888

The IP address of the machine is 192.168.10.151 and the port is 8888. Allow this port in the firewall so that Lemur can reach CFSSL. As the log shows, the sign endpoint is enabled while authsign is disabled, so limit access to this port to the Lemur host rather than opening it broadly.

NOTE: The following usage summary shows the options accepted by the cfssl serve command.

cfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \
[-ca-key key] [-int-bundle bundle] [-int-dir dir] [-port port] \
[-metadata file] [-remote remote_host] [-config config] \
[-responder cert] [-responder-key key] [-db-config db-config]

Now the configuration of CFSSL is complete and it is running on the machine. The next step is the integration of CFSSL with Lemur.

Lemur configuration for CFSSL's PKI

Now the Lemur configuration file "lemur.conf.py" is modified to include the CFSSL information: the URL of the CFSSL service and the Root and Intermediate CA certificates. The path of the Lemur configuration file is "/home/lemur/.lemur/lemur.conf.py".

CFSSL_URL ="http://192.168.10.151:8888"
CFSSL_ROOT ="""-----BEGIN CERTIFICATE-----
MIICcjCCAhegAwIBAgIUahfYPc4RpK92G1ZHhu3q9URvf+8wCgYIKoZIzj0EAwIw
9UmEM4IEd2j8/w4WdTYaBE5EzwIhAN3oW9iAmjcyzC/7BPIY/Sr+twig/+XwnQ8T
hKXP2OHd
-----END CERTIFICATE-----"""
CFSSL_INTERMEDIATE ="""-----BEGIN CERTIFICATE-----
MIICfDCCAiKgAwIBAgIUEeb8Duel8wySG61vCM2UEUD15XQwCgYIKoZIzj0EAwIw
qM9lE82tku/b6SMxAlBByQ==
-----END CERTIFICATE-----"""

Now run the "lemur start" command so that lemur.conf.py is loaded with the CFSSL settings.

Create certificates using CFSSL

Following our previous article on Lemur, access the dashboard to create client certificates using the CFSSL Root CA. First, create a new Certification Authority and select the CFSSL plugin as its Root CA.

1. Set the different parameters of the new authority.

2. Select the newly set up CFSSL plugin as the Root CA.

After setting up the new Certification Authority in Lemur, the next step is to generate a certificate using the newly configured CFSSL plugin.
