cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

Right way to create an intermediate certificate authority which is created through CLI without db connection #1339

Open thehellmaker opened 7 months ago

thehellmaker commented 7 months ago

Hi CFSSL Team, first of all, CFSSL is a lovely piece of software. Thank you so much for building and open sourcing it.

To start an API server and let it handle signing using an intermediate certificate, we first need to:

  1. Create a self-signed root CA using the CLI (cfssl gencert -initca).
  2. Create an intermediate CA using the CLI, signed by the root CA.
  3. Start the API server with cfssl serve, passing the intermediate certificate via the -ca and -ca-key options along with a DB config option. (I am using PostgreSQL for my setup.)

After that, all certificates created through the API have their cert details (without the private key) stored in the PostgreSQL DB. This enables us to call revoke on those certificates.

Since the root and intermediate CA themselves were created using the CLI, they were not added to the DB. What is the right way to set this up so that intermediate CAs can be revoked as well in case of a breach, since the intermediate PEM and keys are on the server and not air-gapped like the root CA?

One approach is:

  1. Create the root CA.
  2. Start the API server with the root CA.
  3. Call the /api/v1/cfssl/newcert API with the intermediate CA profile.
  4. Stop the API server, then start it again with the intermediate CA as the -ca and -ca-key options.

Is this the correct way to do it?
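A shell walk-through of that second approach, added here as an example rather than code from the cfssl project or the reporter. File names (root-csr.json, db.json, config.json), the CN/O values and the 127.0.0.1:8888 address are assumptions; the signing profile uses cfssl's ca_constraint with a zero path length so the intermediate can issue leaf certificates but not further CAs.

```shell
# Issue the intermediate through the root-backed API server so its record is written to the certdb. Hypothetical names throughout.
# Signing config for the root-backed server: the "intermediate" profile's
# ca_constraint marks the issued cert as a CA that may not issue further CAs.
write_signing_config() {
  cat > "$1" <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h", "usages": ["signing", "key encipherment", "server auth", "client auth"] },
    "profiles": {
      "intermediate": {
        "usages": ["cert sign", "crl sign"],
        "expiry": "43800h",
        "ca_constraint": { "is_ca": true, "max_path_len": 0, "max_path_len_zero": true }
      }
    }
  }
}
EOF
}
# Body for POST /api/v1/cfssl/newcert: a CSR request plus the profile to apply.
write_intermediate_request() {
  cat > "$1" <<'EOF'
{
  "request": {
    "CN": "Example Intermediate CA",
    "key": { "algo": "ecdsa", "size": 256 },
    "names": [{ "O": "Example Org" }]
  },
  "profile": "intermediate"
}
EOF
}
# Full sequence; needs cfssl, cfssljson, curl and the DB from db.json, so it is not run automatically.
bootstrap_intermediate() {
  write_signing_config config.json
  write_intermediate_request intermediate-req.json
  # 1. self-signed root CA (root-csr.json is an assumed, pre-written CSR spec)
  cfssl gencert -initca root-csr.json | cfssljson -bare root
  # 2. temporary API server backed by the root, recording issued certs in the DB
  cfssl serve -ca root.pem -ca-key root-key.pem -config config.json -db-config db.json &
  pid=$!; sleep 2
  # 3. request the intermediate via the API; cfssljson unwraps the "result" envelope
  curl -sS -d @intermediate-req.json http://127.0.0.1:8888/api/v1/cfssl/newcert \
    | cfssljson -bare intermediate
  # 4. stop the root-backed server and restart on the intermediate for normal issuance
  kill "$pid"
  cfssl serve -ca intermediate.pem -ca-key intermediate-key.pem -config config.json -db-config db.json
}
```

Because the intermediate is issued through the API in step 3, it gets a certdb row like any other API-issued certificate, which is what a later /api/v1/cfssl/revoke call relies on; the root stays CLI-only and off the server.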