Master cfssl: Step‑by‑Step Guide to Generate Self‑Signed Certificates on Linux

Overview

CFSSL (CloudFlare's PKI and TLS toolkit) is an open‑source Go tool for certificate signing, verification and management. It supports generating client, server and peer certificates.

Basic Concepts of Certificate Generation

CA (Certificate Authority)

CA is the trust anchor of PKI, responsible for signing certificates, distributing trust via a root CA, and managing certificate lifecycle (issuance, renewal, revocation, status checking).

Root CA – self‑signed, stored offline, rarely signs end‑entity certificates.

Intermediate CA – signed by root, handles signing workload; compromise limits impact.

End‑entity CA – directly signs server/client certificates.

Security best practices: hierarchical design, offline storage of root private key, rotate intermediate CAs every 3‑5 years.

CSR (Certificate Signing Request)

A CSR contains the public key, identity information (CN, O, etc.) and extensions such as SAN. The private key must remain confidential and the domain names must match the server.

Certificate Configuration File

CFSSL uses JSON files (e.g., ca-config.json) to define signing policies, validity periods and usages.

Installing cfssl on Linux

curl -L -o /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -L -o /usr/local/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -L -o /usr/local/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /usr/local/bin/cfssl*

cfssl gencert Command Details

Core Parameters

-ca [path] – path to CA certificate (PEM).

-ca-key [path] – path to CA private key.

-config [path] – JSON signing profile.

-profile [name] – selects a profile such as server, client, peer, ca, kubernetes.

-hostname [list] – SAN entries (domains, IPs).

-cn [name] – Common Name.

-key-algo [algo] – rsa or ecdsa (default rsa).

-key-size [bits] – key length (RSA ≥2048, ECDSA ≥256).

-initca – generate a self‑signed root CA.

-self-signed – generate a self‑signed non‑CA certificate.

Practical: Generating Certificates

Root CA

Create ca-config.json and ca-csr.json (example shown) then run:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

This produces ca.pem, ca-key.pem and ca.csr.

Intermediate CA

Define intermediate-csr.json and run:

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=ca intermediate-csr.json | cfssljson -bare intermediate

Outputs intermediate.pem and intermediate-key.pem.

Server Certificate

Define server-csr.json with desired hosts, then sign with the intermediate CA:

cfssl gencert -ca=intermediate/intermediate.pem -ca-key=intermediate/intermediate-key.pem -config=ca-config.json -profile=server server-csr.json | cfssljson -bare server

Generates server.pem and server-key.pem, ready for Nginx configuration.

Client Certificate

cfssl gencert -ca=intermediate/intermediate.pem -ca-key=intermediate/intermediate-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client

Kubernetes Certificates

Example CSR for the API server includes service IPs and DNS names. Sign with the intermediate CA using the kubernetes profile:

cfssl gencert -ca=intermediate/intermediate.pem -ca-key=intermediate/intermediate-key.pem -config=ca-config.json -profile=kubernetes k8s-apiserver-csr.json | cfssljson -bare api-server