{"id":5305,"date":"2018-07-09T16:30:57","date_gmt":"2018-07-09T12:30:57","guid":{"rendered":"https:\/\/www.howtoforge.com\/tutorial\/integration-of-cfssl-with-the-lemur-certificate-manager\/"},"modified":"2018-07-09T16:30:57","modified_gmt":"2018-07-09T12:30:57","slug":"integration-of-cfssl-with-the-lemur-certificate-manager","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/integration-of-cfssl-with-the-lemur-certificate-manager\/","title":{"rendered":"Integration of CFSSL with the Lemur Certificate Manager"},"content":{"rendered":"

In the\u00a0previous article on Lemur<\/a> certificate manager, we have not used any third party root Certification Authority (CA) for the client certificates. Therefore, in this tutorial, PKI will be set up using CFSSL (Cloudflare’s SSL) and integrated with the Lemur project. Currently, there is no document which helps the user to integrate CFSSL with the Lemur setup.\u00a0<\/p>\n

Note: As we are using CFSSL as a 3rd party root authority, so first we have to setup it on a separate machine ( however we set up it on the same Lemur box)\u00a0and after that change the lemur conf file to use CFSSL for the signing the certificate.\u00a0<\/p>\n

Installing CFSSL<\/h2>\n

The CloudFlare SSL\u00a0 is implemented using “Go” programming language so installation of “go” package is required on the machine. The following command will install the required package on the machine.<\/p>\n

1. Install Go\u00a0<\/h3>\n

The Go package will be installed from source code.\u00a0<\/p>\n

wget https:\/\/dl.google.com\/go\/go1.10.1.linux-amd64.tar.gz\u00a0<\/dprompt><\/p>\n

\"Install<\/a><\/span><\/p>\n

Extract the downloaded archive and install it to the desired location on the system. We are installing it under \/usr\/local directory. You can also put this under the desired location on the system.<\/span><\/p>\n

tar -xzvf go1.10.1.linux-amd64.tar.gz<\/dprompt><\/p>\n

mv go \/usr\/local<\/dprompt><\/dprompt><\/p>\n

\"Unpack<\/a><\/p>\n

After the installation of the Go package, it is also required to set an environment variable for the Go binary. (You can add it in the user profile so make it permanent setting).\u00a0Commonly you need to set 3 environment variables as\u00a0<\/span>GOROOT<\/strong>,\u00a0<\/span><\/span>GOPATH<\/strong>\u00a0<\/span>and\u00a0<\/span><\/span>PATH<\/strong>.<\/span><\/p>\n

GOROOT<\/strong>\u00a0<\/span>is the location where Go package is installed on your system.<\/p>\n

export GOROOT=\/usr\/local\/go<\/dprompt><\/p>\n

GOPATH<\/strong>\u00a0<\/span>is the location of your work directory.<\/span><\/p>\n

export GOPATH=$HOME\/go<\/p>\n

Now set the\u00a0<\/span>PATH<\/strong>\u00a0<\/span>variable to access go binary system-wide.<\/p>\n

export PATH=$PATH:$GOROOT\/bin:$GOPATH\/bin<\/p>\n

\"Set<\/a><\/p>\n

2. Test Go command<\/h3>\n

Now type “go” command in the terminal. It will show the output like the following screenshot.<\/p>\n

go
\n<\/pre>\n
\"Test<\/a><\/p>\n
3. Install CFSSL<\/h3>\n
We have to install CFSSL on this Ubuntu platform. When the required environment variables for GO are set properly, then CFSSL installation process will be easy.<\/p>\n
a. The following command will download the CFSSL utility and build it in the $GOPATH\/bin\/ path.<\/p>\n
go get -u github.com\/cloudflare\/cfssl\/cmd\/cfssl<\/p>\n
b. The following command will install the json plugin of CFSSL package.It is required because CFSSL handles JSON requests.<\/p>\n
\u00a0go get -u github.com\/cloudflare\/cfssl\/cmd\/cfssljson<\/p>\n
c. simply install all of the programs of CFSSL using below given command. This command will download, build, and install all of the utility programs (including cfssl, cfssljson, and mkbundle among others) into the $GOPATH\/bin\/ directory.<\/p>\n
go get -u github.com\/cloudflare\/cfssl\/cmd\/…<\/p>\n
\"Install<\/a><\/h2>\n
As shown below, Run “cfssl” command in the terminal and it will show all the operation supported by the CFSSL PKI.<\/p>\n
\"Run<\/a><\/p>\n
CFSSL’s PKI Setup<\/h2>\n
Now, cfssl application will be used to setup PKI for the Lemur project.\u00a0 The configuration files “CSR_configuration” and “signing_configuration” are important in CFSSL setup. The “CSR” configuration file contains the configuration for the key pair you\u2019re about to create and the “Signing” configuration as the name goes, sets up the configuration rules.<\/p>\n
Create ROOT CA<\/h3>\n
For the root CA, check the following\u00a0CSR configuration file (which we\u2019ll call\u00a0csr_ROOT_CA.json):<\/p>\n