尝试通过CFSSL(multirootca)使用经过身份验证的远程签名

时间:2019-06-21 14:30:09

标签: openssl ssl-certificate

我正在尝试通过将multirootca作为CA签名服务器并使用CFSSL客户端进行令牌认证来使用CFSSL获得经过身份验证的远程签名。

在CA服务器上,我的CA签名配置(ca-signing-config.json)是:

{
"auth_keys": {
    "pri-auth": {
        "type": "standard",
        "key": "0123456789ABCDEF0123456789ABCDEF"
    }
},
"signing": {
    "default": {
        "usages": [
            "digital signature"
        ],
        "expiry": "52608h"
    },
    "profiles": {
        "primary": {
            "auth_key": "pri-auth",
            "usages": [
                "signing",
                "digital signature",
                "key encipherment",
                "server auth",
                "client auth"
            ],
            "expiry": "52608h"
        }
    }
}
}

我的multirootca.conf是:

[primary]
private = file://primary-key.pem
certificate = primary-cert.pem
config = ca-signing-config.json

我正在使用以下方式启动multirootca:

multirootca -a "127.0.0.1:8888" -l primary -roots multirootca.conf

然后从客户端(在我的测试中在同一台计算机上运行):

client-config.json:

{           
"auth_keys" : {
   "pri-auth" : {
      "type" : "standard",
      "key" : "0123456789ABCDEF0123456789ABCDEF"
   }
},
"signing" : {
   "default" : {
      "auth_remote" : {
         "remote" : "pri-server",
         "auth_key" : "pri-auth"
      }
   }
},
"remotes" : {
   "pri-server" : "localhost:8888"
}
}

client.csr:

{
"CN": "my.test",
"Hosts": [
    "my.test"
],
"key": {
    "algo": "ecdsa",
    "size": 384
},
"names": [
    {
        "C": "US",
        "S": "Hawaii",
        "O": "Test, Inc.",
        "OU": "Test Group"
    }
]
}

cfssl sign命令:

cfssl sign -config client-config.json -csr client.csr | cfssljson -bare client-output

问题在于服务器表示客户端正在发送未经身份验证的请求(尽管它在正确的端点/ authsign处)。

服务器输出:

2019/06/21 07:22:45 [ERROR] [HTTP 401] 1 - authorisation required (received unauthenticated request)
POST /api/v1/cfssl/authsign HTTP/1.1
Host: localhost:8888
Connection: close
Accept-Encoding: gzip
Connection: close
Content-Length: 1196
Content-Type: application/json
User-Agent: Go-http-client/1.1

客户端输出:

[ERROR] http error with http://localhost:8888/api/v1/cfssl/authsign
{"code":7400,"message":"{\"success\":false,\"result\":null,\"errors\":[{\"code\":1,\"message\":\"authorisation required\"}],\"messages\":[]}\n"}
Failed to parse input: unexpected end of JSON input

有什么想法我在做什么错吗?

谢谢!

1 个答案:

答案 0 :(得分:0)

看起来您距离很近。一旦您的multirootca启动并运行,您应该能够使用cfssl gencert来生成私钥并使用CA进行签名:

cfssl gencert -config=client-config.json -hostname=my.test -profile=primary client.csr | cfssljson -bare my.test
相关问题
最新问题