cfssl | CFSSL: Cloudflare's PKI and TLS toolkit | TLS library
kandi X-RAY | cfssl Summary
CFSSL: Cloudflare's PKI and TLS toolkit
Community Discussions
QUESTION
It's slightly embarrassing to ask this, but here it goes: What's the difference between generating public/private keys via ssh-keygen and cfssl?
I've successfully used ssh-keygen to create pub/private key credentials that can be used to ssh into a server. I've also successfully used cfssl to create a private key & certificate for a web site. However, I can't seem to figure out how to use cfssl to do what ssh-keygen does.
Since they both can be used to generate public/private RSA 4096 keys, it seems as if they could be used interchangeably. Unfortunately, no matter how many different combinations I try, or how much I search the interwebs, I can't seem to find a working example.
I'm starting to think that there's something I fundamentally don't understand regarding each tool's approach to encryption.
People of stackoverflow land... have mercy on me, and please point out the error of my ways. Your help is truly appreciated.
ANSWER
Answered 2021-Apr-10 at 19:33
No, these two types of keys aren't interchangeable. RSA is an algorithm for encryption and digital signatures. It is used in both TLS (for web sites) and SSH, but those two protocols, while they both support RSA keys, use the algorithm differently.
A protocol specifies a (hopefully secure) technique for using standard algorithms and protecting data with it, and there are many secure ways to use RSA to sign data, which differ based on the protocol. Similarly, both TLS and SSH can use AES-GCM to encrypt and authenticate data, but they will use it differently.
Moreover, even if you could generate keys for one with the other, you generally don't want to reuse keys for different purposes. That's because in some cases, an attacker can capture a valid message in one protocol and use it in the other protocol to impersonate the legitimate party.
Do note that the private key formats typically used by OpenSSH and TLS implementations are often the same, but the public key formats are not. An SSH public key is going to look totally different than an X.509 public key used with TLS.
If you need to create keys for use with SSH, you should use ssh-keygen, and if you need to create a key for use with your web server or another TLS server, use a tool for that, like openssl or cfssl.
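The format point in the answer above, shown in code. The Go program below is an example added for this page; it is not code from cfssl or from the answer's author. It generates one RSA key and emits it both the way TLS tooling reads it (a PKCS#1 "RSA PRIVATE KEY" PEM block, which is what cfssl genkey writes for RSA keys and what ssh-keygen -m PEM also produces, plus a SubjectPublicKeyInfo "PUBLIC KEY" PEM) and the way OpenSSH reads it (the RFC 4253 ssh-rsa blob behind an authorized_keys line, plus the SHA256 fingerprint ssh-keygen -lf prints), then parses the SSH blob back with length checks. The 2048-bit size and the "demo@example" comment are demo choices, not anything from the question.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// sshString encodes an SSH "string": 4-byte big-endian length, then the bytes (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// sshMPInt encodes an SSH "mpint": a positive value gets a leading 0x00 when its top bit is set.
func sshMPInt(n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return sshString(b)
}

// SSHPublicKeyBlob is the RFC 4253 "ssh-rsa" wire format (string "ssh-rsa", mpint e, mpint n):
// the bytes that sit base64-encoded in id_rsa.pub and authorized_keys.
func SSHPublicKeyBlob(pub *rsa.PublicKey) []byte {
	blob := sshString([]byte("ssh-rsa"))
	blob = append(blob, sshMPInt(big.NewInt(int64(pub.E)))...)
	return append(blob, sshMPInt(pub.N)...)
}

// AuthorizedKeysLine renders the one-line form ssh-keygen writes to id_rsa.pub.
func AuthorizedKeysLine(pub *rsa.PublicKey, comment string) string {
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(SSHPublicKeyBlob(pub)) + " " + comment
}

// SSHFingerprint matches `ssh-keygen -lf`: SHA-256 over the blob, unpadded base64.
func SSHFingerprint(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(SSHPublicKeyBlob(pub))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ParseSSHPublicKeyBlob inverts SSHPublicKeyBlob, with length checks so a truncated or foreign
// blob is rejected instead of being read out of bounds.
func ParseSSHPublicKeyBlob(blob []byte) (*rsa.PublicKey, error) {
	var fields [3][]byte // key type, e, n
	for i := range fields {
		if len(blob) < 4 {
			return nil, errors.New("truncated length field")
		}
		n := binary.BigEndian.Uint32(blob)
		if uint64(n) > uint64(len(blob)-4) {
			return nil, errors.New("field length exceeds blob")
		}
		fields[i], blob = blob[4:4+n], blob[4+n:]
	}
	if string(fields[0]) != "ssh-rsa" {
		return nil, fmt.Errorf("unsupported key type %q", fields[0])
	}
	exp := new(big.Int).SetBytes(fields[1])
	if !exp.IsInt64() || exp.Int64() > 1<<31-1 {
		return nil, errors.New("public exponent out of range")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(fields[2]), E: int(exp.Int64())}, nil
}

// TLSEncodings returns what TLS tooling reads: PKCS#1 "RSA PRIVATE KEY" PEM (the block cfssl genkey
// writes for RSA keys and ssh-keygen -m PEM also produces) and SubjectPublicKeyInfo "PUBLIC KEY" PEM.
func TLSEncodings(priv *rsa.PrivateKey) (keyPEM, pubPEM string, err error) {
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", "", err
	}
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}))
	pubPEM = string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: spki}))
	return keyPEM, pubPEM, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the question used 4096; 2048 keeps the demo quick
	if err != nil {
		panic(err)
	}
	_, pubPEM, err := TLSEncodings(priv)
	if err != nil {
		panic(err)
	}
	fmt.Print(pubPEM)                                                // X.509 SubjectPublicKeyInfo, what a CSR or certificate carries
	fmt.Println(AuthorizedKeysLine(&priv.PublicKey, "demo@example")) // the same key as OpenSSH wants it
	fmt.Println(SSHFingerprint(&priv.PublicKey))
}
```

The private half is the same DER either way, which is why a key cfssl generated can be fed to ssh with -i; the public halves are unrelated byte strings, so there is no flag on cfssl that makes it emit an authorized_keys line, and no reason to want one given the cross-protocol reuse warning in the answer.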
QUESTION
I have been working on an installation of OKD on an air-gapped environment. The first major step has been mirroring the OKD images so that they can be moved over to the new environment and pulled locally. I've been following a combination of the OpenShift documentation and this article, as well as this resource for getting my certificates set up. I have been making slow but consistent progress.
However, I am now having trouble when attempting to actually mirror the files using
ANSWER
Answered 2020-Nov-10 at 17:00
It has been determined that the OKD documentation is inaccurate at the time that I am posting this answer, and was instructing readers to pull from the OCP image repository rather than the OKD repository, which apparently requires additional credentials. A bug has been logged and the documentation will hopefully be updated soon.
The correct environment variables and full command to mirror the images are as follows:
QUESTION
I'm working on creating a local image registry for an OKD installation by following along with this Medium article which assumes the creation of "the self-sign CA, server certificate with both the short and fully qualified hostname of this VM". It calls for "the CA cert, server cert, server key saved as myca.pem, registry.pem, registry-key.pem".
I'm pretty new to certs so I was following the guidance of this article and using cfssl (as recommended by the former article) for generating those. I've gotten through generating and signing the "Intermediate CA". I'm a little unclear on where and how to generate the specific certs the former article requires. I'd really appreciate some clarifications or guidance, if possible, on the following issues.
1. I believe the ca.pem generated in the first "CA Authority" process in the latter article is the equivalent of the myca.pem file mentioned in the former article, but with a different name. Is this the case?
2. I am unclear where exactly the registry.pem and registry-key.pem files are generated. Are these just certificates generated using the "server" profile and assigned the name "registry"? Are they a completely separate profile I should be adding to the cfssl.json file? Are they neither?
3. In whichever case, are there any additional usages I need in the cfssl.json file or additional config files I need to create in order for it to be suitable for an image registry? Do I still need to create the additional "host certificate config file" mentioned in the latter article?
I have tried absorbing as much information about ssl certificates as I could but so far I am unfortunately not finding anything that clears up the specific questions I have. I am sure this is probably simpler than I realize, so any help clarifying what's needed here would be profoundly appreciated. Thanks very much.
ANSWER
Answered 2020-Nov-02 at 15:07
I was able to figure this all out. Here are the answers to my three questions:
1. This was the correct assumption.
2. These are generated using the "server" profile and given whichever name I choose.
3. I had to create the additional host certificate config file and point the CN in that file to my local fully qualified domain name. This config file was then used as an argument for generating the certificates.
QUESTION
I'd like to write a unit test for an HTTP handler which extracts certain information from a device's certificate. I've found this gist, https://gist.github.com/ncw/9253562, which uses openssl to generate the certificates and simply reads the resulting files in its client.go and server.go. To make things a bit more transparent, however, I'd like to generate the certificates using Go's standard library.
Here is my attempt so far at the unit test (available at https://github.com/kurtpeek/client-auth-test):
ANSWER
Answered 2020-Apr-07 at 00:24
Looking a bit more closely at ncw's gist, I noticed that one key difference was the setting of the InsecureSkipVerify option in the client's TLS config to true. I added this, so
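One Go example for the two preceding questions (the registry certificate question and this handler test), written for this page; it is not code from cfssl, from the articles mentioned, or from either answer. Issue reproduces what the cfssl "server" and "client" profiles put into a certificate (signing and key-encipherment key usage, server-auth or client-auth extended key usage, the CSR's hosts as subject alternative names, the CN from the host config file) and what -initca does for the CA; with cfssl itself the server certificate would come from `cfssl gencert -ca ca.pem -ca-key ca-key.pem -config cfssl.json -profile=server registry-csr.json | cfssljson -bare registry`. RunMutualTLS then starts an httptest server that requires a client certificate and calls it with a client that trusts the test CA through RootCAs and pins ServerName to the name the certificate was issued for; that is the alternative to InsecureSkipVerify when the test server listens on loopback but the certificate names the registry host. The names registry.example.internal, registry, device-0001 and Test Root CA are placeholders, and ed25519 keys are used only because they generate quickly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Cert pairs a certificate with its key, like the name.pem / name-key.pem files cfssljson -bare writes.
type Cert struct {
	Leaf *x509.Certificate
	Key  ed25519.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Issue stands in for `cfssl gencert`: profile "ca" is the -initca step (self-signed, pass ca == nil), "server" carries
// signing, key encipherment and server auth like cfssl's server profile, "client" swaps in client auth. cn is the Subject CN.
func Issue(ca *Cert, profile, cn string, hosts []string) *Cert {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     hosts, // cfssl's "hosts" list; Go and browsers match names against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	switch profile {
	case "ca":
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	case "server":
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	case "client":
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	default:
		panic("unknown profile " + profile)
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	parent, signer := tmpl, key // self-signed unless an issuing CA is given
	if ca != nil {
		parent, signer = ca.Leaf, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return &Cert{Leaf: leaf, Key: key}
}

// DeviceHandler is the handler under test: it reads the device identity from the verified client certificate.
func DeviceHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "no client certificate", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
}

// RunMutualTLS starts a server that requires client certificates and calls it with a client that trusts the
// test CA via RootCAs and pins ServerName to the issued name, so loopback works without InsecureSkipVerify.
func RunMutualTLS(presentClientCert bool) (string, error) {
	ca := Issue(nil, "ca", "Test Root CA", nil)
	server := Issue(ca, "server", "registry.example.internal", []string{"registry", "registry.example.internal"})
	device := Issue(ca, "client", "device-0001", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(DeviceHandler))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Leaf.Raw}, PrivateKey: server.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
	srv.StartTLS()
	defer srv.Close()
	cfg := &tls.Config{RootCAs: pool, ServerName: "registry.example.internal"}
	if presentClientCert {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{device.Leaf.Raw}, PrivateKey: device.Key}}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() { fmt.Println(RunMutualTLS(true)) } // device-0001 <nil>
```

RunMutualTLS(false) returns a TLS error rather than a body, because RequireAndVerifyClientCert makes the server reject the handshake when no client certificate is presented; a test should check that case as well as the happy path, since a handler that only ever sees verified certificates is easy to leave unguarded.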
QUESTION
I am running a Kubernetes cluster with multiple masters (3 master nodes) behind HAProxy, and I am also using external etcd in this project. For SSL generation I'm using cfssl (Cloudflare).
I create the etcd service on each master node
ANSWER
Answered 2020-Feb-09 at 13:49
For flannel to work correctly, you must pass --pod-network-cidr=10.244.0.0/16 to kubeadm init.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities: No vulnerabilities reported