A full-featured PKI with Cloudflare’s PKI and TLS Toolkit

By Marco Antonio Carcano

This is probably the first and only book on Cloudflare's PKI and TLS Toolkit: a set of freely available tools developed by Cloudflare that can be used as building blocks for spinning up a full-featured Public Key Infrastructure. The toolkit provides not only CRL and OCSP endpoints but also Registration Authority endpoints that can be used for automated certificate issuing (both PEM-encoded and JSON-formatted Certificate Signing Requests are supported). The software is designed for horizontal scaling and relies on a SQL database; the book shows how to work with PostgreSQL. Certmgr is the client-side agent that can be set up on servers providing TLS-secured services to automate certificate enrollment and renewal. Both are open source and available on GitHub. Cloudflare's PKI and TLS Toolkit is frequently mentioned in the Kubernetes documentation (which refers to it as "cfssl") as the tool for implementing the Kubernetes Certificate Authority.

The book is structured to gradually introduce the reader to both of these pieces of software, explaining how to download and install the pre-built binaries, how to build them from source, and even how to add features to cfssl and rebuild it as a custom version. Everything is explained in a straightforward way, including how to set up a tidy, clean layout for both the software and its settings so that upgrades and downgrades can be performed smoothly when necessary. The example lab guides the reader through setting up a two-layer Public Key Infrastructure with multiple security tiers, consisting of a Root CA and an Intermediate CA. Each has a dedicated mutual-TLS-protected Registration Authority endpoint and OCSP responder. In addition, a multi-CA Registration Authority compatible with certmgr is provided, along with a web service for publishing the CA certificates, Certificate Revocation Lists (CRL) and Certification Practice Statements (CPS).

The certificates issued by the PKI are properly structured, carrying the CRL Distribution Point as well as the OCSP, CRL and CPS URIs. The book explains how to validate certificates using OCSP and CRLs, and how to revoke issued certificates when necessary. It also covers installing and configuring certmgr, and setting up a mutual-TLS-protected Apache server. Last but not least, a chapter covers common PostgreSQL database use cases, such as extracting a certificate from the database into a file and vice versa.

Details

Publication Date
Feb 23, 2024
Language
English
Category
Computers & Technology
Copyright
All Rights Reserved - Standard Copyright License
Contributors
By (author): Marco Antonio Carcano

Specifications

Format
PDF