CFSSL 1.1The evolution of a PKI toolkit

Nick Sullivan @grittygrease August 7, 2015

PEOPLE ARE LAZY

2

PGP is hard

3

PGP is hard

4

5

6

Who was not using HTTPS (December 2014)?

7

Who is not using HTTPS (August 2015)?

🔒 🔒

🔒

8

9

11

12

13

Where are my keys?

14

Railgun

Let’s write a CA server ourselves! — In Go!

16

Why Go?

• Robust X.509 library

• JSON API support

• Fun!

PKI this shiz

18

PKI the whole internal infrastructure

Certificate Errors

20

21

👍

23

Other people started using it!• 750+ stars on Github

• Warning: unconfirmed list

24

Announcing… CFSSL 1.1• New features added since 1.0

• PKCS #11 HSM support

• Multi-root CA

• OCSP Server

• Remote mode with authentication and high availability

• Web UI

25

Full List of changes• ADDED:

• Revocation now checks OCSP status.

• Authenticated endpoints are now supported using HMAC tags.

• Bundle can verify certificates against a domain or IP.

• OCSP subcommand has been added.

• PKCS #11 keys are now supported; this support is now the default.

• OCSP serving is now implemented.

• The multirootca tool is now available for multiple signing keys via an authenticated API.

• A scan utility for checking the quality of a server's TLS configuration.

• The certificate bundler now supports PKCS #7 and PKCS #12.

• An info endpoint has been added to retrieve the signers’ certificates.

• Signers can now use a serial sequence number for certificate serial numbers; the default remains randomised serial numbers.

• CSR whitelisting allows the signer to explicitly distrust certain fields in a CSR.

• Signing profiles can include certificate policies and their qualifiers.

• The multirootca can use Red October-secured private keys.

• The multirootca can whitelist CSRs per-signer based on an IP network whitelist.

• The signer can whitelist SANs and common names via a regular-expression whitelist.

• Multiple fallback remote signers are now supported in the cfssl server.

• A Docker build script has been provided to facilitate building CFSSL for all supported platforms.

• The log package includes a new logging level, fatal, that immediately exits with error after printing the log message.

• CHANGED:

• CLI tool can read from standard input.

• The -f flag has been renamed to -config.

• Signers have been refactored into local and remote signers under a single universal signer abstraction.

• The CLI subcommands have been refactored into separate packages.

• Signing can now extract subject information from a CSR.

• Various improvements to the certificate ubiquity scoring, such as accounting for SHA1 deprecation.

• The bundle CLI tool can set the intermediates directory that newly found intermediates can be stored in.

• The CLI tools return exit code 1 on failure.

26

cfssl.org bundle demo

27

One more thing…

28

CFSSL Scan• Provides a report on your TLS configuration

• Standalone App

• Drive with API or CLI

• Can use domain names, or IPs on any port

• Add your own vulnerability scans

29

cfssl.org scan demo

30

CFSSL

Certificate Authority

Chain builder

TLS Scanner

31

CFSSL Core Team• Nick Sullivan (@grittygrease)

• Kyle Isom (@kyleisom)

• Zi Lin (@lziest)

• Jacob Haven (@jacob_haven)

32

CFSSL 1.1 Contributors• Alice Xia

• Dan Rohr

• Didier Smith

• Dominic Luechinger

• Erik Kristensen

• Fabian Ruff

• George Tankersley

• Harald Wagener

• Harry Harpham

• Jacob H. Haven

• Jacob Hoffman-Andrews

• Joshua Kroll

• Kyle Isom

• Nick Sullivan

• Peter Eckersley

• Richard Barnes

• Steve Rude

• Tara Vancil

• Terin Stock

• Thomaz Leite

• Travis Truman

• Zi Lin

33

CFSSL 1.1The evolution of a PKI toolkit

Nick Sullivan @grittygrease August 7, 2015