CFSSL Intermediate Authority

Open suxarik opened this issue 5 years ago • 3 comments

I have a problem using the cfssl plugin. Having:

CFSSL_URL =***
CFSSL_ROOT =***
CFSSL_KEY =*** (This is not in the manual but creating certs only works with this)
CFSSL_INTERMEDIATE =***

After successfully creating an authority based on the CFSSL CA, I'm trying to create an authority based on the CFSSL Intermediate CA, choosing SubCA during creation. But still just the CA gets created. That is why I cannot create new certificates, because they cannot be signed with the Intermediate.

Lemur build is from master
CFSSL Version: 1.3.2

suxarik, Mar 28 '19 09:03

Hello, unfortunately the same issue applies here - we do not use CFSSL internally and thus are unable to support this plugin.

The primary code contributors appear to be @chadhendrie , @johanneslanger and @alwaysjolley who may be able to investigate.

castrapel, Apr 10 '19 16:04

The CFSSL_KEY is only used if you are using the auth functionality of cfssl. I cannot speak with much authority on how SubCA should work, but as I understand it, that is only used if you want to create an Intermediate CA on Lemur, not upload/use an Intermediate CA on your Authority. At least this is how it worked in my testing. If you are trying to create a new leaf certificate, you want to set the Authority to use the Intermediate CA in the Lemur configs and choose CA when creating the new leaf certificate. The CA you set up is responsible for what CA to sign the CSR with. Lemur just submits the request to the CA for signing. CFSSL_ROOT and CFSSL_INTERMEDIATE are used to build the chain in Lemur. It does not validate the CA is using the same certificate chain, unfortunately.

alwaysjolley, Apr 18 '19 18:04
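
The comment above notes that Lemur builds the chain from CFSSL_ROOT and CFSSL_INTERMEDIATE without validating that the CA signs with that same chain; the check below does that validation by hand with openssl. It is an added example, not part of the thread or of Lemur/CFSSL code, and it assumes the two configured values have been saved as PEM files; the function names and the throwaway demo PKI are constructed here.

```shell
#!/bin/sh
# Added example: file names and the demo PKI are constructed, not from the thread.

# check_chain ROOT INTERMEDIATE LEAF
# Exit 0 only if INTERMEDIATE chains to ROOT and LEAF was signed directly by
# INTERMEDIATE. ROOT/INTERMEDIATE are assumed to be the PEM values configured
# as CFSSL_ROOT / CFSSL_INTERMEDIATE, saved to files.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # -partial_chain makes the intermediate itself the trust anchor, so a leaf
    # signed by the root (or by any other CA) fails here.
    openssl verify -partial_chain -CAfile "$2" "$3" >/dev/null 2>&1
}

# mk_cert NAME EXTFILE [ISSUER]: throwaway cert NAME.pem in the current dir,
# self-signed when ISSUER is omitted, otherwise signed by ISSUER.pem/.key.
mk_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=demo-$1" >/dev/null 2>&1 || return 1
    if [ -n "$3" ]; then
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
            -CAcreateserial -extfile "$2" -days 1 -out "$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -extfile "$2" -days 1 -out "$1.pem" >/dev/null 2>&1
    fi
}

# build_demo_pki DIR: a root, an intermediate, and one leaf signed by each.
build_demo_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    mk_cert root ca.ext && mk_cert inter ca.ext root &&
        mk_cert leaf_inter leaf.ext inter && mk_cert leaf_root leaf.ext root
)

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" || exit 1
for leaf in leaf_inter leaf_root; do
    if check_chain "$demo_dir/root.pem" "$demo_dir/inter.pem" "$demo_dir/$leaf.pem"; then
        echo "$leaf: signed by the configured intermediate"
    else
        echo "$leaf: NOT signed by the configured intermediate"
    fi
done
```

Run against a certificate freshly issued through Lemur, a failure means the chain Lemur attaches does not match the CA that actually signed the certificate.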

For a more detailed document on how to set up an intermediate CA via CFSSL, see https://www.howtoforge.com/tutorial/integration-of-cfssl-with-the-lemur-certificate-manager/

alwaysjolley, Jun 21 '19 16:06