
Add HTTPS endpoints to CFSSL

Nick Sullivan edited this page Oct 10, 2015 · 2 revisions

The cfssl and multirootca services currently only expose HTTP endpoints. This page describes a plan to upgrade these to HTTPS.

  • Add an option to select an "endpoint-key" and "endpoint-cert" via either command-line options or the configuration file
  • Serve a redirect to the HTTPS endpoint on the HTTP root endpoint when HTTPS is enabled
  • Use only strong cipher suites (forward-secret AEAD suites such as ECDHE with AES-GCM or ChaCha20-Poly1305) and a sane minimum TLS version

Once this is working correctly and the transport package (https://github.com/cloudflare/cfssl/pull/358) has been merged, the endpoint code should be switched to the transport package with static keys.

Additionally, CFSSL needs to be updated to handle remote signers that use HTTPS. For this the configuration file needs to indicate whether each remote uses HTTPS or HTTP. In the case of HTTPS, it should also contain a list of CAs trusted to verify that remote's certificate; relying on the system root store instead would let any certificate those roots have issued pass as the signer.
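The following is an added worked example covering both halves of the plan above (the three server-side bullets and the remote-signer client); it is illustration written for this page, not cfssl's own code or the implementation CloudFlare eventually shipped. The helper names (strongTLSConfig, redirectToHTTPS, remoteClient, demo) are assumptions, Go's net/http/httptest stands in for the endpoint-cert/endpoint-key files by supplying a throwaway localhost certificate, and the stub API handler answers any path, so the "/api/v1/cfssl/sign" path it is asked for is only a label.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// strongTLSConfig is the endpoint policy: TLS 1.2 or newer, and for TLS 1.2 only
// forward-secret AEAD suites (Go fixes the TLS 1.3 suites itself). Hypothetical
// helper; a deployment would add cfg.Certificates from
// tls.LoadX509KeyPair(endpointCert, endpointKey) using the configured file names.
func strongTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// redirectToHTTPS serves the plain-HTTP listener once HTTPS is enabled: every
// request is sent to the same path on the HTTPS endpoint instead of being answered.
func redirectToHTTPS(httpsAddr string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "https://"+httpsAddr+r.URL.RequestURI(), http.StatusMovedPermanently)
	})
}

// remoteClient is the client side for a remote signer. The remote's scheme decides
// whether TLS is used; an https remote must come with the CAs trusted to vouch for
// it, and the system roots are deliberately not consulted.
func remoteClient(remote string, trustedCAs *x509.CertPool) (*http.Client, error) {
	c := &http.Client{Timeout: 10 * time.Second}
	if strings.HasPrefix(remote, "https://") {
		if trustedCAs == nil {
			return nil, fmt.Errorf("https remote %q configured without trusted CAs", remote)
		}
		c.Transport = &http.Transport{TLSClientConfig: &tls.Config{RootCAs: trustedCAs, MinVersion: tls.VersionTLS12}}
	}
	return c, nil
}

// demo stands up an HTTPS endpoint next to a redirecting HTTP listener and probes
// both the way a remote-signer client would; httptest supplies a localhost cert.
func demo() (status int, location, body string, tlsVersion uint16, untrustedErr error) {
	httpsSrv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "signed over TLS") }))
	httpsSrv.TLS = strongTLSConfig()
	httpsSrv.StartTLS()
	defer httpsSrv.Close()
	httpsAddr := httpsSrv.Listener.Addr().String()
	httpSrv := httptest.NewServer(redirectToHTTPS(httpsAddr))
	defer httpSrv.Close()

	// 1. The HTTP root answers with a redirect instead of serving the API.
	noFollow := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := noFollow.Get(httpSrv.URL + "/")
	must(err)
	resp.Body.Close()
	status, location = resp.StatusCode, resp.Header.Get("Location")

	// 2. A client whose trust list holds the endpoint's CA reaches the API over TLS.
	trusted := x509.NewCertPool()
	trusted.AddCert(httpsSrv.Certificate())
	c, err := remoteClient("https://"+httpsAddr, trusted)
	must(err)
	resp, err = c.Get("https://" + httpsAddr + "/api/v1/cfssl/sign")
	must(err)
	b, err := io.ReadAll(resp.Body)
	must(err)
	resp.Body.Close()
	body, tlsVersion = string(b), resp.TLS.Version

	// 3. With an empty trust list the same remote is rejected at the handshake.
	c, err = remoteClient("https://"+httpsAddr, x509.NewCertPool())
	must(err)
	_, untrustedErr = c.Get("https://" + httpsAddr + "/")
	return
}

func main() {
	status, loc, body, ver, err := demo()
	fmt.Printf("HTTP root: %d -> %s\nHTTPS: %q over TLS 0x%04x\nuntrusted CA: %v\n", status, loc, body, ver, err)
}
```

Run with `go run`: the HTTP root reports 301 with an https:// Location, the trusting client gets the body over TLS 1.2 or 1.3, and the client with an empty trust list fails at the handshake with an unknown-authority error. The third probe is the point of the per-remote CA list: with RootCAs set, Go verifies against that pool only, so a certificate from any other CA, however widely trusted, cannot impersonate the signer.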