
Internal CA Server

posted 24 Aug 2017, 06:04 by Donald Ross   [ updated 1 Sep 2017, 13:36 ]
CA server Build

REFERENCE: https://help.ubuntu.com/lts/serverguide/certificates-and-security.html

sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.original

sudo nano /etc/ssl/openssl.cnf
~update the [ CA_default ] section with the following (new_certs_dir = $dir/newcerts in the same section then resolves to the /etc/ssl/newcerts directory created above):
dir             = /etc/ssl              # Where everything is kept
database        = $dir/CA/index.txt     # database index file.
certificate     = $dir/certs/cacert.pem # The CA certificate
serial          = $dir/CA/serial        # The current serial number
private_key     = $dir/private/cakey.pem # The private key

create the self-signed root certificate (valid for 10 years; the key is written to cakey.pem in the current directory, encrypted with the pass phrase you enter next, and -extensions v3_ca is what marks the certificate as a CA):
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

enter pass phrase
xxxxxxxxxxxxxx

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Livingston
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DDRcomputing
Organizational Unit Name (eg, section) []:IT Security
Common Name (e.g. server FQDN or YOUR name) []:root.ca.ddrcomputing.co.uk
Email Address []:admin@ddrcomputing.co.uk

Now install the root certificate and key (/etc/ssl/private is root-only on Ubuntu, so after the move confirm the key file is readable only by root):
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/


sudo nano /etc/ssl/openssl.cnf
change these as required. countryName = match means the C= field of every CSR this CA signs must equal the root's own value (here UK; note that UK is not the ISO 3166 code for the United Kingdom, GB is, although OpenSSL does not validate the value).
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional



-----------------

certificate signing
You are now ready to start signing certificates. The first item needed is a Certificate Signing Request (CSR); see the Generating a Certificate Signing Request (CSR) section of the referenced Ubuntu guide for details. Once you have a CSR, enter the following to generate a certificate signed by the CA:

sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf
After entering the password for the CA key, you will be prompted to sign the certificate, and again to commit it. OpenSSL then prints the certificate details followed by the new certificate itself.

There should now be a new file, /etc/ssl/newcerts/01.pem (named after the serial number), containing the same output: a human-readable dump followed by the certificate. Copy everything from the line -----BEGIN CERTIFICATE----- through the line -----END CERTIFICATE----- into a file named after the hostname of the server where the certificate will be installed; mail.example.com.crt, for example, is a nice descriptive name.

Subsequent certificates will be named 02.pem, 03.pem, etc.


#####
Additional - Intermediate CA

sudo mkdir -p /etc/ssl/intermediate/CA
sudo mkdir -p /etc/ssl/intermediate/newcerts
(-p is needed because the /etc/ssl/intermediate parent does not exist yet)

sudo sh -c "echo '01' > /etc/ssl/intermediate/CA/serial"
sudo touch /etc/ssl/intermediate/CA/index.txt

sudo cp /etc/ssl/openssl.cnf /etc/ssl/intermediate/openssl.cnf

sudo nano /etc/ssl/intermediate/openssl.cnf

[ CA_default ]
dir            = /etc/ssl/intermediate         # Where everything is kept

Changing only dir means certificate and private_key in this copy now resolve to $dir/certs/cacert.pem and $dir/private/cakey.pem, while the intermediate files created below are named intermediate.key.pem (and the CSR intermediate.csr.pem). Either point those two lines at the intermediate file names or store the files under the names the copied config expects, otherwise openssl ca with this config will not find its key and certificate.

Create the intermediate key (AES-256 encrypted; the pass phrase recorded below is a throwaway placeholder, do not write a real CA pass phrase into notes):

openssl genrsa -aes256 -out intermediate.key.pem  2048
pass phrase = normalpass@123

sudo mkdir /etc/ssl/intermediate/private/
sudo mkdir /etc/ssl/intermediate/certs/

sudo mv intermediate.key.pem /etc/ssl/intermediate/private/

sudo openssl req -config /etc/ssl/intermediate/openssl.cnf -new -sha256 \
      -key /etc/ssl/intermediate/private/intermediate.key.pem \
      -out /etc/ssl/intermediate/certs/intermediate.csr.pem


Enter pass phrase for /etc/ssl/intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DDRcomputing
Organizational Unit Name (eg, section) []:IT_SEC
Common Name (e.g. server FQDN or YOUR name) []:int.ca.ddrcomputing.co.uk
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:normalpass@123
(the challenge password is a legacy CSR attribute that openssl ca ignores; it can be left blank)


sudo openssl ca -config /etc/ssl/openssl.cnf -extensions v3_ca -in /etc/ssl/intermediate/certs/intermediate.csr.pem

-extensions v3_ca is required here: the root's openssl.cnf has x509_extensions = usr_cert, whose basicConstraints=CA:FALSE would otherwise be applied, and an "intermediate" without CA:TRUE cannot issue certificates that validators accept. As with any certificate signed by the root, the result lands in /etc/ssl/newcerts/ under the next serial number; copy the PEM block to /etc/ssl/intermediate/certs/ under the file name the intermediate openssl.cnf expects for certificate = before using that config to sign.
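As an added end-to-end example (not the page's own commands, nor the Ubuntu guide's), the following POSIX shell script carries out the whole procedure above, the root CA build, certificate signing and the intermediate CA, against a scratch directory tree with the same layout (CA/serial, CA/index.txt, newcerts, certs, private) instead of /etc/ssl, so it runs unprivileged and non-interactively. The openssl.cnf it writes, the DN values, the example.test host names and the pass:... pass phrases are all assumptions of the example (on a real CA type the pass phrases at the prompt). It then checks the part that is easy to get wrong, that the intermediate carries CA:TRUE and the server certificate CA:FALSE, and verifies the server certificate back to the root through the intermediate.

```shell
#!/bin/sh
# Added example: root CA, intermediate CA and one server certificate built in a
# scratch tree with the page's layout, then verified. Not from the original page.
set -eu
CA_ROOT=${CA_ROOT:-$(mktemp -d)}   # assumption: scratch directory instead of /etc/ssl

# Minimal openssl.cnf for one CA directory. $1=config path $2=CA dir $3=cert file $4=key file
write_ca_config() {
    cat > "$1" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $2
database        = \$dir/CA/index.txt
serial          = \$dir/CA/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/certs/$3
private_key     = \$dir/private/$4
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName             = match
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# The page's layout: CA/serial starting at 01, empty CA/index.txt, newcerts, certs, private.
init_ca_dir() {
    mkdir -p "$1/CA" "$1/newcerts" "$1/certs" "$1/private"
    echo '01' > "$1/CA/serial"
    : > "$1/CA/index.txt"
    chmod 700 "$1/private"   # the CA key directory is for the CA operator only
}

build_root_ca() {
    init_ca_dir "$CA_ROOT/root"
    write_ca_config "$CA_ROOT/root/openssl.cnf" "$CA_ROOT/root" cacert.pem cakey.pem
    openssl req -config "$CA_ROOT/root/openssl.cnf" -new -x509 -extensions v3_ca -days 3650 \
        -newkey rsa:2048 -sha256 -passout pass:rootdemo \
        -subj "/C=GB/O=Example/OU=IT Security/CN=root.ca.example.test" \
        -keyout "$CA_ROOT/root/private/cakey.pem" -out "$CA_ROOT/root/certs/cacert.pem"
}

build_intermediate_ca() {
    INT=$CA_ROOT/intermediate
    init_ca_dir "$INT"
    write_ca_config "$INT/openssl.cnf" "$INT" intermediate.cert.pem intermediate.key.pem
    openssl genrsa -aes256 -passout pass:intdemo -out "$INT/private/intermediate.key.pem" 2048
    openssl req -config "$INT/openssl.cnf" -new -sha256 -key "$INT/private/intermediate.key.pem" \
        -passin pass:intdemo -subj "/C=GB/O=Example/OU=IT Security/CN=int.ca.example.test" \
        -out "$INT/certs/intermediate.csr.pem"
    # Signed by the root WITH -extensions v3_ca; without it usr_cert (CA:FALSE) applies
    # and the "intermediate" could not issue anything that validators accept.
    openssl ca -batch -notext -config "$CA_ROOT/root/openssl.cnf" -extensions v3_ca -days 1825 \
        -passin pass:rootdemo -in "$INT/certs/intermediate.csr.pem" -out "$INT/certs/intermediate.cert.pem"
}

issue_server_cert() {
    SRV=$CA_ROOT/mail.example.test
    mkdir -p "$SRV"
    openssl req -config "$CA_ROOT/intermediate/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=GB/O=Example/CN=mail.example.test" -keyout "$SRV/server.key" -out "$SRV/server.csr"
    # -out writes the certificate directly instead of copying newcerts/01.pem by hand.
    openssl ca -batch -notext -config "$CA_ROOT/intermediate/openssl.cnf" -passin pass:intdemo \
        -in "$SRV/server.csr" -out "$SRV/server.crt"
    cat "$SRV/server.crt" "$CA_ROOT/intermediate/certs/intermediate.cert.pem" > "$SRV/fullchain.pem"
}

# CA:TRUE or CA:FALSE from the certificate's Basic Constraints extension.
ca_flag() { openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*'; }

# Succeeds only if the server certificate chains to the root through the intermediate.
verify_chain() {
    openssl verify -CAfile "$CA_ROOT/root/certs/cacert.pem" \
        -untrusted "$CA_ROOT/intermediate/certs/intermediate.cert.pem" "$CA_ROOT/mail.example.test/server.crt"
}

build_root_ca
build_intermediate_ca
issue_server_cert
echo "intermediate: $(ca_flag "$CA_ROOT/intermediate/certs/intermediate.cert.pem")   server: $(ca_flag "$CA_ROOT/mail.example.test/server.crt")"
verify_chain && echo "tree kept under $CA_ROOT"
```

Run it as an ordinary user; it leaves the tree under the printed directory (or under CA_ROOT if you export one) so the index.txt, serial and newcerts/01.pem files can be inspected. The ca_flag check is worth running on every CA certificate you issue for real, and fullchain.pem (leaf first, then the intermediate) is what a server configured with the intermediate-issued certificate has to present, since clients only trust the root.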







