How to install a certificate authority server on Ubuntu Server 18.04 LTS

LHammonds
Site Admin
Posts: 679
Joined: Fri Jul 31, 2009 6:27 pm


Post #662 by LHammonds
Fri May 11, 2018 5:19 pm

WORK-IN-PROGRESS ------------------- WORK-IN-PROGRESS


Greetings and salutations,

I hope this thread will be helpful to those who follow in my footsteps, as well as getting any advice based on what I have done / documented.

To discuss this thread, please participate here: >> INSERT THREAD <<

High-level overview

This thread will cover installation of a certificate authority (CA) server for the purpose of issuing your own certificates for your LAN.

This process will involve two servers. The root CA server will be installed and issue a certificate to an intermediate CA server. The root CA server will then be taken offline and stored in a safe place. The intermediate server will then become the server that will issue certificates to your other servers and the root certificate will need to be installed on all your machines so any certificates issued by the intermediate server will be automatically trusted.

This scenario is perfect for servers that are not accessible from the web or when using local domain names like mydomain.local.

Some of the abbreviations related to certificates:
  • SSL – Secure Socket Layer
  • CSR – Certificate Signing Request
  • TLS – Transport Layer Security
  • PEM – Privacy Enhanced Mail
  • DER – Distinguished Encoding Rules
  • SHA – Secure Hash Algorithm
  • PKCS – Public-Key Cryptography Standards
Tools utilized in this process
Helpful links

The list below contains sources of information that were helpful in the creation of this document.
Assumptions

This documentation will need to make use of some very specific information that will most likely be different for each person / location. As such, this information will be noted in this section. It will be highlighted in red throughout the document as a reminder that you should plug in your own value rather than actually using these "place-holder" values.

Under no circumstance should you use the actual values listed below. They are place-holders for the real thing. This is just a checklist template you need to have answered before you start the install process.

Wherever you see RED in this document, you need to substitute the value you will use in your environment.
  • Local domain: mydomain.com
  • Ubuntu Server name: srv-ca-root
  • Ubuntu Server IP address: 192.168.107.69
  • Ubuntu Server name: srv-ca-im
  • Ubuntu Server IP address: 192.168.107.70
  • Ubuntu Admin ID: administrator
  • Ubuntu Admin Password: myadminpass
  • Root CA Private Key Passphrase: myrootcapass
It is also assumed the reader knows how to use the VI editor. If not, you will need to beef up your skill set or use a different editor in place of it.

References:
OpenSSL certification authority CA Ubuntu server
OpenSSL Commands
OpenSSL Command-Line
OpenSSL Troubleshooting
OpenSSL commands to check and verify


Install Ubuntu Server

Post #665 by LHammonds
Fri Jun 08, 2018 10:39 am

Install Ubuntu Server

The Ubuntu Server Long-Term Support (LTS) release is free, but we have the option of buying support, and that is the main reason this server was selected.

The steps for setting up the base servers are covered in this article: How to install and configure Ubuntu Server

It is assumed that the servers were configured according to that article, with the exception that the assumptions in red (variables above) are used instead of the assumptions in that document, since we are building a specialized server.


Prerequisites

Post #691 by LHammonds
Wed Sep 05, 2018 1:29 pm

Fully Qualified Domain Name (FQDN)

We need to make sure our FQDN is set before we begin.

On the root CA server:

Code:
vi /etc/hosts

You should see something like the following:

127.0.0.1 localhost
127.0.1.1 srv-ca-root.mydomain.local srv-ca-root

On the intermediate CA server:

Code:
vi /etc/hosts

You should see something like the following:

127.0.0.1 localhost
127.0.1.1 srv-ca-im.mydomain.local srv-ca-im
OpenSSL Configuration

Make the CA folders:

Code:
mkdir -p /root/ca/private
mkdir -p /root/ca/certs
mkdir -p /root/ca/crl
mkdir -p /root/ca/newcerts
mkdir -p /root/ca/requests

Create the file that OpenSSL uses to track certificates:

Code:
touch /root/ca/index.txt

Create the file that OpenSSL uses to number each of the certificates. This command will start the count at a randomized number between 1000 and 10000:

Code:
# openssl ca reads this file as hex and rejects an odd number of digits,
# so the upper bound stays at four digits (10000 would fail the first signing)
shuf --input-range 1000-9999 --head-count 1 > /root/ca/serial

Secure the files and folders:

Code:
chown -R root:root /root/ca
# directories keep the execute (search) bit, files are owner read/write only
find /root/ca -type d -exec chmod 0700 {} +
find /root/ca -type f -exec chmod 0600 {} +

Backup the current OpenSSL configuration:

Code:
cp /etc/ssl/openssl.cnf /etc/ssl/openssl.bak

Edit the OpenSSL config file and make the following changes:

Code:
vi /etc/ssl/openssl.cnf

Find:

Code:
dir             = ./demoCA

Change to:

Code:
dir             = /root/ca

You might want to review other settings such as the policy section, defaults, etc.


Root Certificate

Post #692 by LHammonds
Wed Sep 05, 2018 1:42 pm

Create the Root CA Private Key

This command will create a 4096 bit private key that is AES 256 bit encrypted. NOTE: This should match the "private_key" setting in openssl.cnf

Code:
openssl genrsa -aes256 -out /root/ca/private/cakey.pem 4096

You will need to enter your passphrase at this point. In this example, I used myrootcapass.

Create the Root CA Certificate

This command will create a certificate that will expire 10 years from now. NOTE: This should match the "certificate" setting in openssl.cnf

Code:
openssl req -new -x509 -sha256 -key /root/ca/private/cakey.pem -out /root/ca/cacert.pem -days 3650

Use the passphrase you set when you created the private key. In this example, I used myrootcapass.

Install Root CA Certificate onto the server

Convert the .pem to .crt format:

Code:
mkdir /usr/local/share/ca-certificates/srv-ca-root
chmod 755 /usr/local/share/ca-certificates/srv-ca-root
openssl x509 -in /root/ca/cacert.pem -inform PEM -out /usr/local/share/ca-certificates/srv-ca-root/cacert.crt
chmod 644 /usr/local/share/ca-certificates/srv-ca-root/cacert.crt
update-ca-certificates

Install Root CA Certificate onto Windows 10 PC

NOTE: You can also use Group Policy to distribute the certificate to all machines in the domain.
  • Place cacert.crt somewhere the PC can access it.
  • Click Start, Run, mmc.exe
  • Click File, Add/Remove Snap-in
  • Double-click Certificates, select Computer account, click Next, select Local computer, click Finish, OK
  • Expand Trusted Root Certification Authorities, Certificates
  • Right-click on Certificates, All Tasks, Import, Next, Browse to and select cacert.crt, Next, Place in Trusted Root Certification Authorities, Finish
  • You should see "srv-ca-root.mydomain.local" in the list.
  • Close mmc


Create a Server Certificate

Post #693 by LHammonds
Wed Sep 05, 2018 4:50 pm

Locally Create a Key/Cert

On the root CA server, we are going to create a private key, CSR and certificate for a remote server on behalf of that server. This will let us do everything on the CA server for this test.

Generate a private key for the server named "srv-owncloud":

Code:
openssl genrsa -aes256 -out /root/ca/private/srv-owncloud-key.pem 4096

Generate a certificate signing request (CSR) using the private key:

Code:
openssl req -new -key /root/ca/private/srv-owncloud-key.pem -out /root/ca/requests/srv-owncloud.csr

Sign the CSR:

Code:
openssl ca -in /root/ca/requests/srv-owncloud.csr -out /root/ca/certs/srv-owncloud-cert.pem

Validate the certificate on the server (NOTE: This will not work if you do not install the recently-created root CA certificate (cacert.crt)):

Code:
openssl verify /root/ca/certs/srv-owncloud-cert.pem

You can test it by starting a test web service and opening a browser on your PC to look at the certificate. (NOTE: This will not work if you do not install the recently-created root CA certificate as a trusted CA on your PC)

Code:
ufw allow proto tcp to any port 4433 comment 'TEMP SSL Web Service'
openssl s_server -cert /root/ca/certs/srv-owncloud-cert.pem -key /root/ca/private/srv-owncloud-key.pem -www

Now open a browser on a desktop PC and visit https://192.168.107.69:4433 and use the browser's ability to look at the certificate.
Once done with the browser test, switch back to the server and press CTRL+C to break out of the SSL server test.
Now remove the firewall rule that allowed access on the test 4433 port:

Code:
ufw delete allow proto tcp to any port 4433

NOTE SECTION

Convert PKCS format to PEM and separate key/cert into separate files:

Code:
openssl pkcs12 -in nameorwildcard.yourdomain.local.pfx -out /tmp/output.pem -nodes -password pass:passwordofpfx
sed -n '/^-----BEGIN PRIVATE KEY-----/,/^-----END PRIVATE KEY-----/p' /tmp/output.pem > /tmp/certificatekey.key
sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' /tmp/output.pem > /tmp/certificate.crt
rm -f /tmp/output.pem

Use the tool dos2unix (or a similar tool) to prevent text file format problems.

Code:
dos2unix rootca.yourdomain.local.cer
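The steps of the Prerequisites, Root Certificate and Create a Server Certificate posts, run end to end as one script. This is an added example and not the original poster's code: it builds the same CA layout, root key, self-signed root, server key, CSR and CA-signed certificate in a throw-away temporary directory, then checks the result. It assumes an OpenSSL 1.1+ binary on PATH; the directory, the passphrase ("constructed-root-pass" in place of myrootcapass), the names and the 2048-bit key size (the thread uses 4096 and an interactive passphrase prompt) are constructed for the example, and the subjectAltName is supplied through an extension file at signing time because browsers require a SAN and ignore the CN.

```shell
#!/bin/sh
# Added example (not code from the original post): runs the thread's steps end
# to end in a throw-away directory, non-interactively: CA layout, encrypted
# root key, self-signed root, server key + CSR, "openssl ca" signing, verify.
# Constructed/assumed: the temp directory, the passphrase, the names, and a
# 2048-bit key size (the thread uses 4096 and an interactive passphrase prompt).
set -eu

CA_PASS="constructed-root-pass"   # stands in for the thread's myrootcapass
DOMAIN="mydomain.local"

# Directory layout from the thread plus a minimal openssl.cnf whose "dir"
# already points at it (the thread edits /etc/ssl/openssl.cnf instead).
ca_init() {
    ca="$1"
    mkdir -p "$ca/private" "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/requests"
    chmod 0700 "$ca" "$ca/private"
    : > "$ca/index.txt"
    printf '1000\n' > "$ca/serial"   # read as hex; needs an even digit count
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $ca
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
private_key    = \$dir/private/cakey.pem
certificate    = \$dir/cacert.pem
default_md     = sha256
default_days   = 825
policy         = policy_loose
unique_subject = no
[ policy_loose ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# AES-256 encrypted root key and a 10-year self-signed root certificate.
ca_root() {
    ca="$1"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$ca/private/cakey.pem" 2048 2>/dev/null
    chmod 0600 "$ca/private/cakey.pem"
    openssl req -new -x509 -sha256 -days 3650 -config "$ca/openssl.cnf" -extensions v3_root \
        -key "$ca/private/cakey.pem" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Root CA" -out "$ca/cacert.pem"
}

# Server key, CSR and CA-signed certificate. The subjectAltName is attached at
# signing time through -extfile, because browsers require a SAN and ignore the CN.
ca_issue() {
    ca="$1"; name="$2"
    openssl genrsa -out "$ca/private/$name-key.pem" 2048 2>/dev/null
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/private/$name-key.pem" \
        -subj "/CN=$name.$DOMAIN" -out "$ca/requests/$name.csr"
    cat > "$ca/requests/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$name.$DOMAIN
EOF
    openssl ca -batch -notext -config "$ca/openssl.cnf" -passin "pass:$CA_PASS" \
        -extfile "$ca/requests/$name.ext" -in "$ca/requests/$name.csr" \
        -out "$ca/certs/$name-cert.pem" >/dev/null
}

# Checks worth running before distributing anything: the root really is a CA
# certificate, the server cert chains to it, and it carries the expected SAN.
ca_verify() {
    ca="$1"; name="$2"
    openssl x509 -in "$ca/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/$name-cert.pem" >/dev/null || return 1
    openssl x509 -in "$ca/certs/$name-cert.pem" -noout -text | grep -q "DNS:$name.$DOMAIN"
}

# Run the whole flow in a fresh temporary directory and print its path.
ca_demo() {
    ca=$(mktemp -d)
    ca_init "$ca"
    ca_root "$ca"
    ca_issue "$ca" srv-owncloud
    ca_verify "$ca" srv-owncloud
    echo "$ca"
}

ca_demo
```

After it runs, the printed directory holds cacert.pem, the server certificate under certs/, the index.txt entry for it and a serial file advanced by one; ca_verify is the same check the thread's "openssl verify" step performs, with the root passed explicitly via -CAfile instead of relying on update-ca-certificates.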
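The PKCS#12 split from the note section, as an added example that is not the original poster's code: it packs a constructed self-signed key/certificate pair into a password-protected .pfx, splits it back into separate key and certificate files with the same sed ranges the note uses, keeps any CA certificates in the bundle out of the server certificate file, and then confirms the extracted key actually belongs to the extracted certificate by comparing public keys. It assumes OpenSSL 1.1+ on PATH; the file names, the temporary directory and the password "constructed-pfx-pass" are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post): round-trip a constructed
# key/cert pair through a .pfx, split it like the note section does, and
# check that the key and certificate match. All names and passwords are constructed.
set -eu

# Split a PKCS#12 bundle into <outdir>/certificate.key and <outdir>/certificate.crt.
# CA certificates carried in the bundle go to <outdir>/chain.crt instead of being
# concatenated into the server certificate file.
pfx_split() {
    pfx="$1"; pass="$2"; outdir="$3"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes -clcerts -out "$outdir/output.pem"
    sed -n '/^-----BEGIN PRIVATE KEY-----/,/^-----END PRIVATE KEY-----/p' "$outdir/output.pem" > "$outdir/certificate.key"
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$outdir/output.pem" > "$outdir/certificate.crt"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -cacerts -out "$outdir/chain.pem"
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$outdir/chain.pem" > "$outdir/chain.crt"
    rm -f "$outdir/output.pem" "$outdir/chain.pem"
    chmod 0600 "$outdir/certificate.key"   # the unencrypted key must not be world-readable
}

# Return 0 when the private key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Build a throw-away self-signed cert, pack it into a .pfx, split and check it.
pfx_demo() {
    d=$(mktemp -d)
    cat > "$d/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = srv-test.mydomain.local
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/req.cnf" \
        -keyout "$d/orig.key" -out "$d/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/orig.key" -in "$d/orig.crt" \
        -passout "pass:constructed-pfx-pass" -out "$d/bundle.pfx"
    pfx_split "$d/bundle.pfx" "constructed-pfx-pass" "$d"
    key_matches_cert "$d/certificate.key" "$d/certificate.crt"
    echo "$d"
}

pfx_demo
```

The -clcerts / -cacerts pair is the detail the one-line version glosses over: a .pfx exported from Windows usually carries the issuing chain as well, and the note's single sed range would write every certificate into certificate.crt, which web servers expect to hold only the leaf.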
