Skip to main content

Linux/Unix - Create a local Certificate Authority (CA)

I get these questions all the time - people know i have some runtime with certificates and such - one question is "Can't i just issue my own certs?" - and the answer of course is yes - but I always make sure to add that it won't be any use on a public web site since no-one will trust it.
So setting up your own CA is not "generally useful", it is more if you need some specific things, like issuing certificates with a single signing source for client logins or similar.

Most business will have a  couple of Windows Domain controllers, if you need to sign certs for a limited set of users, what you should do is make sure some system in your windows domain runs Certificate Services, then issue certs from there, make sure any non-domain-members has a trust for that CA.

If you actually do need to set up you own CA, here is one way to do it

Procedure to set up your own local CA

The common name for the CA cert must NOT be the same as a domain name or anything else you will need a cert for, I used   "myLocalCA"  for my cn in this example.
There is more than one way to do this, i recommend using a sequence file for serials - so this should work if you follow this setup.
I recommend using a local user which is not used for anything else - the below assumes you run as that user


  • Create a directly, set very private permissions, and go to it
    • mkdir ~/myLocalCA
    • chmod 0700 ~/myLocalCA
    • cd ~/myLocalCA
  • Create a protected CA key:  
    • openssl genrsa -des3 -out myLocalCA.key 4096
  • Create the CA cert valid for 10 years:
    • openssl req -new -x509 -days 3650 -key myLocalCA.key -out myLocalCA.cert
    • Enter Country, State, City, Org, dept
    • Enter common name as the permenanent name of your CA (example: myLocalCA)
  • Use a Sequence file for the CA certificates serial number - it is best to just let openssl create it when you issue your first cert, just make sure to always reference the same file. (Each signed cert must have a Unique-to-the-CA serial).
    • When you sign, use these options: 
      • -CAcreateserial -CAserial myLocalCA.serial.sequence

Procedure to process (Sign) CSR

To do this you first need a CSR, chances are you be making them yourself, but you may also get them from a device or person or similar. For information on how to create a Certificate Signing request, see https://www.saumgm.com/p/openssl-cheat-sheet.html

Log in as your CA processor user (Assuming you did as the example above)

  • cd ~/myLocalCA
  • openssl x509 -req -days 720 -in /path/to/myhost.csr  -out /path/to/myhost.cert -CA myLocalCA.cert -CAkey myLocalCA.key -CAcreateserial -CAserial myLocalCA.serial.sequence
That is it - then just send or install the cert file where it is needed.

Trusting the CA

In order for browsers and things to trust certificates issued by this CA, you need to install the root certificate, the myLocalCA.cert file in a local CA trust repository. (Never share the private key, only the certificate!)

WARNING: You should NOT do this in any home, business, or production network or systems. Once you do this, any cert signed with this key will be trusted, make sure you keep your CA privates private and secure, and do not sign requests you do not know and trust completely.

On Ubuntu you can copy the cert file to /usr/local/share/ca-certificates/myLocalCA/myLocalCA.cert, make sure it has 0644 permissions, then do sudo update-ca-certificate

On Windows, right click the file and select install, choose the Trust CA repository.


Comments

Popular posts from this blog

Cisco UCS Mini - Add Extender Chassis

If you happen to own a UCS Mini Setup, a 5108 Chassis with two Fi 6324 or similar, and you are looking for documentation on how to add another 5108 Chassis with fabric extenders (2204XP in my case), then Cisco really does not have much out there, nor is there a lot of googlable information either (Everything you find is related to standalone Fabric Interconnects and "standard" UCS). Even after calling TAC, it took a while to get something, and what they told us was not even accurate. So here is how we did it, and it worked, came up without any interruption to current chassis, network, or running profiles. Equipment Of course we used our Cisco vendor to spec the equipment, but just for reference here is the list of what we had and what we added: Original Setup 5108 Chassis  Fi 6324 (Qty 2) Ports 1-2 for Fibre Channel, and 3-4 for Ethernet (MMF) Connected to a stack of switches and pair of FC switches/SAN Running UCS version 4.0.1 (Fairly recently upgraded as of M...

Active Directory Account Lockout - Narrowing Down the source

If you are in a all-windows shop where everything is nice and neat, everybody has a proper domain membership and all authentication is SSO or Windows Integrated, then you probably do not have much of a problem with repeated account lockouts. On the other hand, if you are in a mixed environment, lots of :Linux, Mac, and unmanaged Wintendo, then you probably run into some users that manage to Lock themselves out frequently - typically for several days in a row after the account password had been changed. Reasons can be plenty fold - typically saved credentials somewhere, like a git client, sql-server client, email client, rdp-manager, smbfs-automount, or anything that tries a bunch of logins when you start it up, or keeps trying in the background. As a sysadmin, you don't have time to narrow it down for the end user - but they will be adamant it is not their fault, so you probably need to prove that "Yes it is" - so I use powershell to grab 4740 events from Domain Con...

Campground Networking

I've travelled a couple years full time in an RV, working remotely. This can be a challenger, many campgrounds have poor Wi-Fi setups, and cell service is not always great (Do not plan on doing any work from the Grand Canyon National Park). Calling ahead and asking usually does not reveal accurate information, you are best off using campground reviews, search them for WIFI and read what people say.  The best network I have seen was at Eagles Landing RV Park in Holt, FL (Pan handle) http://eagleslandingrvpark.com/. Still not perfect. At poor sites, more than once did I offer my assistance in trying to configure and improve, but even the places which have no vendor maintain their system do not want any other hands on it. A couple of times I helped out anyway, default passwords on routers, so I upgraded their firmware, disabled 802.11b, and set a password so no-one else would mess with it. My RV network setup is not of a common type, you sort of have to be a bit of a network-guy to us...