OpenSSL Certification Authority (CA) on Ubuntu Server
Posted on April 7, 2016

OpenSSL is a free, open-source library that you can use for digital certificates. One of the things you can do is build your own CA (Certificate Authority). A CA is an entity that signs digital certificates. An example of a well-known CA is.
Many websites on the Internet use certificates for their HTTPS connections that were signed by Verisign. Besides websites and HTTPS, there are some other applications/services that can use digital certificates. For example:

• VPNs: instead of using a pre-shared key, you can use digital certificates for authentication.
• Wireless: WPA2 Enterprise uses digital certificates for client authentication and/or server authentication using PEAP or EAP-TLS.
Instead of paying companies like Verisign for all your digital certificates, it can be useful to build your own CA for some of your applications. In this lesson, you will learn how to create your own CA.
Configuration

In my examples, I will use an Ubuntu server; the configuration of OpenSSL will be similar on other distributions like CentOS.

Prerequisites

Before we configure OpenSSL, I like to configure the hostname/FQDN correctly and make sure that the time, date and timezone are correct. Let’s take a look at the hostname:

vmware@ca:~$ hostname
ca

My hostname is “ca”. Let’s check the FQDN:

vmware@ca:~$ hostname -f
ca

It’s also “ca”. Let’s change the FQDN; you need to edit the following file for this:

$ sudo vim /etc/hosts

Change the following line:

127.0.1.1 ca

To:

127.0.1.1 ca.networklessons.local ca

Let’s verify the hostname and FQDN again:

vmware@ca:~$ hostname
ca
vmware@ca:~$ hostname -f
ca.networklessons.local

Our hostname and FQDN are now looking good. We could configure the time/date manually, but it might be a better idea to use NTP. You can synchronize the time/date with this command:

$ sudo ntpdate pool.ntp.org
29 Mar 19:46:44 ntpdate[16478]: adjust time server 149.210.205.44 offset 0.062135 sec

But it might be a better idea to synchronize periodically.
Let’s install the NTP tools:

$ sudo apt-get install ntp

Your Ubuntu server will use the following NTP server pools by default:

$ cat /etc/ntp.conf | grep server
# Specify one or more NTP servers.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

You can verify which servers it is currently using with the following command:

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 notax.pointpro. 193.79.237.14    2 u   14   64    3   13.607   16.002  31.631
 ntp.luna.nl     193.67.79.202    2 u   12   64    3   11.728   13.030  32.101
 ntp1.edutel.nl  80.94.65.10      2 u   11   64    3   16.193   12.460  31.346
 dsl-083-247-002 193.67.79.202    2 u    9   64    3   13.893   11.284  32.550
 juniperberry.ca 193.79.237.14    2 u    9   64    3   20.803   11.177  31.101

Our server is now configured correctly.
OpenSSL Configuration

OpenSSL uses a configuration file that is easy to read. There are a couple of things that we will change in it:

# vim /usr/lib/ssl/openssl.cnf

Look for the following section:

[ CA_default ]
dir = ./demoCA

And change it, so it looks like this:

[ CA_default ]
dir = /root/ca

The “/root/ca” folder is where we will store our private keys and certificates. You might also want to take a look at the default policy:

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Some fields like country, state/province, and organization have to match.
If you are building your CA for a lab environment like I am, then you might want to change some of these values:

[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

I’ve changed it so that only the country name has to match.

Root CA

The first thing we have to do is to create a root CA. This consists of a private key and a root certificate. These two items are the “identity” of our CA. Let’s switch to the root user:

$ sudo su

We will create a new folder which stores all keys and certificates:

# mkdir /root/ca

In this new folder we have to create some additional sub-folders:

# cd /root/ca
# mkdir newcerts certs crl private requests

We also require two files. The first one is called “index.txt”. This is where OpenSSL keeps track of all signed certificates:

# touch index.txt

The second file is called “serial”.
Each signed certificate will have a serial number. I will start with number 1234:

# echo '1234' > serial

All folders and files are in place. Let’s generate the root private key:

# openssl genrsa -aes256 -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
.++
..++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:

The root private key that I generated is 4096 bit and uses AES 256 bit encryption.
It is stored in the private folder using the “cakey.pem” filename. Anyone that has the root private key will be able to create trusted certificates. Keep this file secure! We can now use the root private key to create the root certificate:

# openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
Enter pass phrase for /root/ca/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:North-Brabant
Locality Name (eg, city) []:Tilburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Networklessons
Organizational Unit Name (eg, section) []:
Common Name (e.g. Server FQDN or YOUR name) []:CA.networklessons.local
Email Address []:admin@networklessons.local

The root certificate will be saved as the “cacert.pem” filename and is valid for 10 years.

Create a certificate

Our root CA is now up and running. Normally, when you want to install a certificate on a device (a web server, for example), the device will generate a CSR (Certificate Signing Request). This CSR is created using the private key of the device. On our CA, we can then sign the CSR and create a digital certificate for the device. Another option is that we can do everything on our CA.
We can generate a private key and a CSR and then sign the certificate, everything “on behalf” of the device. That’s what I am going to do in this example; it’s a good way to test if your CA is working as expected.
I’ll generate a private key, CSR and certificate for an imaginary “web server”. Let’s use the requests folder for this:

# cd /root/ca/requests/

First, we have to generate a private key:

# openssl genrsa -aes256 -out some_serverkey.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
.+++
e is 65537 (0x10001)
Enter pass phrase for some_server.pem:
Verifying - Enter pass phrase for some_server.pem:

The private key will be 2048 bit and uses AES 256 bit encryption.
With the private key, we can create a CSR:

root@ca:~/ca/requests# openssl req -new -key some_serverkey.pem -out some_server.csr
Enter pass phrase for some_serverkey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: NL
State or Province Name (full name) [Some-State]: North-Brabant
Locality Name (eg, city) []: Tilburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Networklessons
Organizational Unit Name (eg, section) []:
Common Name (e.g.
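The whole procedure above, carried through to the signing step the text describes (openssl ca, which is what the index.txt, serial and newcerts entries in the CA folder exist for) and a chain verification, as an added example that is not part of the original post. It is a POSIX shell script that builds a throwaway CA under a temporary directory with the relaxed policy_match shown earlier, so everything runs without prompts: passphrases are supplied with -passout/-passin, and the CA name (ca.example.test), the server name, the organization and the passphrases are constructed values, not the post's. It also shows two things the text does not spell out: a request whose country differs from the CA's is refused by countryName = match, and openssl ca reads the serial file as hexadecimal, so a serial file starting at 1234 issues certificate serial 0x1234 and is then bumped to 1235.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway OpenSSL CA in a
# temporary directory, non-interactively, with the relaxed policy_match from the
# text, then issue one server certificate through "openssl ca" and verify it.
# Assumptions: openssl 1.1 or newer on PATH; every name and passphrase below is constructed.
set -eu

CA_PASS="constructed-ca-passphrase"      # constructed; never keep a real CA passphrase in a script
SRV_PASS="constructed-server-passphrase" # constructed

# Folder layout, index.txt, serial and a config whose CA_default dir points at the new folder.
build_ca() {
  dir="$1"
  mkdir -p "$dir/newcerts" "$dir/certs" "$dir/crl" "$dir/private" "$dir/requests"
  chmod 700 "$dir/private"          # the root key lives here; nobody else needs to read it
  : > "$dir/index.txt"              # database of every certificate this CA has signed
  echo '1234' > "$dir/serial"       # next serial, read by "openssl ca" as HEX (0x1234)
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = server_cert

[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment

[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no

[ req_dn ]
C = NL
O = Example Lab
CN = ca.example.test

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Root private key (AES-256 protected) and self-signed root certificate: 10 years, serial 0.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/private/cakey.pem" 4096
  openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
    -passin "pass:$CA_PASS" -out "$dir/cacert.pem" -days 3650 -set_serial 0
}

# Private key and CSR "on behalf of" a server, in the requests folder. $3 is the subject DN.
make_csr() {
  dir="$1"; name="$2"; subject="$3"
  openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out "$dir/requests/${name}key.pem" 2048
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/requests/${name}key.pem" \
    -passin "pass:$SRV_PASS" -subj "$subject" -out "$dir/requests/$name.csr"
}

# Sign a CSR with the CA; returns openssl's exit status (non-zero when policy_match rejects it).
sign_csr() {
  dir="$1"; name="$2"
  openssl ca -batch -config "$dir/openssl.cnf" -passin "pass:$CA_PASS" \
    -in "$dir/requests/$name.csr" -out "$dir/certs/$name.pem"
}

# Chain check against the root, and the serial the CA actually wrote into a certificate.
verify_cert()   { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null; }
issued_serial() { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }

DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
build_ca "$DEMO_DIR"
make_csr "$DEMO_DIR" some_server "/C=NL/O=Example Lab/CN=some_server.example.test"
SIGN_OK_RC=0;  sign_csr "$DEMO_DIR" some_server || SIGN_OK_RC=$?
# Same kind of request but with C=US: countryName = match means the CA must refuse it.
make_csr "$DEMO_DIR" wrong_country "/C=US/O=Example Lab/CN=wrong.example.test"
SIGN_BAD_RC=0; sign_csr "$DEMO_DIR" wrong_country || SIGN_BAD_RC=$?
echo "sign ok=$SIGN_OK_RC, policy reject=$SIGN_BAD_RC," \
  "issued serial=$(issued_serial "$DEMO_DIR/certs/some_server.pem"), next serial=$(cat "$DEMO_DIR/serial")"
```

Run it with sh; it prints the two exit statuses and the serials, then removes the temporary directory on exit. Passing passphrases on the command line is acceptable for a disposable lab CA like this one; for a CA you intend to trust, keep the interactive prompt (or -passin file:), leave the private folder readable by root only, and treat cakey.pem exactly as the text says: whoever holds it can issue certificates your clients will trust.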