Thursday, January 30, 2014

Creating a CA on Ubuntu

A more formal setup for a CA this time compared to the previous "Quick and Dirty" notes.

First of all, install a fresh Ubuntu.  I chose 12.04 LTS Server for its longer support period.

After installation, run the update commands to patch the system:
$ sudo apt-get update
$ sudo apt-get dist-upgrade

Reboot the system, as the previous command may also have upgraded the kernel.

Let's edit the OpenSSL defaults.  On Ubuntu the configuration file is /etc/ssl/openssl.cnf

Look for the following:

[ CA_default ]
dir = ./demoCA

Change it to:

[ CA_default ]
dir = /opt/WhiteHat-CA

Also look for

policy = policy_match

Change it to:

policy = policy_anything

Note what this trades away: with policy_match, openssl ca refuses any request whose countryName, stateOrProvinceName and organizationName differ from the CA certificate's; policy_anything only requires a commonName and accepts whatever else the request carries.  That is convenient for an internal CA, but it means the CA itself no longer rejects an unexpected subject, so review every request before signing it.

You can also make changes to [ req_distinguished_name ] for different default values.

This time we are creating a static CA, so put it under /opt/WhiteHat-CA (or any other name under /opt, as long as it matches the dir value you set in the configuration file above).

$ sudo mkdir /opt/WhiteHat-CA

We then lock it down so that only root (and therefore anyone with sudo) can enter the directory:

$ sudo chmod 700 /opt/WhiteHat-CA

Keep in mind that this also hides cacert.pem, which is public: copy it out of the tree when you need to distribute it to clients.

Create the necessary folders in the CA:

$ sudo mkdir /opt/WhiteHat-CA/certs
$ sudo mkdir /opt/WhiteHat-CA/private
$ sudo mkdir /opt/WhiteHat-CA/newcerts

Create the serial number file (the value is hexadecimal; openssl ca increments it after each certificate it issues):

$ echo 1000 | sudo tee /opt/WhiteHat-CA/serial

A plain "sudo echo 1000 > /opt/WhiteHat-CA/serial" does not work here: the redirection is performed by your own unprivileged shell, not by sudo, so it fails with "Permission denied" on a root-owned 700 directory.  Piping through sudo tee writes the file as root.

And create the index.txt file

$ sudo touch /opt/WhiteHat-CA/index.txt

Lastly, we create the private key and the certificate for the CA.  Without -newkey the key size comes from default_bits in the [ req ] section of openssl.cnf, and the digest from default_md; older stock configurations default to 1024-bit keys and SHA-1, so state both explicitly.  You will be prompted for a passphrase for the key; for a CA key, set one.

$ sudo openssl req -new -x509 -days 3652 \
-newkey rsa:4096 -sha256 \
-extensions v3_ca \
-keyout /opt/WhiteHat-CA/private/cakey.pem \
-out /opt/WhiteHat-CA/cacert.pem
$ sudo chmod 400 /opt/WhiteHat-CA/private/cakey.pem

That's it!

Since we secured the CA, whenever you need to operate it (execute openssl ca commands) you have to use sudo in order to get the required permissions.
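To show the layout above actually working end to end, here is an added example script (not part of the original post) that builds the same directory structure, serial and index.txt files in a scratch directory, writes a self-contained openssl.cnf equivalent to the /etc/ssl/openssl.cnf edits made above, creates the CA key and certificate, then issues one certificate with openssl ca and verifies it against the CA.  It runs unprivileged in a temporary directory rather than under /opt, so no sudo is needed and the redirection pitfall does not arise; the directory names, the "WhiteHat Test CA" and www.example.test subjects, the usr_cert extension section and the use of -nodes (no passphrase, so it runs unattended) are all assumptions of this example, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the CA layout in a scratch
# directory, issue one certificate with "openssl ca", and verify it.
# Subject names, section names and the -nodes choice are assumptions.
set -eu

# setup_ca DIR: directory layout, serial, index.txt, config, CA key and cert.
setup_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/private" "$dir/newcerts"
    chmod 700 "$dir" "$dir/private"
    echo 1000 > "$dir/serial"     # hex; no sudo, so this shell owns the redirection
    : > "$dir/index.txt"

    # Minimal config mirroring the edits made to /etc/ssl/openssl.cnf in the post:
    # dir points at the CA tree and policy is policy_anything (only CN required).
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $dir
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 4096
default_md         = sha256
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
CN = WhiteHat Test CA

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ usr_cert ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # Self-signed CA certificate, same shape as the post's command; -nodes only
    # so the example runs unattended (a real CA key should have a passphrase).
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3652 -extensions v3_ca \
        -nodes -subj "/CN=WhiteHat Test CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 400 "$dir/private/cakey.pem"
}

# issue_cert DIR NAME: key + CSR for NAME, signed by the CA with openssl ca.
issue_cert() {
    dir="$1"; name="$2"
    openssl req -config "$dir/openssl.cnf" -new -nodes -newkey rsa:2048 \
        -subj "/CN=$name" \
        -keyout "$dir/private/$name.key" -out "$dir/certs/$name.csr" 2>/dev/null
    # -batch: no interactive confirmation; the copy in newcerts/ is named by serial.
    openssl ca -config "$dir/openssl.cnf" -batch -notext -extensions usr_cert \
        -in "$dir/certs/$name.csr" -out "$dir/certs/$name.pem" 2>/dev/null
}

# verify_cert DIR NAME: exit 0 if the issued certificate chains to cacert.pem.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.pem" >/dev/null 2>&1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 0; }
    dir=$(mktemp -d)
    setup_ca "$dir"
    issue_cert "$dir" www.example.test
    verify_cert "$dir" www.example.test && echo "issued and verified www.example.test under $dir"
}
main
```

After a run, serial holds 1001, newcerts/1000.pem is the CA's own copy of the issued certificate, and index.txt has a line beginning with V (valid) for it; the -extensions usr_cert flag is what marks the leaf as CA:false, which is the part of the layout the post's -extensions v3_ca flag does for the root.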
