Thursday, January 30, 2014

Creating a CA on Ubuntu

A more formal setup for a CA this time compared to the previous "Quick and Dirty" notes.

First of all, install a fresh Ubuntu.  I chose 12.04 LTS Server because of its longer support period.

After installation, run the update commands to patch the system:
$ sudo apt-get update
$ sudo apt-get dist-upgrade

Reboot the system, since dist-upgrade may also have upgraded the kernel.

Let's edit the defaults for OpenSSL in Ubuntu.  The configuration file is located at /etc/ssl/openssl.cnf

Look for the following:

[ CA_default ]
dir = ./demoCA

Change it to:

[ CA_default ]
dir = /opt/WhiteHat-CA

Also look for

policy = policy_match

Change it to:

policy = policy_anything

Be aware of what this relaxes: policy_match refuses to sign a request whose countryName, stateOrProvinceName or organizationName differ from the CA certificate, while policy_anything only requires that a commonName be present.  That is convenient for a private CA issuing certificates for mixed hosts, but it means the only check on what gets signed is the person running openssl ca.  While you are in [ CA_default ], it is also worth setting default_md = sha256, because the OpenSSL 1.0.1 shipped with 12.04 otherwise signs issued certificates with SHA-1.

You can also make changes to [ req_distinguished_name ] for different default values.

This time we are creating a permanent CA, so let's put it in /opt/WhiteHat-CA (or whatever directory under /opt you specified in the configuration file above).

$ sudo mkdir /opt/WhiteHat-CA

Then lock it down so that only root (and therefore sudoers) can access the CA:

$ sudo chmod 700 /opt/WhiteHat-CA

Create the necessary folders in the CA:

$ sudo mkdir /opt/WhiteHat-CA/certs
$ sudo mkdir /opt/WhiteHat-CA/private
$ sudo mkdir /opt/WhiteHat-CA/newcerts

Create the serial number file.  Note that the obvious "sudo echo 1000 > /opt/WhiteHat-CA/serial" fails with "Permission denied": the redirection is performed by your own unprivileged shell, not by the sudo'd echo, and the directory is now root-only.  Pipe through tee instead:

$ echo 1000 | sudo tee /opt/WhiteHat-CA/serial

And create the index.txt file

$ sudo touch /opt/WhiteHat-CA/index.txt

Lastly, we create the private key and the self-signed certificate for the CA.  You will be prompted for the subject fields (defaults come from [ req_distinguished_name ]) and for a passphrase; set one, as it is what protects cakey.pem if the machine is ever imaged or backed up.  Add -sha256 to the command as well if you do not want the root certificate itself signed with SHA-1:

$ sudo openssl req -new -x509 -days 3652 \
-extensions v3_ca \
-keyout /opt/WhiteHat-CA/private/cakey.pem \
-out /opt/WhiteHat-CA/cacert.pem

That's it!

Since the CA directory is locked down, operating the CA (running openssl ca commands) requires sudo to obtain the necessary permissions; the same goes for editing serial or index.txt by hand.
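As an added, end-to-end example (not part of the original post), the whole procedure above as one shell script: it writes a private openssl.cnf carrying the [ CA_default ] edits (dir, policy_anything, default_md = sha256), creates the directory tree, serial and index.txt, generates the CA key and certificate, and then proves the CA actually works by issuing and verifying a test server certificate with openssl ca.  It assumes openssl is on the PATH and takes the CA directory as an argument so it runs as an ordinary user in a scratch directory; the CA name, hostname, extension sections and default_days are constructed for the demo, and -nodes is used only so the demo runs unattended.

```shell
#!/bin/sh
# Added example (not from the original post): the same CA layout and
# openssl.cnf edits as above, built under any directory you pass in so it runs
# without sudo, then exercised with `openssl ca`. Assumes openssl is in PATH;
# the CA name, hostname and default_days values are constructed for the demo.
set -e

# make_ca_config CA_DIR: write a private openssl.cnf that mirrors the
# [ CA_default ] changes above (dir, policy_anything) plus default_md = sha256.
make_ca_config() {
    ca_dir="$1"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $ca_dir
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything

# policy_anything: only a commonName is required, nothing has to match the CA
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# init_ca CA_DIR: the mkdir/chmod/serial/index.txt steps, then the CA key+cert.
init_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/private" "$ca_dir/newcerts"
    chmod 700 "$ca_dir" "$ca_dir/private"
    echo 1000 > "$ca_dir/serial"     # plain redirect: we own the directory here
    : > "$ca_dir/index.txt"
    make_ca_config "$ca_dir"
    # -nodes keeps the demo unattended; a real CA omits it and sets a passphrase
    openssl req -new -x509 -days 3652 -newkey rsa:2048 -nodes -sha256 \
        -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=WhiteHat Demo CA" \
        -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" 2>/dev/null
    chmod 400 "$ca_dir/private/cakey.pem"
}

# issue_cert CA_DIR CN OUT: make a key+CSR for CN, sign it with `openssl ca`.
# Writes OUT (.pem), OUT.key and OUT.csr; fails if the CA refuses the request.
issue_cert() {
    ca_dir="$1"; cn="$2"; out="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$ca_dir/openssl.cnf" -subj "/CN=$cn" \
        -keyout "$out.key" -out "$out.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -extensions v3_server \
        -in "$out.csr" -out "$out" 2>/dev/null
}

# verify_cert CA_DIR CERT: exit 0 only if CERT chains to this CA's cacert.pem.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# Usage: sh ca-demo.sh /tmp/WhiteHat-CA
if [ -n "$1" ]; then
    init_ca "$1"
    issue_cert "$1" "www.example.test" "$1/certs/www.example.test.pem"
    verify_cert "$1" "$1/certs/www.example.test.pem" && echo "issued and verified"
fi
```

Run it as sh ca-demo.sh /tmp/WhiteHat-CA.  Afterwards serial reads 1001, index.txt has one V (valid) entry for the hostname, and newcerts/1000.pem is the archived copy of the issued certificate; that is the state openssl ca maintains in the files this post creates by hand, so never edit them while a signing run is in progress.  For the real /opt/WhiteHat-CA, drop -nodes, run under sudo, and point -config back at /etc/ssl/openssl.cnf.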