A more formal setup for a CA this time compared to the previous "Quick and Dirty" notes.
First of all, install a fresh Ubuntu. I chose 12.04 LTS Server because of its longer term support.
After installation, run the update commands to patch the systems:
$ sudo apt-get update
$ sudo apt-get dist-upgrade
Reboot the system, as the previous command may also have upgraded the kernel.
Let's edit the defaults for OpenSSL in Ubuntu. The configuration file is located at /etc/ssl/openssl.cnf.
Look for the following:
[ CA_default ]
dir = ./demoCA
Change it to:
[ CA_default ]
dir = /opt/WhiteHat-CA
Also look for
policy = policy_match
Change it to:
policy = policy_anything
You can also make changes to [ req_distinguished_name ] for different default values.
This time we create a static CA. Let's put it in /opt/WhiteHat-CA (or any name you like under /opt, as long as it matches the dir you specified in the configuration file above).
$ sudo mkdir /opt/WhiteHat-CA
We then secure it, so that only root (and sudoers) can access the CA.
$ sudo chmod 700 /opt/WhiteHat-CA
Create the necessary folders in the CA:
$ sudo mkdir /opt/WhiteHat-CA/certs
$ sudo mkdir /opt/WhiteHat-CA/private
$ sudo mkdir /opt/WhiteHat-CA/newcerts
Create the serial number file. Note that a plain "sudo echo 1000 > file" does not work here: the redirection is performed by your own (unprivileged) shell, not by sudo, and the directory is now only accessible to root. Pipe through sudo tee instead:
$ echo 1000 | sudo tee /opt/WhiteHat-CA/serial
And create the (empty) index.txt file:
$ sudo touch /opt/WhiteHat-CA/index.txt
Lastly, we create the private key and the cert for the CA:
$ sudo openssl req -new -x509 -days 3652 \
-extensions v3_ca \
-keyout /opt/WhiteHat-CA/private/cakey.pem \
-out /opt/WhiteHat-CA/cacert.pem
That's it!
Since we secured the CA, you need sudo to operate it (for example to run openssl ca commands); without it you will not have the required permissions.
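The whole procedure above as one script, added here as an example and not part of the original notes. It assumes a self-contained openssl.cnf written into the CA directory (instead of editing /etc/ssl/openssl.cnf), an unencrypted CA key via -nodes so it runs without a passphrase prompt, and that you run it as root or under sudo; ca_check then confirms the result carries the CA:TRUE basic constraint and verifies against itself.

```shell
#!/bin/sh
# Added example (not from the original notes): build a CA with the layout
# described above into <dir>, then check the resulting certificate.
set -eu

ca_init() {                        # ca_init <dir> <common name>
  dir=$1; cn=$2
  mkdir -p "$dir/certs" "$dir/private" "$dir/newcerts"
  chmod 700 "$dir" "$dir/private"  # only the owner (root) may enter the CA
  echo 1000 > "$dir/serial"        # redirection runs inside this script, so no sudo/tee needed
  : > "$dir/index.txt"             # empty certificate database
  # Private config (assumption) instead of editing /etc/ssl/openssl.cnf.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = $cn
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Same command as the notes, plus -config and -nodes (no passphrase; assumption).
  openssl req -new -x509 -days 3652 -extensions v3_ca -nodes \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  chmod 600 "$dir/private/cakey.pem"
}

# ca_check <dir>: succeeds only if the cert is a CA (CA:TRUE) and is self-signed.
ca_check() {
  openssl x509 -in "$1/cacert.pem" -noout -text | grep -q 'CA:TRUE' &&
  openssl verify -CAfile "$1/cacert.pem" "$1/cacert.pem" >/dev/null 2>&1
}
```

Run as `sudo sh ca.sh` after adding `ca_init /opt/WhiteHat-CA "WhiteHat CA" && ca_check /opt/WhiteHat-CA` at the bottom; the serial and index files are then in place for openssl ca.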
Thursday, January 30, 2014