Debian / Ubuntu - Create a root certification authority (Root CA)

Page 1 / 2

If you have a Linux server or a VPS (a virtual machine hosted on the Internet) and want to secure several services (web, mail, ...), setting up your own certification authority becomes very useful. With it, you simply import your CA's certificate into the "trusted authorities" list of your devices (computers, smartphones, ...) so that every certificate you issue is treated as coming from a recognized authority.

Tutorial tested on Ubuntu 12.04 and Debian 7.7.0.

  1. OpenSSL installation
  2. Create the certification authority (CA)
  3. Create a certificate signing request (CSR)
  4. Create a certificate from the signing request
  5. Securing Apache with the SSL certificate
  6. Test the configuration
  7. Import the certificate of the authority on Linux PCs
  8. Import the certificate of the authority on Windows PCs
  9. Revoke a certificate
  10. Create the revocation list (CRL)
  11. Make the revocation list available from the web
  12. Test the revocation

1. OpenSSL installation

First, update the package list.

Code : Bash

apt-get update

Then, install the "openssl" package.

Code : Bash

apt-get install openssl

 

2. Create the certification authority (CA)

To edit the information that OpenSSL will use to create the CA, modify the "/etc/ssl/openssl.cnf" file.

In this file, you can change the validity period of the certificates you sign.
For example: 10 years (3650 days).

Code : Plain Text

default_days = 3650

Change the size of the key used. For reference: GeoTrust requires 2048-bit keys for certificate requests.

Code : Plain Text

default_bits = 2048

Then, set the information of your Certification Authority, including the following:

Code : Plain Text

# Country code.
countryName_default = US
# The state or province. Personally, I have set the country to protect my privacy.
stateOrProvinceName_default = United States
# The name of your organization (or the name of your website if you wish).
0.organizationName_default = InformatiWeb
# In the "[ usr_cert ]" section, add the following line:
crlDistributionPoints=URI:http://www.informatiweblan.net/ca-crl.crl
# Doc : https://www.openssl.org/docs/apps/x509v3_config.html#crl_distribution_points_

Finally, create your certification authority with OpenSSL's "CA.sh" script.

Code : Bash

cd /usr/lib/ssl/misc/
sudo ./CA.sh -newca

During the creation of the certification authority, the script will ask you for:
- A passphrase to protect the private key of the CA.
- The information to include in the certificate of the authority.

Note : The common name to specify when creating the CA is the name of your Certification Authority.

Code : Plain Text

...
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
...
Country Name (2 letter code) [BE]:
State or Province Name (full name) [Belgium]:
Locality Name (eg, city) []:
Organization Name (eg, company) [InformatiWeb]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:InformatiWeb CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...

In the "/usr/lib/ssl/misc/demoCA" folder created by this script, you will find all the files of your Certificate Authority, including the certificate of the authority itself: "cacert.pem".

Code : Bash

ls -l /usr/lib/ssl/misc/demoCA/

Code : Bash

total 40
-rw-r--r-- 1 root root 4309 fév 11 16:14 cacert.pem
-rw-r--r-- 1 root root  972 fév 11 16:14 careq.pem
drwxr-xr-x 2 root root 4096 fév 11 16:14 certs
drwxr-xr-x 2 root root 4096 fév 11 16:14 crl
-rw-r--r-- 1 root root   94 fév 11 16:14 index.txt
-rw-r--r-- 1 root root   21 fév 11 16:14 index.txt.attr
-rw-r--r-- 1 root root    0 fév 11 16:14 index.txt.old
drwxr-xr-x 2 root root 4096 fév 11 16:14 newcerts
drwxr-xr-x 2 root root 4096 fév 11 16:14 private
-rw-r--r-- 1 root root   17 fév 11 16:14 serial

 

3. Create a certificate signing request (CSR)

To take a common example, we will request a certificate with these specifications:
- Valid for 10 years
- Valid for all subdomains (but not for the bare domain itself)
- Private key without passphrase protection, so that Apache does not prompt for it at startup (or on reboot after a problem)

Code : Bash

# Note: without -x509, "-days" has no effect on a request. The lifetime of the signed
# certificate comes from "default_days" in openssl.cnf when the CA signs it (step 4).
openssl req -new -nodes -keyout /etc/ssl/private/www-key.pem -out /tmp/www-req.pem -days 3650

As before, you will be asked for the certificate information.
Enter "*.domain.net" as the common name, because this is the value the browser checks.
Note: to generate a certificate valid for the bare domain only, enter "domain.net" as the common name.

Code : Plain Text

Generating a 2048 bit RSA private key
............+++
..........+++
writing new private key to 'www-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BE]:
State or Province Name (full name) [Belgium]:
Locality Name (eg, city) []:
Organization Name (eg, company) [InformatiWeb]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.informatiweblan.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

4. Create a certificate from the signing request

Finally, sign the request with your CA to produce the certificate.

Code : Bash

cd /usr/lib/ssl/misc/
openssl ca -out /etc/ssl/certs/www-cert.pem -infiles /tmp/www-req.pem

Code : Plain Text

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            92:41:c8:a0:fa:43:33:f6
        Validity
            Not Before: Feb 11 15:30:52 2015 GMT
            Not After : Feb  8 15:30:52 2025 GMT
        Subject:
            countryName               = BE
            stateOrProvinceName       = Belgium
            organizationName          = InformatiWeb
            commonName                = *.informatiweblan.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9E:24:79:43:C8:90:6E:9E:52:4A:80:8C:35:32:92:AC:66:CD:20:F6
            X509v3 Authority Key Identifier:
                keyid:10:44:64:86:EB:FE:F1:52:10:8A:0B:EF:2C:49:EE:DC:F0:1C:B3:2F

Certificate is to be certified until Feb  8 15:30:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
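As an added example (not part of this tutorial), here are steps 2 to 4 scripted non-interactively in a scratch directory with a minimal openssl.cnf that carries the three settings edited above, followed by the checks worth running on the issued certificate: chain validation, the CA flag on each certificate, the key matching the certificate, the embedded CRL URL and the 3650-day lifetime. The root is self-signed with "openssl req -x509" instead of CA.sh, and the names "Example CA", "*.example.net", the passphrase and the CRL URL are placeholders.

```shell
# Added example (not the tutorial's code): steps 2-4 run non-interactively in a scratch
# dir, then checked. Root is self-signed via "openssl req -x509", not CA.sh; names/URL/passphrase are placeholders.
set -eu
build_demo_ca() {
  WORK=$(mktemp -d); cd "$WORK"; mkdir -p demoCA/private demoCA/newcerts
  : > demoCA/index.txt; echo 1000 > demoCA/serial   # empty database, first serial
  # Minimal openssl.cnf carrying the tutorial's edits: default_days, default_bits, [ usr_cert ] CRL URL.
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 3650
policy = pol
x509_extensions = usr_cert
[ pol ]
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://ca.example.net/ca-crl.crl
EOF
  # Step 2: passphrase-protected CA key and self-signed CA certificate.
  openssl req -new -x509 -config openssl.cnf -extensions v3_ca -days 3650 -subj "/CN=Example CA" \
    -passout pass:demo-ca-pass -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
  # Step 3: wildcard request; -nodes leaves the server key unencrypted.
  openssl req -new -nodes -config openssl.cnf -subj "/CN=*.example.net" \
    -keyout www-key.pem -out www-req.pem 2>/dev/null
  # Step 4: sign with the CA; -batch answers the y/n prompts, -notext writes PEM only.
  openssl ca -batch -notext -config openssl.cnf -passin pass:demo-ca-pass \
    -out www-cert.pem -infiles www-req.pem 2>/dev/null
  CA_CERT="$WORK/demoCA/cacert.pem"; SRV_CERT="$WORK/www-cert.pem"; SRV_KEY="$WORK/www-key.pem"
}
# Checks worth running after issuing: chain, CA flags, key/cert match, CRL URL, lifetime.
chain_ok()    { openssl verify -CAfile "$CA_CERT" "$SRV_CERT" >/dev/null; }
ca_flag()     { openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(CA:[A-Z]*\).*/\1/p'; }
key_matches() { [ "$(openssl pkey -in "$SRV_KEY" -pubout)" = "$(openssl x509 -in "$SRV_CERT" -noout -pubkey)" ]; }
has_crl_dp()  { openssl x509 -in "$SRV_CERT" -noout -text | grep -q 'URI:http://ca.example.net/ca-crl.crl'; }
valid_after() { openssl x509 -in "$SRV_CERT" -noout -checkend $(( $1 * 86400 )) >/dev/null; }  # 0 = still valid
```

Current browsers match the hostname against the subjectAltName extension rather than the common name, so for a certificate that real clients accept, add a `subjectAltName = DNS:*.example.net, DNS:example.net` line to the extension section used at signing time.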