-
Notifications
You must be signed in to change notification settings - Fork 0
Setting up an internal Certificate Authority
If you want to use TLS to secure communications between hosts on your internal network, then you might want to run an internal Certificate Authority(CA).
Why would you want/need to run an internal CA? Because most (if not all) webclients (for example: browsers, curl, etc) verify the certificates of the TLS enabled servers they connect to, and they will refuse to connect/communicate with a server whose certificate it can not validate. You could override/ignore certificate validation issues, but that sets a precedence of disabling security measures for the sake of convenience (which will, very likely, lead to security problems). By setting up, and using an internal CA, you can create another point of validation.
The CA we are creating is expected to be utilized infrequently, and therefore, manual commands will be utilized.
First, Generate the CA's private key:
# openssl genrsa -des3 -out my_ca.key 4096
Second, Generate the root certificate for the CA:
# openssl req -new -x509 -days 365 -key my_ca.key -out my_ca.crt
That's it. You have all that you need to start signing certificates.
You need to generate a Certificate Signing Request (CSR). The CSR will be used by your CA to create a signed certificate. Use the following command on the host that you need a certificate for:
# openssl req -new -newkey rsa:4096 -nodes -keyout your_host.key -out your_host.csr
You will be prompted to enter some general information about your host/organization.
Copy the generated CSR to the host that you have your CA key and certificate on, then run the following command to generate the signed certificate:
# openssl x509 -req -days 365 -in your_host.csr -CA my_ca.crt -CAkey my_ca.key -CAcreateserial -out your_host.crt
Now you should copy the signed certificate and the CA certificate to the host you generated your CSR.
Until you install your CA root certificate, clients will not trust the certificates signed by your CA.
On linux systems the Openssl directory may vary (You can use the command: openssl version -d to find the directory). You will want to put a copy of your CA's certificate in the 'certs' subdirectory. After this you will need to run the 'c_rehash' command to get openssl to recognize/use your CA's certificate.
On Mac OS X systems you will need to import your CA's certificate into the 'Keychain Access' utility, and then set it to trust the certificate.
Frequently, the root certificate is not used to directly issue the certificates that are utilized on servers. Usually, the root certificate issues certificates for other keys, and it is these intermediary keys that are used to issue/sign the certificates used on the servers. The root CA certificate spends most of its life on a hardware security module (HSM) inside the corporate safe, and occasionally gets pulled out and dusted off to sign or revoke intermediate certificates.
The root certificate will still need to be installed on the client machines, but the server will need to provide only its certificate, but also the certificate(s) of the intermediary certificates (which were signed by the root CA).