How to install and configure CA (PKI) server on Ubuntu Linux server

To install a CA on a Linux server, install the following packages:

# aptitude install -y openssl ssl-cert

Once this is installed, edit the default configuration file:

# vim /etc/ssl/openssl.cnf

and change the following settings so it matches your environment:

countryName_default  =  DK
stateOrProvinceName_default  =  DK
localityName_default  =  Copenhagen
0.organizationName_default  =  SEFNET
organizationalUnitName_default  =  IT Dept.

Save and exit.

To create a root CA we will first create a CA key:

# openssl genrsa -des3 -out ca.key 4096

Note down the password used for the key file, since you will need it every time you create a new certificate. This is your root CA password!

Now we will generate a root CA certificate using the key. Fill out the required information. Note that the Common Name must be the FQDN of your root CA server.

# openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem

Now you have both the certificate and the key and you can distribute your root CA certificate (not the key) to your clients.

To create a client (server) certificate, we first need to generate a certificate signing request (CSR). First, we create a key file:

# openssl genrsa -out rocket01.sefnet.net.key 4096

Then, create the CSR file:

# openssl req -new -key rocket01.sefnet.net.key -out rocket01.sefnet.net.csr

Now we need to create the configuration file that will be used to create an SSL certificate:

# vim rocket01.sefnet.net.ext

And add the following lines:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = rocket01.sefnet.net

Save and exit.

Now, create an SSL certificate using the CSR, key, and the configuration file:

# openssl x509 -req -in rocket01.sefnet.net.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out rocket01.sefnet.net.crt -days 365 -sha256 -extfile rocket01.sefnet.net.ext

Note that since September 1st, 2020, major browsers reject SSL/TLS certificates issued for more than 13 months (397 days), so keep -days at or below that.

Now we need to install the client (server) certificate. Copy the root CA SSL certificate, client certificate, and the corresponding key file to your client (server) machine:

# cp ca.pem rocket01.sefnet.net.crt /etc/ssl/certs
# cp rocket01.sefnet.net.key /etc/ssl/private
# chown root:ssl-cert /etc/ssl/private/rocket01.sefnet.net.key
# chmod 640 /etc/ssl/private/rocket01.sefnet.net.key
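The steps above, collected into one non-interactive script so the whole procedure can be re-run and checked. This is an added example, not code from the original post: it assumes openssl is on the PATH, takes the work directory and the server FQDN as arguments, sets the subjects with -subj instead of prompting, keeps the CA key encrypted but reads its password from a file (ca.pass, a constructed placeholder value) so it can run unattended, and adds extendedKeyUsage = serverAuth to the extension file, which the post's own file does not have. The names (SEFNET, rocket01.sefnet.net, ca.sefnet.net) are the post's placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): build a root CA and issue one
# server certificate, then verify the result. Assumes openssl on the PATH.
set -eu

# Create a root CA key and a self-signed CA certificate in directory $1.
# The post uses -des3 and an interactive password; here the key is encrypted
# with AES-256 and the password lives in $1/ca.pass so the run is unattended.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    umask 077   # new key files are readable by the owner only
    # Constructed placeholder password; store the real one in a secret store.
    printf 'change-me-root-ca-password\n' > "$dir/ca.pass"
    openssl genrsa -aes256 -passout "file:$dir/ca.pass" -out "$dir/ca.key" 4096 2>/dev/null
    # CN is the CA's FQDN, as the post requires; ca.sefnet.net is assumed.
    openssl req -x509 -new -key "$dir/ca.key" -passin "file:$dir/ca.pass" \
        -sha256 -days 3650 \
        -subj "/C=DK/ST=DK/L=Copenhagen/O=SEFNET/OU=IT Dept./CN=ca.sefnet.net" \
        -out "$dir/ca.pem"
}

# Generate a key and CSR for FQDN $2, write the extension file, and sign the
# CSR with the CA in $1. Output files are named after the FQDN, as in the post.
issue_server_cert() {
    dir="$1"; fqdn="$2"
    openssl genrsa -out "$dir/$fqdn.key" 4096 2>/dev/null
    openssl req -new -key "$dir/$fqdn.key" \
        -subj "/C=DK/ST=DK/L=Copenhagen/O=SEFNET/OU=IT Dept./CN=$fqdn" \
        -out "$dir/$fqdn.csr"
    # Same extension file as the post, plus extendedKeyUsage = serverAuth
    # (an addition) so the certificate is explicitly scoped to TLS servers.
    cat > "$dir/$fqdn.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $fqdn
EOF
    # 365 days stays under the 397-day limit mentioned in the post.
    openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -passin "file:$dir/ca.pass" -CAcreateserial \
        -out "$dir/$fqdn.crt" -days 365 -sha256 -extfile "$dir/$fqdn.ext"
}

# Succeed only if the certificate chains to the CA, matches the hostname via
# its SAN, and is not itself marked as a CA.
verify_server_cert() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$fqdn" "$dir/$fqdn.crt" >/dev/null
    text="$(openssl x509 -in "$dir/$fqdn.crt" -noout -text)"
    printf '%s\n' "$text" | grep -q "DNS:$fqdn"
    printf '%s\n' "$text" | grep -q 'CA:FALSE'
}

# Usage: sh mkca.sh /srv/pki rocket01.sefnet.net
if [ "$#" -eq 2 ]; then
    make_ca "$1"
    issue_server_cert "$1" "$2"
    verify_server_cert "$1" "$2" && echo "issued $2, signed by $1/ca.pem"
fi
```

After it runs, copy ca.pem and the .crt and .key files into place with the ownership and permissions shown above; ca.key and ca.pass should never leave the CA host.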
