Pages

Thursday, 25 June 2015

LINUX (Ubuntu 14.04) Selfsign CA

This topic also do the same work as previous "MS Window CA". This topic would be tried on Linux:

I would like to setup my own internal Certification Authority (CA) on Ubuntu 14.04. Using certificates signed by my own CA, allows the Window IIS Web services using the certificates.

First, create the directories to hold the CA certificate and related files

mkdir /etc/ssl/CA
mkdir /etc/ssl/newcerts

The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, each certificate must have a unique serial number, and another file to record which certificates have been issued:

sh -c "echo '01' > /etc/ssl/CA/serial"
touch /etc/ssl/CA/index.txt

Edit /etc/ssl/openssl.cnf, and in the [ CA_default ] change:

Next, create the self-signed root certificate:

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650



Now install (copy) the root certificate and key:

mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/


You are now ready to start signing certificates
To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt, first, create private key for using to generate CSR:

openssl genrsa -des3 -out pk.key 2048
openssl rsa -in pk.key -out pubk.key


With pk.key is private key secured with passphrase and pubk.key is private key un-secured.

Then create the CSR, run the following command at a terminal prompt:

openssl req -new -key pubk.key -out web.csr
Your CSR will be created and it will be stored in the web.csr file.

You can now submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate. On the other hand, you can create self-signed certificate using this CSR.

Please NOTE: The "Organization Name" would be the same to CA information, otherwise you might get in error when issue the below command.

Once you have a CSR, enter the following to generate a certificate signed by the CA:

openssl ca -in web.csr -config /etc/ssl/openssl.cnf
After entering the password for the CA key, you will be prompted to sign the certificate, and again to commit the new certificate. You should then see a somewhat large amount of output related to the certificate creation. The example here


There should now be a new file automatically created /etc/ssl/newcerts/01.pem (and if we re-run the command for signing new CSR file, the new .pem files also automatically created in /etc/ssl/newcerts/ with the name sequence 02.pem, 03.pem, 04.pem...).
Open the /etc/ssl/newcerts/01.pem file then copy and paste everything beginning with the line:
-----BEGIN CERTIFICATE-----

and continuing through the line:

----END CERTIFICATE-----

to a new file named nhut.crt (for easy to remember). So, the nhut.crt would be

-----BEGIN CERTIFICATE----- 

<hash line>

----END CERTIFICATE----- 
Now, we have certificate nhut.crt, but our purpose is to use this certificate for applying Window IIS Website. The next step will be convert this certificate file to Window format, we need 3 kind of file to do this conversion:
=> The private key : pk.key
=> The certificate file need to be converted: nhut.crt
=> The certificate file of CA: /etc/ssl/certs/cacert.pem

openssl pkcs12 -export -out window_cert.pfx -inkey pk.key -in nhut.crt -certfile cacert.pem
Or we can copy /etc/ssl/certs/cacert.pem to cacert.crt for futher using.

(s.key in above picture is the same to pk.key, and cacert.crt ~ cacert.pem).

Enter password for export, copy this window_cert.pfx to window server, import to My computer.
Configure IIS for using this certificate:



The result showed (don't worry, the host name here might be www.nhut.com, or www.nhutnb.com depend on the "Common Name" we created before *.nhut.com or *.nhutnb.com... ):



Source: https://help.ubuntu.com/lts/serverguide/certificates-and-security.html