CA Server - OpenSSL

In this video, we show how to create a Certificate Authority Server using OpenSSL

A number of IT devices are managed through a web browser, but these are supplied with a self-signed certificate

Aside from the annoying warning from the web browser that the certificate is not trusted, it is not good security practice to use self-signed certificates

Instead, if you only use certificates signed by a certificate authority your web browser trusts, you are much more likely to spot a suspicious web site, whether private or public, and avoid it

Once set up properly, the CA server can issue certificates to computers on your network and you can then connect to them securely through a web browser

We will be using an Ubuntu server for this installation but OpenSSL is available on other platforms

NOTE: In a large environment it is best to set up intermediate CA servers as well
However, given the lack of interest the likes of Google have shown in certificate revocation, we will only create a Root CA
Because a compromised intermediate could not reliably be revoked, it would be easier to replace the Root CA anyway

NOTE: The Google Chrome web browser insists on a Subject Alternative Name (SAN) in the certificate, even if the server has only one name


Steps taken:
1) Create the Root CA VM
Create a VM and install Ubuntu Server on it, for instance
(1vCPU, 1GB RAM, 16GB HDD, 1vNIC)
During the install process, opt to encrypt the disk and to install OpenSSH
However, do not install any other applications when prompted

2) Basic configuration
After enabling UFW, create folders for the CA
mkdir -p ca/{private,certs,newcerts,csr}
chmod -v 700 ca/private
Create an index file and serial file for the CA
touch ca/index
openssl rand -hex 16 > ca/serial

NOTE: The last line writes the random serial into ca/serial through a redirect (>), which the description box originally could not display; check the video if in doubt

3) Create the Root CA private key
cd ca

4) Create the CA config file
See comment

5) Create the root CA self-signed certificate

6) Create a server private key

7) Create a server CSR, using a config file
See comment
Check for the SAN

8) Sign the server certificate request
Check for the SAN

9) Configure web browser to trust the root CA
Firefox
Settings | Privacy & Security | View Certificates | Authorities | Import

Brave
Settings | Privacy & Security | Security | Manage certificates | Authorities | Import

10) Upload private key and certificate to the server, configure it to use these, then test on web browser
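The steps above carried through end to end, with the root-ca.conf sections from the pinned comment trimmed to the essentials, as an added example that is not the video's own commands. It assumes openssl 1.1.1 or later is on PATH; the organization name, hostname and IP address are constructed, the separate CSR config file is replaced by -subj and -addext, and copy_extensions = copy is added so the SAN in the CSR is carried into the signed certificate:

```shell
# Added example (not the video's commands): build a throwaway root CA in the tutorial's
# ca/ layout, sign a server CSR that carries a SAN, then verify chain and SAN (openssl >= 1.1.1)
build_lab_ca() {          # $1 = work dir, $2 = server DNS name, $3 = server IP (constructed)
  set -e
  mkdir -p "$1/ca/private" "$1/ca/certs" "$1/ca/newcerts" "$1/ca/csr" && chmod 700 "$1/ca/private"
  cd "$1/ca" && touch index && openssl rand -hex 16 > serial
  # Trimmed root-ca.conf; copy_extensions carries the CSR's SAN in, server_cert entries still win
  cat > root-ca.conf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
certificate = $dir/certs/root-ca.crt
private_key = $dir/private/root-ca.key
default_md = sha256
policy = policy_strict
copy_extensions = copy
[ policy_strict ]
organizationName = supplied
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = TempLab Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # Steps 3 and 5: root key and self-signed root cert; steps 6 and 7: server key and CSR
  openssl req -x509 -config root-ca.conf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -keyout private/root-ca.key -out certs/root-ca.crt 2>/dev/null
  openssl req -new -config root-ca.conf -newkey rsa:2048 -nodes -keyout "csr/$2.key" \
    -out "csr/$2.csr" -subj "/O=TempLab/CN=$2" -addext "subjectAltName=DNS:$2,IP:$3" 2>/dev/null
  # Step 8: sign with the ca command, then confirm the chain and that the SAN survived
  openssl ca -batch -notext -days 365 -config root-ca.conf -extensions server_cert \
    -in "csr/$2.csr" -out "certs/$2.crt" 2>/dev/null
  openssl verify -CAfile certs/root-ca.crt "certs/$2.crt" >/dev/null
  openssl x509 -in "certs/$2.crt" -noout -text | grep -q "DNS:$2, IP Address:$3"
}
```

Without copy_extensions the ca command silently drops the SAN from the CSR, which is why the final check is worth keeping in any signing script.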

=====================================
Credits:
LoveLife | Instrumental Prod. Blue Mango | EQMUSEQ.COM by Don Da Vinci


00:00 Intro
01:56 Timelines
02:30 Why create a CA?
08:09 How it works
13:20 Virtualization
16:00 Certificate revocation
24:08 Build VM
28:27 Initial set up
39:30 CA private key
49:34 OpenSSL config file
59:28 CA certificate
01:11:40 Server private key
01:14:04 Server CSR
01:21:15 Sign CSR
01:30:34 Install Root certificate and test

Comments

Config files used in the video below...

NOTE: The policy has since been changed and match is not used for the Organization name. This is because some CSRs were found to cause problems when signing, where even though the Organization name was the same, openssl generated an error saying they didn't match

*** root-ca.conf ***

[ ca ]
# 'man ca'
# Used by the ca command
default_ca = CA_default

[ CA_default ]
# Directory and file locations
dir = .
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
RANDFILE = $dir/private/.rand
# RANDFILE is for storing seed data for random number generation

# Root CA certificate and key locations
certificate = $dir/certs/root-ca.crt
private_key = $dir/private/root-ca.key

# Default message digest, we'll opt for SHA2 256bits
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict

[ policy_strict ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# 'man req'
# Used by the req command
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256

# Extensions to use for -x509 (the self-signed root CA certificate)
x509_extensions = v3_ca

[ req_distinguished_name ]
# Certificate signing request
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Defaults
countryName_default = GB
stateOrProvinceName_default = England
organizationName_default = TempLab

[ v3_ca ]
# 'man x509v3_config'
# Extensions for root CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# `man x509v3_config`
# Extensions for client certificates
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

---

*** csr/testserver-csr.conf ***

[ req ]
# 'man req'
# Used by the req command
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
# Certificate signing request
countryName = GB
stateOrProvinceName = England
organizationName = TempLab
commonName = test.templab.lan

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = test.templab.lan
IP.1 = 172.16.21.20

TechTutorialsDavidMcKone

One thing I have always hated when attending training courses is how the instructors have you enter commands but never explain why. Your comments are priceless and greatly appreciated. Not only are you easy to follow but more importantly, it's easy to understand why. Thank you for putting in the time for making the videos!

bambam

How come you don't have thousands of subscribers and views??? This video is BY FAR the best I've found regarding OpenSSL for PKI. Thank you sir for your video!

charles.oliveira

David, I struggled for over 3-4 months to create my own CA server, thank you for sharing this knowledge and for explaining everything so well. I really appreciate your work and knowledge, greetings from Mexico

digitalpunkdaft

Excellent job on this video. So very helpful. The SSL world can get really complicated with self-signed CA and server keys and certificates. You've helped make it so much clearer.

gonzo

Thank you for this David! This subject is not generally covered very well in my opinion (novice) - your explanations, while somewhat lengthy, are very illuminating to me. Certificates have been a big mystery to me and all of this is very helpful. I hope to be signing some certificates soon thanks to you!

jonathanrider

Hi David,
Also from me a big thank you for the excellent video about certificates. It helped me a lot understanding the whole process of certificate handling. I guess this detailed 1h40min+ video took you easily one day :)
Thanks and enjoy your coffee :)
Mark

DrLevi

Thank you for your effort to provide a great resource on openssl !! It helped me immensely to make my private network more secure.

itssoaztek

Really interesting post, thanks. It's true that revocation, at least for internet browsers, is currently broken, but there are very valid use cases where it can still be useful. For the purposes of a private home lab CA this solution is perfect. Nice and simple, assuming a basic level of understanding of how certificates and CAs work, and it doesn't require a private CA infrastructure, which would be overkill in this situation. In a business setting though I'd really consider the security implications as this approach does ignore some of the widely accepted good practice. Also, beyond a really small implementation I'd suggest that it's too labour intensive and prone to errors. If you're issuing certificates for any public facing servers then there are great solutions from the likes of Let's Encrypt, but that's a different use case. Great video.

flymoracer

Great video! I have implemented an internal Certificate Authority in our environment. It is working well. Good explanation. Once again, thank you.

krishnaspicy

Content is awesome, will be trying this in my lab later this week. One improvement would be to use bigger font or zoom into the work area to read more easily.

pama

Good day! Great, everything worked! Thank you very much!

eocmvzc

Hi David, I've set up a root CA and set up Apache with the server certificates; however, I'm using an IP address and my browser isn't trusting the connection despite installing the rootca.crt in the web browser's certificate store. My question is: do I need to set up a DNS server before setting this up?

vbttioc

I already have servers with IIS and a paid SSL certificate. Does implementing OpenSSL affect the certificate on those servers?

HusseinHusseinx

Thanks for this great tutorial @Tech Tutorials - David McKone!
Was wondering: If somehow you had problems with your ca server vm (for example upgrading linux doesn't go well) and you decide you want a new server VM, do you just install a new VM and copy over everything in /home/caadmin to the new server and all is well or is it more complicated than that?

alphenit

@Tech Tutorial, I am thinking about setting up a RootCA Ubuntu server. My Chrome browser has issues connecting to my internet web server or other admin pages on the inside of my network. With certificates it is still difficult to get the browser to behave right if it gets a self-signed certificate. At least the Safari browser would give the error but does give an option to access the website. I have not had a chance to view your video completely; does it cost to get a legit certificate or to make my server a RootCA? I would like to make everything on my network require https. Not being an experienced Linux person, sometimes it's difficult to follow all the steps.
Thank you

sidneyking

Very informative video. I have an OpenSSL query, if you can help. In the 'ecstresstest' I want to know the key value of 'kP256DefaultResult' if I set NUM_REPEATS equal to 100 only. Can you tell me how to find that?

marinatyres

In your video at 50:00 you reference a root-ca.conf file. Where to locate this file? I do not see it in my ca folder. thank you

sidneyking

you missed a big part in configuration - crls or ocsp setup. Otherwise good.

bcthales

Thank you, and I am sorry, it's not even 17 minutes in and I am in deep sleep 😴😴😴 Could have just made the video 30 minutes max. There's too much talking, a lot of beating around the bush using vector graphics. Sorry bro, I don't like it tbh

He-Is-One-and-Only