Menu

CA server with Easy-RSA

Install server

We use the certificate server to create certificates and enable secure connection between all our servers and services. We do not need large resources for CA server. I choose 1Gb RAM, a CPU and 10Gb hard disk but we can run it on 512Mb RAM and 3Gb HD.

 

sudo virt-install --virt-type kvm --name ca \
  --location \
  deb.debian.org/debian/dists/bullseye/main/installer-amd64/ \
  --memory 1024 \
  --vcpus 1 \
  --disk pool=vmdisks,size=10,format=qcow2 \
  --network bridge=br0 \
  --hvm \
  --graphics none \
  --console pty,target_type=serial \
  --extra-args "console=ttyS0"

Set Up and Configure a Certificate Authority (CA)

Easy-RSA is a Certificate Authority management tool that you will use to generate a private key and public root certificate, which you will then use to sign requests from clients and servers that will rely on your CA.

Installing Easy-RSA

Becouse Easy-RSA is just bunch of script and not application I will download and unpack archive:

 

sudo apt update
sudo apt install easy-rsa

 

At this point you have everything you need set up and ready to use Easy-RSA. In the next step you will create a Public Key Infrastructure, and then start building your Certificate Authority.

Preparing a Public Key Infrastructure Directory

Non root user should manage and interact with the CA without elevated privileges.

 

sudo mkdir /srv/easy-rsa
sudo chown -R emir:emir /srv/easy-rsa
sudo chmod 700 /srv/easy-rsa
ln -s /usr/share/easy-rsa/* /srv/easy-rsa/
cd /srv/easy-rsa
./easyrsa clean-all
touch pki/.rand
touch pki/index.txt

 

Creating a Certificate Authority

Before you can create your CA’s private key and certificate, you need to create and populate a file called vars with some default values. First you will cd into the easy-rsa/pki directory, then you will create and edit the vars file with vim or your preferred text editor:

 

if [ -z "$EASYRSA_CALLER" ]; then
  echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
  echo "This is no longer necessary and is disallowed. See the section called" >&2
  echo "'How to use this file' near the top comments for more details." >&2
  return 1
fi

set_var EASYRSA_DN  "org"
set_var EASYRSA_REQ_COUNTRY "BA"
set_var EASYRSA_REQ_PROVINCE  "Province"
set_var EASYRSA_REQ_CITY  "Citu"
set_var EASYRSA_REQ_ORG "Organisation"
set_var EASYRSA_REQ_EMAIL "administrator@yourdomain.com"
set_var EASYRSA_REQ_OU    "Organisations unit"

set_var EASYRSA_KEY_SIZE  2048
set_var EASYRSA_ALGO    rsa
set_var EASYRSA_CA_EXPIRE 10950
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_CRL_DAYS  180
set_var EASYRSA_CERT_RENEW  30
set_var EASYRSA_RAND_SN "yes"
set_var EASYRSA_NS_COMMENT  "Your Organisation Certificate"
set_var EASYRSA_DIGEST    "sha512"

 

To create the root public and private key pair for your Certificate Authority, run the ./easy-rsa command again, this time with the build-ca option:

 

./easyrsa build-ca
sudo cp pki/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

 

Using Easy-RSA to generate keypairs & requests

Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This request is what a CA needs in order to generate and return a signed certificate.

Ideally you should never generate entity keypairs for a client or server in a PKI you are using for your CA. It is best to separate this process and generate keypairs only on the systems you plan to use them.

Create server certificate

 

./easyrsa gen-req dc01 nopass
./easyrsa sign-req server dc01
./easyrsa gen-req dc02 nopass
./easyrsa sign-req server dc02
./easyrsa gen-req mail nopass
./easyrsa sign-req server mail
./easyrsa gen-req srv01 nopass
./easyrsa sign-req server srv01
./easyrsa gen-req srv02 nopass
./easyrsa sign-req server srv02

 

Check certificate

 

openssl x509 -in pki/issued/dc01.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/dc01.crt
openssl x509 -in pki/issued/dc02.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/dc02.crt
openssl x509 -in pki/issued/mail.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/mail.crt
openssl x509 -in pki/issued/srv01.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/srv01.crt
openssl x509 -in pki/issued/srv02.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/srv02.crt

 

Transfer certificates

 

scp pki/ca.crt pki/issued/dc01.crt pki/private/dc01.key dc01:
scp pki/ca.crt pki/issued/dc02.crt pki/private/dc02.key dc02:
scp pki/ca.crt pki/issued/mail.crt pki/private/mail.key mail:
scp pki/ca.crt pki/issued/srv01.crt pki/private/srv01.key srv01:
scp pki/ca.crt pki/issued/srv02.crt pki/private/srv02.key srv02:

Emir Tucek