CA server with Easy-RSA
Install server
We use the certificate server to create certificates and enable secure connection between all our servers and services. We do not need large resources for CA server. I choose 1Gb RAM, a CPU and 10Gb hard disk but we can run it on 512Mb RAM and 3Gb HD.
sudo virt-install --virt-type kvm --name ca \
--location \
deb.debian.org/debian/dists/bullseye/main/installer-amd64/ \
--memory 1024 \
--vcpus 1 \
--disk pool=vmdisks,size=10,format=qcow2 \
--network bridge=br0 \
--hvm \
--graphics none \
--console pty,target_type=serial \
--extra-args "console=ttyS0"
Set Up and Configure a Certificate Authority (CA)
Easy-RSA is a Certificate Authority management tool that you will use to generate a private key and public root certificate, which you will then use to sign requests from clients and servers that will rely on your CA.
Installing Easy-RSA
Becouse Easy-RSA is just bunch of script and not application I will download and unpack archive:
sudo apt update
sudo apt install easy-rsa
At this point you have everything you need set up and ready to use Easy-RSA. In the next step you will create a Public Key Infrastructure, and then start building your Certificate Authority.
Preparing a Public Key Infrastructure Directory
Non root user should manage and interact with the CA without elevated privileges.
sudo mkdir /srv/easy-rsa
sudo chown -R emir:emir /srv/easy-rsa
sudo chmod 700 /srv/easy-rsa
ln -s /usr/share/easy-rsa/* /srv/easy-rsa/
cd /srv/easy-rsa
./easyrsa clean-all
touch pki/.rand
touch pki/index.txt
Creating a Certificate Authority
Before you can create your CA’s private key and certificate, you need to create and populate a file called vars with some default values. First you will cd into the easy-rsa/pki directory, then you will create and edit the vars file with vim or your preferred text editor:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "BA"
set_var EASYRSA_REQ_PROVINCE "Province"
set_var EASYRSA_REQ_CITY "Citu"
set_var EASYRSA_REQ_ORG "Organisation"
set_var EASYRSA_REQ_EMAIL "administrator@yourdomain.com"
set_var EASYRSA_REQ_OU "Organisations unit"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 10950
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_CERT_RENEW 30
set_var EASYRSA_RAND_SN "yes"
set_var EASYRSA_NS_COMMENT "Your Organisation Certificate"
set_var EASYRSA_DIGEST "sha512"
To create the root public and private key pair for your Certificate Authority, run the ./easy-rsa command again, this time with the build-ca option:
./easyrsa build-ca
sudo cp pki/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Using Easy-RSA to generate keypairs & requests
Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This request is what a CA needs in order to generate and return a signed certificate.
Ideally you should never generate entity keypairs for a client or server in a PKI you are using for your CA. It is best to separate this process and generate keypairs only on the systems you plan to use them.
Create server certificate
./easyrsa gen-req dc01 nopass
./easyrsa sign-req server dc01
./easyrsa gen-req dc02 nopass
./easyrsa sign-req server dc02
./easyrsa gen-req mail nopass
./easyrsa sign-req server mail
./easyrsa gen-req srv01 nopass
./easyrsa sign-req server srv01
./easyrsa gen-req srv02 nopass
./easyrsa sign-req server srv02
Check certificate
openssl x509 -in pki/issued/dc01.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/dc01.crt
openssl x509 -in pki/issued/dc02.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/dc02.crt
openssl x509 -in pki/issued/mail.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/mail.crt
openssl x509 -in pki/issued/srv01.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/srv01.crt
openssl x509 -in pki/issued/srv02.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/srv02.crt
Transfer certificates
scp pki/ca.crt pki/issued/dc01.crt pki/private/dc01.key dc01:
scp pki/ca.crt pki/issued/dc02.crt pki/private/dc02.key dc02:
scp pki/ca.crt pki/issued/mail.crt pki/private/mail.key mail:
scp pki/ca.crt pki/issued/srv01.crt pki/private/srv01.key srv01:
scp pki/ca.crt pki/issued/srv02.crt pki/private/srv02.key srv02: