We use the certificate server to create certificates and enable secure connections between all our servers and services. The CA server does not need large resources. I chose 1 GB RAM, one CPU and a 10 GB hard disk, but it can also run on 512 MB RAM and a 3 GB disk.
sudo virt-install --virt-type kvm --name ca \
--location \
https://deb.debian.org/debian/dists/bullseye/main/installer-amd64/ \
--memory 1024 \
--vcpus 1 \
--disk pool=vmdisks,size=10,format=qcow2 \
--network bridge=br0 \
--hvm \
--graphics none \
--console pty,target_type=serial \
--extra-args "console=ttyS0"
Configure Debian
Edit /etc/network/interfaces with nano and set a static IP address:
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug ens2
iface ens2 inet static
address 10.115.100.3/24
gateway 10.115.100.1
sudo nano /etc/resolv.conf
search yourdomain.com
nameserver 1.1.1.1
Set the system language to English to make it easier to find problems in the logs:
apt install locales-all
localectl set-locale LANG=en_US.utf8
localectl status
Update Debian and install the necessary administration tools
apt update
apt install wget sudo screen nmap telnet tcpdump rsync net-tools dnsutils htop \
apt-transport-https vim gnupg lsb-release
Create /etc/sudoers.d/10-nopasswd with nano and add:
%emir ALL=(ALL) NOPASSWD: ALL
Configure VIM
Open /etc/vim/vimrc with nano and replace all its contents with:
runtime! debian.vim
syntax on
set background=dark
au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
filetype plugin indent on
set encoding=utf-8
set nobackup
set nowritebackup
set showcmd
set updatetime=300
set showmatch
set ignorecase
set smartcase
set incsearch
set tabstop=2
set softtabstop=2
set shiftwidth=2
set expandtab
if filereadable("/etc/vim/vimrc.local")
source /etc/vim/vimrc.local
endif
Create the user's vim config file ~/.vimrc with nano and add:
set mouse=
set nocompatible
set cursorline
set nocursorcolumn
set nowrap
set showmode
set hlsearch
set wildmenu
set wildmode=list:longest
set wildignore=*.docx,*.jpg,*.png,*.gif,*.pdf,*.pyc,*.exe,*.flv,*.img,*.xlsx
From now on we will use vim instead of nano.
Set Up and Configure a Certificate Authority (CA)
Easy-RSA is a Certificate Authority management tool that you will use to generate a private key and public root certificate, which you will then use to sign requests from clients and servers that will rely on your CA.
Installing Easy-RSA
Because Easy-RSA is just a bunch of scripts and not an application, I will download and unpack the archive:
sudo apt update
sudo apt install easy-rsa
At this point you have everything you need set up and ready to use Easy-RSA. In the next step you will create a Public Key Infrastructure, and then start building your Certificate Authority.
Preparing a Public Key Infrastructure Directory
A non-root user should manage and interact with the CA without elevated privileges.
sudo mkdir /srv/easy-rsa
sudo chown -R emir:emir /srv/easy-rsa
sudo chmod 700 /srv/easy-rsa
ln -s /usr/share/easy-rsa/* /srv/easy-rsa/
cd /srv/easy-rsa
./easyrsa clean-all
touch pki/.rand
touch pki/index.txt
Creating a Certificate Authority
Before you can create your CA's private key and certificate, you need to create and populate a file called vars with some default values. First cd into the easy-rsa/pki directory, then create and edit the vars file with vim or your preferred text editor:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "BA"
set_var EASYRSA_REQ_PROVINCE "Province"
set_var EASYRSA_REQ_CITY "Citu"
set_var EASYRSA_REQ_ORG "Organisation"
set_var EASYRSA_REQ_EMAIL "administrator@yourdomain.com"
set_var EASYRSA_REQ_OU "Organisations unit"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 10950
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_CERT_RENEW 30
set_var EASYRSA_RAND_SN "yes"
set_var EASYRSA_NS_COMMENT "Your Organisation Certificate"
set_var EASYRSA_DIGEST "sha512"
To create the root public and private key pair for your Certificate Authority, run the ./easyrsa command again, this time with the build-ca option:
./easyrsa build-ca
sudo cp pki/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Using Easy-RSA to generate keypairs & requests
Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This request is what a CA needs in order to generate and return a signed certificate.
Ideally you should never generate entity keypairs for a client or server inside the PKI you are using for your CA. It is best to separate this process and generate keypairs only on the systems where you plan to use them.
Create server certificate
./easyrsa gen-req dc01 nopass
./easyrsa sign-req server dc01
./easyrsa gen-req dc02 nopass
./easyrsa sign-req server dc02
./easyrsa gen-req mail nopass
./easyrsa sign-req server mail
./easyrsa gen-req srv01 nopass
./easyrsa sign-req server srv01
./easyrsa gen-req srv02 nopass
./easyrsa sign-req server srv02
Check certificates
openssl x509 -in pki/issued/dc01.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/dc01.crt
openssl x509 -in pki/issued/dc02.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/dc02.crt
openssl x509 -in pki/issued/mail.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/mail.crt
openssl x509 -in pki/issued/srv01.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/srv01.crt
openssl x509 -in pki/issued/srv02.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/srv02.crt
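The following script is an added example, not code from the original page or from the Easy-RSA project. It uses plain openssl to stand in for the three Easy-RSA steps described above (build-ca on the CA, gen-req on the server so the private key never leaves that host, sign-req back on the CA) and then runs the checks an operator wants before copying a certificate out, going beyond the plain `openssl verify` above: chain verification with `-purpose sslserver` (so a wrong extendedKeyUsage is caught), a key-to-certificate match, and the same 30-day expiry window that EASYRSA_CERT_RENEW sets in the vars file. The host names dc01 and mail and the domain yourdomain.com are taken from the page; the demo CA, the $WORK scratch directory (standing in for /srv/easy-rsa/pki), the SKIP_DEMO variable and all file names are constructed for this script.

```shell
#!/bin/sh
# Added example, not from the original page or the Easy-RSA project. Plain
# openssl stands in for "./easyrsa build-ca", "gen-req <name> nopass" and
# "sign-req server <name>"; every name, path and the demo CA is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch PKI, stands in for /srv/easy-rsa/pki
CNF="$WORK/openssl.cnf"

# Minimal request config so the script does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1 (CA side): throwaway root, comparable to "./easyrsa build-ca".
make_demo_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha512 -days 3650 \
    -config "$CNF" -extensions ca_ext -subj "/C=BA/O=Organisation/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2 (server side): the key stays on the host; only the CSR travels to the CA.
# -nodes gives an unencrypted key, the equivalent of "gen-req <name> nopass".
gen_server_request() {
  openssl req -new -newkey rsa:2048 -nodes -sha512 -config "$CNF" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.req" 2>/dev/null
}

# Step 3 (CA side): sign the CSR as a *server* certificate. The extensions mirror
# what Easy-RSA's "server" type applies; the SAN is what TLS clients match on.
sign_server_request() {
  printf '%s\n' \
    "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" \
    "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid" \
    "subjectAltName=DNS:$1,DNS:$1.yourdomain.com" > "$WORK/$1.ext"
  openssl x509 -req -sha512 -days 3650 -in "$WORK/$1.req" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Checks. Each returns non-zero on failure so they can gate a deployment.
chain_ok() {          # chain AND server purpose (EKU/keyUsage), not just the signature
  openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
key_matches_cert() {  # same SubjectPublicKeyInfo in the key file and the certificate
  _k=$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null | openssl dgst -sha256)
  _c=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl dgst -sha256)
  [ -n "$_k" ] && [ "$_k" = "$_c" ]
}
not_expiring_soon() { # same 30-day window as EASYRSA_CERT_RENEW in the vars file
  openssl x509 -in "$WORK/$1.crt" -noout -checkend $((30 * 86400)) >/dev/null
}
cert_subject() {      # e.g. "CN=dc01"
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
check_cert() {
  chain_ok "$1" && key_matches_cert "$1" && not_expiring_soon "$1"
}

demo() {
  make_demo_ca
  for host in dc01 mail; do
    gen_server_request "$host"
    sign_server_request "$host"
    if check_cert "$host"; then
      echo "$host: $(cert_subject "$host") passed all checks, ready to copy to $host"
    else
      echo "$host: FAILED checks, do not deploy" >&2
    fi
  done
}

[ "${SKIP_DEMO:-0}" = 1 ] || demo
```

In a real deployment the server-side step runs on dc01 or mail itself and only the .req file is copied to the CA, which is what keeps the private key off the CA host; the key-match check then protects against the classic mistake of shipping a certificate together with a key from a different request.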
Transfer certificates
scp pki/ca.crt pki/issued/dc01.crt pki/private/dc01.key dc01:
scp pki/ca.crt pki/issued/dc02.crt pki/private/dc02.key dc02:
scp pki/ca.crt pki/issued/mail.crt pki/private/mail.key mail:
scp pki/ca.crt pki/issued/srv01.crt pki/private/srv01.key srv01:
scp pki/ca.crt pki/issued/srv02.crt pki/private/srv02.key srv02: