From LedHed's Wiki
Latest revision as of 22:00, 3 March 2017

Overview

General best practices suggest using an offline Root CA for security. This makes sense, but the challenge I always have is why waste a Windows Server license on a host that will be offline 99% of the time. This article describes how to use a free open source alternative for your Root CA. Keep in mind that only the Root CA will be Linux based; the Issuing/Subordinate Certificate Authorities will be running ADCS (Active Directory Certificate Services).


Linux/BSD

Linux is a free open source operating system (yes, I know Linux is actually just the kernel). It provides a very robust and solid platform for this task. Case in point: most Internet-facing Certificate Authorities are likely running on Linux or a BSD derivative.

Distribution selection is entirely up to you, and most of what I put in this article will apply to BSD based OSes also. In this example I will use Debian, but FreeBSD is equally capable.


XCA

I find Certificate Management a real pain, so I will be using XCA. XCA is a GUI frontend for certificate management built on OpenSSL. It keeps keys, certificates, CSRs and CRLs in a single database file (the private keys in it are encrypted with the database password), and you can quickly create keys, self signed certs, and CRLs with just a few clicks of a button.

Installation

Debian (as root):

apt-get install xca

or, on FreeBSD:

pkg install xca

Configuration

  • Create a Key
    • Private Keys Tab -> 'New Key'
    • Name: YourDomain-RootCA (Something that makes sense)
    • Keytype: RSA (or your preferred key algorithm; this key is only ever used for signing, never for encryption)
    • Keysize: 2048 (minimum; 4096 is the better choice for a root that has to stay trustworthy for 10 to 20 years)
  • Create a self signed certificate
    • Certificates Tab -> 'New Certificate'
    • Select your desired 'Signature algorithm' = SHA256 (minimum; SHA1-signed CA certificates are rejected by current clients)
    • Select the '[default] CA' template and click 'Apply all'
    • Subject Tab -> fill in all the fields and make sure the Private Key you created is selected at the bottom.
    • Extensions Tab
      • Type: Certificate Authority
      • Path length: 2 (this is the number of CA levels allowed below the root: 1 is enough for a two-tier Root -> Issuing CA hierarchy, 2 allows one more tier of intermediate CAs between them, and so on for deeper hierarchies).
      • Set the Validity period to something reasonable: 10 to 20 years is typical. Every certificate issued below the root must expire before the root does, so this bounds the whole hierarchy.
      • CRL distribution point: Leave this blank. The root is the trust anchor, so nothing can check it for revocation; a CDP on the root certificate serves no purpose.
    • Key Usage Tab: 'Certificate Sign' and 'CRL Sign' should be highlighted (at minimum) and the extension marked critical. Do not add Digital Signature or Key Encipherment: the root key should do nothing but sign certificates and CRLs.
    • Click 'OK' to create the Root Certificate.

Export the Root Cert (the certificate only, never the private key) to a USB Drive, and add it to the Subordinate CA's Trusted Root Certification Authorities store. In a domain, also publish it once so every member trusts it: certutil -dspublish -f RootCA.cer RootCA (run by an Enterprise Admin from any domain-joined machine).


Sign Subordinate CSRs

Set up ADCS on your designated Issuing CA hosts as a Subordinate CA; because the parent CA is not reachable, the role installation wizard writes a CSR (.req file, in the root of the system drive by default) instead of requesting a certificate online. Export the CSR files to a USB Drive. Plug the USB drive into the Offline Root, then sign the CSR in XCA.

  • Certificate signing requests Tab
  • Click Import, open the CSR on the USB Drive
  • Highlight the imported CSR, Right click and select 'Sign'
    • Make sure the Root certificate is selected as the signing CA and the '[default] CA' template is applied, otherwise the result is an end-entity certificate and the Issuing CA will not be able to issue anything.
    • Extensions Tab
    • Type: Certificate Authority
    • Path length: 0 (the Issuing CA may then only issue end-entity certificates; raise it only if further CAs will hang below it, and keep it smaller than the Root's path length).
    • Validity: Set the Issuing CA time range to something reasonable like half the life of the Root CA (5yrs). ADCS never issues a certificate that outlives the CA's own certificate, so give the Issuing CA at least twice the lifetime of the longest certificate it will issue.
    • CRL distribution point: URI:http://pki.yourdomain.com/your.crl (comma separated for multiple URIs). This is where the SubCA and every client will look for the Root's CRL, so the host name must resolve and be reachable over plain HTTP (not HTTPS, which would need its own revocation check) from everywhere the certificates are used.
  • Click 'OK'


Create CRLs

  • Create the CRL
    • Certificates Tab
      • Right Click the Root Cert, click 'CA', click 'Generate CRL'
      • Specify the last and next updates, and set the validity period. 6mo ~ 1yr is probably reasonable. Keep in mind that this will determine how often you have to turn on your Offline CA and publish a new CRL: once 'Next update' has passed, clients fail revocation checking for the Issuing CA and the ADCS service itself refuses to start, so calendar the renewal a few weeks ahead of that date.
      • Hashing algorithm: SHA256 (minimum)
      • Click 'OK'
    • Export the CRL
      • Revocation lists Tab
      • Select the CRL you just created and click 'Export'
      • Filename should match the CRL URI you used when signing the SubCA Cert. In this example it was your.crl
      • Export Format: PEM
      • Click 'OK'

Copy the CRL to the USB Drive, then copy the CRL to the web server you specified in the CDP URI (http://pki.yourdomain.com/your.crl). This needs to be reachable by the ADCS SubCA prior to installing the Signed SubCA Certificate; fetching the URL in a browser from the SubCA host is a quick sanity check.

Shut down the Offline CA and store it in a secure location. Optionally create an encrypted USB Drive, copy the XCA database to it and store it in a secure off-site location (gotta have backups). XCA protects the private keys in that database with the database password, so keep the password somewhere other than with the drive.
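The whole root-side procedure above (root key and self-signed certificate, signing the SubCA CSR, generating and exporting the CRL) as a runnable added example using the openssl command line instead of the XCA GUI. It is not code from the wiki page or from the XCA project; it is here so the extension values can be checked mechanically and the chain tested against the CRL before anything is carried over to the ADCS host. http://pki.yourdomain.com/your.crl is the page's placeholder; the CA names, file names, key sizes and the 180-day CRL lifetime are this example's assumptions, and the SubCA key and CSR are generated locally to stand in for the .req file ADCS produces.

```shell
#!/bin/sh
# Added example, not from the wiki page: the same two-tier hierarchy built with
# the openssl CLI so the XCA settings can be checked mechanically and the chain
# verified against the root CRL before anything is imported into ADCS.
# pki.yourdomain.com / your.crl are the page's placeholders; all other names,
# key sizes and lifetimes are assumptions of this example.
set -eu

CDP_URI="http://pki.yourdomain.com/your.crl"

# Root key + self-signed root cert, mirroring the XCA settings: CA:TRUE with a
# path length, keyCertSign + cRLSign (critical), SHA-256, 20 years, and no CDP.
# Also writes the minimal 'openssl ca' database that XCA keeps in its own file.
make_root() {
    d=$1
    mkdir -p "$d/newcerts"
    cat >"$d/root.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = root_ext
[dn]
O = YourDomain
CN = YourDomain-RootCA
[root_ext]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$d/root.key" 4096 2>/dev/null
    openssl req -new -x509 -sha256 -days 7300 -config "$d/root.cnf" \
        -key "$d/root.key" -out "$d/root.crt"
    : >"$d/index.txt"
    echo 1000 >"$d/serial"
    echo 1000 >"$d/crlnumber"
    cat >"$d/ca.cnf" <<EOF
[ca]
default_ca = root_ca
[root_ca]
database         = $d/index.txt
new_certs_dir    = $d/newcerts
serial           = $d/serial
crlnumber        = $d/crlnumber
certificate      = $d/root.crt
private_key      = $d/root.key
default_md       = sha256
default_days     = 1826
default_crl_days = 180
unique_subject   = no
policy           = sub_policy
[sub_policy]
organizationName = optional
commonName       = supplied
[sub_ext]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints  = URI:$CDP_URI
EOF
}

# Stand-in for the .req file ADCS writes when the Subordinate CA role is set up.
make_issuing_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/root.cnf" \
        -subj "/O=YourDomain/CN=YourDomain-IssuingCA1" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
}

# 'Sign' in XCA: 5 years, pathlen 0, CDP pointing at the root's published CRL.
sign_issuing_csr() {
    openssl ca -batch -config "$1/ca.cnf" -extensions sub_ext -notext \
        -in "$1/sub.csr" -out "$1/sub.crt" 2>/dev/null
}

# 'Generate CRL' + export as PEM; this file is what gets copied to the CDP host.
publish_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/your.crl" 2>/dev/null
}

# What a later signing session does if an Issuing CA has to be pulled.
revoke_issuing_ca() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/sub.crt" \
        -crl_reason cessationOfOperation 2>/dev/null
    publish_crl "$1"
}

build_pki() {
    make_root "$1"; make_issuing_csr "$1"; sign_issuing_csr "$1"; publish_crl "$1"
}

# Returns 0 only if the extensions came out as the page specifies.
check_extensions() {
    root_txt=$(openssl x509 -in "$1/root.crt" -noout -text)
    sub_txt=$(openssl x509 -in "$1/sub.crt" -noout -text)
    echo "$root_txt" | grep -q 'CA:TRUE, pathlen:1' || return 1
    echo "$root_txt" | grep -q 'CRL Distribution Points' && return 1   # root has no CDP
    echo "$sub_txt" | grep -q 'CA:TRUE, pathlen:0' || return 1
    echo "$sub_txt" | grep -q 'Certificate Sign, CRL Sign' || return 1
    echo "$sub_txt" | grep -q "URI:$CDP_URI"
}

# Returns 0 only if sub.crt chains to root.crt and is absent from the current CRL.
chain_status() {
    openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/your.crl" "$1/sub.crt"
}

main() {
    d=$(mktemp -d)
    build_pki "$d"
    check_extensions "$d" && echo "extensions match the page's settings"
    chain_status "$d"
    revoke_issuing_ca "$d"
    chain_status "$d" || echo "revoked Issuing CA is now rejected, as intended"
}
main
```

The verify step is the one to keep: run it against the exported files before the CRL goes on the web server, because an Issuing CA certificate with a wrong path length or a CDP that does not match the published file name is only discovered once ADCS refuses to start.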


Install the Subordinate CA Cert

Export the Subordinate Certs to the USB Drive and Import them into the ADCS SubCAs. Before installing, run certutil -verify -urlfetch on the signed certificate from the SubCA host: it must build a chain to the Root you imported earlier and fetch the CRL from the CDP without error, otherwise the CA service will not start.

  • Certificate Authority MMC Snap-in
    • Select the CA Node, Right Click and select 'Install Certificate'


Security

Take precautions to secure your Root CA's operating system.

  1. Perform a minimal GUI install. (GUI only because of XCA, I suggest installing just X11 and a lightweight Window Manager like OpenBox)
  2. Use strong passwords for the OS accounts, the encrypted volume and the XCA database; the database password is what protects the Root private key at rest.
  3. Don't install SSH. Remove it if OpenSSH-Server is installed by default.
  4. Disable Networking after OS and XCA installation (optionally removing network kernel modules/drivers so it can't be easily re-enabled). Disable Wi-Fi and Bluetooth in the firmware as well where the hardware has them.
  5. Create an encrypted volume (LUKS on Debian, GELI on FreeBSD) to store your Keys and the XCA database.
  6. Transfer CSR, certificate and CRL files using a USB drive, and dedicate that drive to the Root CA only.
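A pre-flight check for items 3 to 5, as an added example that is not from the wiki page: run it on the offline root (sh preflight.sh --live) before unlocking the XCA database, and abort the signing session if anything fails. The parsers take their input as text so they can be exercised against the constructed samples in the script; /srv/rootca as the database location is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the wiki page: gate the signing session on the state
# the Security list asks for. /srv/rootca is this example's assumed location
# for the XCA database; the sample command outputs below are constructed.
set -u

XCA_DB_DIR=/srv/rootca

# Item 4: in 'ip -o link show' output only loopback may carry the bare UP flag
# (LOWER_UP is a different flag, hence the split on < > and commas).
interfaces_down() {
    printf '%s\n' "$1" | awk '
        NF >= 3 { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
                  n = split($3, f, /[<>,]/)
                  for (i = 1; i <= n; i++) if (f[i] == "UP" && name != "lo") bad++ }
        END { exit (bad > 0) }'
}

# Item 3 (and anything else that opened a port): 'ss -Hltn' must print nothing.
no_tcp_listeners() {
    [ -z "$(printf '%s' "$1" | sed '/^[[:space:]]*$/d')" ]
}

# Item 5: 'findmnt -n -o SOURCE --target <dir>' must name a device-mapper node.
# LVM volumes also live under /dev/mapper, so main() confirms with cryptsetup.
on_mapper_device() {
    case "$1" in /dev/mapper/?*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples, in the shape the live commands print.
SAMPLE_LINKS_DOWN='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN'
SAMPLE_LINKS_UP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'
SAMPLE_SSHD_LISTENING='LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

main() {
    rc=0
    interfaces_down "$(ip -o link show 2>/dev/null)" \
        || { echo "FAIL: a network interface is UP"; rc=1; }
    no_tcp_listeners "$(ss -Hltn 2>/dev/null)" \
        || { echo "FAIL: something is listening on TCP"; rc=1; }
    command -v sshd >/dev/null 2>&1 \
        && { echo "FAIL: sshd is installed"; rc=1; }
    src=$(findmnt -n -o SOURCE --target "$XCA_DB_DIR" 2>/dev/null)
    on_mapper_device "$src" && cryptsetup status "${src#/dev/mapper/}" >/dev/null 2>&1 \
        || { echo "FAIL: $XCA_DB_DIR is not on a dm-crypt volume"; rc=1; }
    [ "$rc" -eq 0 ] && echo "preflight OK: safe to unlock the XCA database"
    return "$rc"
}

case "${1:-}" in --live) main ;; esac
```

The UP/LOWER_UP distinction matters: an interface that is administratively up but has no cable still accepts a cable, which is exactly the state item 4 is meant to rule out.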


Reference

http://www.mbse.eu/linux/homeserver/essential/certificatesxca/

http://xca.sourceforge.net/

https://sourceforge.net/projects/xca/