(3 intermediate revisions by the same user not shown) | |||
Line 32: | Line 32: | ||
*** Path length: 2 (or greater depending on how many levels of Subordinate CA's you plan to implement). | *** Path length: 2 (or greater depending on how many levels of Subordinate CA's you plan to implement). | ||
*** Set the Validity period to something reasonable: 10 to 20 years is typical. | *** Set the Validity period to something reasonable: 10 to 20 years is typical. | ||
− | *** CRL distribution point: | + | *** CRL distribution point: Leave this blank |
** Key Usage Tab: 'Certificate Sign' and 'CRL Sign' should be highlighted (at minimum). | ** Key Usage Tab: 'Certificate Sign' and 'CRL Sign' should be highlighted (at minimum). | ||
** Click 'OK' to create the Root Certificate. | ** Click 'OK' to create the Root Certificate. | ||
− | + | ||
− | + | Export the Root Cert to a USB Drive, and add it to the Subordinate CA's Trusted Root Authorities Certificate Store. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
Line 58: | Line 48: | ||
** Path length: 0 (or greater depending on how many down stream Issuing CAs you plan to have). | ** Path length: 0 (or greater depending on how many down stream Issuing CAs you plan to have). | ||
** Validity: Set the Issuing CA time range to something reasonable like half the life of the Root CA (5yrs). | ** Validity: Set the Issuing CA time range to something reasonable like half the life of the Root CA (5yrs). | ||
+ | ** CRL distribution point: URI:http://pki.yourdomain.com/your.crl (comma separated for multiple URIs) | ||
* Click 'OK' | * Click 'OK' | ||
+ | |||
+ | == Create CRLs == | ||
+ | * Create the CRL | ||
+ | ** Certificates Tab | ||
+ | *** Right Click the Root Cert, click 'CA', click 'Generate CRL' | ||
+ | *** Specify the last and next updates, and set the validity period. 6mo ~ 1yr is probably reasonable. Keep in mind that this will determine how often you have to turn on your Offline CA and publish a new CRL. | ||
+ | *** Hashing algorithm: SHA256 (minimum) | ||
+ | *** Click 'OK' | ||
+ | ** Export the CRL | ||
+ | *** Revocation lists Tab | ||
+ | *** Select the CRL you just created and click 'Export' | ||
+ | *** Filename should match the CRL URI you used when signing the SubCA Cert. In this example it was ''your.crl'' | ||
+ | *** Export Format: PEM | ||
+ | *** Click 'OK' | ||
+ | |||
+ | Copy the CRL to the USB Drive, then copy the CRL to the web server you specified in the CDP URI (http://pki.yourdomain.com/your.crl). This needs to be reachable by the ADCS SubCA prior to installing the Signed SubCA Certificate. | ||
+ | Shutdown the Offline CA and store it in a secure location. Optionally create an encrypted USB Drive and copy the XCA database to it and store it in a secure off-site location (gotta have backups). | ||
+ | |||
+ | |||
+ | == Install the Subordinate CA Cert == | ||
+ | Export the Subordinate Certs to the USB Drive and Import them into the ADCS SubCAs | ||
+ | * Certificate Authority MMC Snap-in | ||
+ | ** Select the CA Node, Right Click and select 'Install Certificate' | ||
== Security == | == Security == | ||
Take precautions to secure your Root CA's operating system. | Take precautions to secure your Root CA's operating system. | ||
− | + | # Perform a minimal GUI install. (GUI only because of XCA, I suggest installing just X11 and a lightweight Window Manager like OpenBox) | |
− | + | # Use strong passwords | |
− | + | # Don't install SSH. Remove it if OpenSSH-Server is installed by default. | |
− | + | # Disable Networking after OS and XCA installation (optionally removing network kernel modules/drivers so it can't be easily re-enabled). | |
− | + | # Create an encrypted volume to store your Keys and the XCA database. | |
− | + | # Transfer CSR and CRL files using a USB drive. | |
Latest revision as of 22:00, 3 March 2017
Contents
Overview
General best practices suggest using an offline Root CA for security. This makes sense, but the challenge I always have it why waste a Windows Server license for a host that will be offline 99% of the time. This article describes how to use a free open source alternative for your Root CA. Keep in mind that only the Root CA will be Linux based, the Issuing/Subordinate Certificate Authorities will be running ADCS.
Linux/BSD
Linux is a free open source operating system (ya I know Linux is actually just the kernel). It provides a very robust and solid platform for this task. Case in point most Internet facing Certificate Authorities are likely running on Linux or a BSD derivative.
Distribution selection is entirely up to you, and most of what I put in this article will apply to BSD based OSes also. In this example I will use Debian, but FreeBSD is an equally capable.
XCA
I find Certificate Management a real pain, so I will be using XCA. XCA is a GUI frontend for certificate management. You can quickly create keys, self signed certs, and CRLs with just a few clicks of a button.
Installation
apt-get install xca
or
pkg install xca
Configuration
- Create a Key
- Private Keys Tab -> 'New Key'
- Name: YourDomain-RootCA (Something that makes sense)
- Keytype: RSA (or your preferred encryption algorithm)
- Keysize: 2048 (minimum)
- Create a self signed certificate
- Certificates Tab -> 'New Certificate'
- Select your desired 'Signature algorithm' = SHA256 (minimum)
- Select the '[default] CA' template and click 'Apply all'
- Subject Tab -> fill in all the fields and make sure the Private Key you created is selected at the bottom.
- Extensions Tab
- Type: Certificate Authority
- Path length: 2 (or greater depending on how many levels of Subordinate CA's you plan to implement).
- Set the Validity period to something reasonable: 10 to 20 years is typical.
- CRL distribution point: Leave this blank
- Key Usage Tab: 'Certificate Sign' and 'CRL Sign' should be highlighted (at minimum).
- Click 'OK' to create the Root Certificate.
Export the Root Cert to a USB Drive, and add it to the Subordinate CA's Trusted Root Authorities Certificate Store.
Sign Subordinate CSRs
Setup ADCS on your designated Issuing CA hosts. Export CSR files to a USB Drive. Plug the USB drive into the Offline Root, then sign the CSR in XCA
- Certificate signing requests Tab
- Click Import, open the CSR on the USB Drive
- Highlight the imported CSR, Right click and select 'Sign'
- Extensions Tab
- Path length: 0 (or greater depending on how many down stream Issuing CAs you plan to have).
- Validity: Set the Issuing CA time range to something reasonable like half the life of the Root CA (5yrs).
- CRL distribution point: URI:http://pki.yourdomain.com/your.crl (comma separated for multiple URIs)
- Click 'OK'
Create CRLs
- Create the CRL
- Certificates Tab
- Right Click the Root Cert, click 'CA', click 'Generate CRL'
- Specify the last and next updates, and set the validity period. 6mo ~ 1yr is probably reasonable. Keep in mind that this will determine how often you have to turn on your Offline CA and publish a new CRL.
- Hashing algorithm: SHA256 (minimum)
- Click 'OK'
- Export the CRL
- Revocation lists Tab
- Select the CRL you just created and click 'Export'
- Filename should match the CRL URI you used when signing the SubCA Cert. In this example it was your.crl
- Export Format: PEM
- Click 'OK'
- Certificates Tab
Copy the CRL to the USB Drive, then copy the CRL to the web server you specified in the CDP URI (http://pki.yourdomain.com/your.crl). This needs to be reachable by the ADCS SubCA prior to installing the Signed SubCA Certificate. Shutdown the Offline CA and store it in a secure location. Optionally create an encrypted USB Drive and copy the XCA database to it and store it in a secure off-site location (gotta have backups).
Install the Subordinate CA Cert
Export the Subordinate Certs to the USB Drive and Import them into the ADCS SubCAs
- Certificate Authority MMC Snap-in
- Select the CA Node, Right Click and select 'Install Certificate'
Security
Take precautions to secure your Root CA's operating system.
- Perform a minimal GUI install. (GUI only because of XCA, I suggest installing just X11 and a lightweight Window Manager like OpenBox)
- Use strong passwords
- Don't install SSH. Remove it if OpenSSH-Server is installed by default.
- Disable Networking after OS and XCA installation (optionally removing network kernel modules/drivers so it can't be easily re-enabled).
- Create an encrypted volume to store your Keys and the XCA database.
- Transfer CSR and CRL files using a USB drive.
Reference
http://www.mbse.eu/linux/homeserver/essential/certificatesxca/