From LedHed's Wiki
Jump to: navigation, search
(Created page with "== Overview == General best practices suggest using an offline Root CA for security. This makes sense, but the challenge I always have it why waste a Windows Server license f...")
(No difference)

Revision as of 22:23, 2 March 2017

Overview

General best practices suggest using an offline Root CA for security. This makes sense, but the challenge I always have it why waste a Windows Server license for a host that will be offline 99% of the time. This article describes how to use a free open source alternative for your Root CA. Keep in mind that only the Root CA will be Linux based, the Issuing/Subordinate Certificate Authorities will be running ADCS.


Linux/BSD

Linux is a free open source operating system (ya I know Linux is actually just the kernel). It provides a very robust and solid platform for this task. Case in point most Internet facing Certificate Authorities are likely running on Linux or a BSD derivative.

Distribution selection is entirely up to you, and most of what I put in this article will apply to BSD based OSes also. In this example I will use Debian, but FreeBSD is an equally capable.


XCA

I find Certificate Management a real pain, so I will be using XCA. XCA is a GUI frontend for certificate management. You can quickly create keys, self signed certs, and CRLs with just a few clicks of a button.

Installation

apt-get install xca

or

pkg install xca

Configuration

  • Create a Key
    • Private Keys Tab -> 'New Key'
  • Create a self signed certificate
    • Certificates Tab -> 'New Certificate'
    • Select your desired 'Signature algorithm' = SHA256 (or higher)
    • Select the '[default] CA' template and click 'Apply all'
    • Subject Tab -> fill in all the fields and make sure the Private Key you created is selected at the bottom.
    • Extensions Tab
      • Type: Certificate Authority
      • Path length: 2 (or 3+ depending on how many levels of Subordinate CA's you plan to implement).
      • Set the Validity period to something reasonable: 10 to 20 years is typical.
      • CRL distribution point: URI:http://pki.yourdomain.com/your.crl (comma separated for multiple URIs)
    • Key Usage Tab: 'Certificate Sign' and 'CRL Sign' should be highlighted (at minimum).
    • Click 'OK' to create the Root Certificate.
  • Create the CRL
    • Certificates Tab
      • Right Click the cert you just created, click 'CA', click 'Generate CRL'
      • Specify the last and next updates, and set the validity period. 6mo ~ 1yr is probably reasonable. Keep in mind that this will determine how often you have to turn on your Offline CA and publish a new CRL.
      • Hashing algorithm: SHA256 (or higher)
      • Click 'OK'
    • Export the CRL
      • Revocation lists Tab
      • Select the CRL you just created and click 'Export'
      • Filename should match the CRL URI you used when creating the Root Cert. In this example it was your.crl
      • Export Format: PEM
      • Click 'OK'


Security

Take precautions to secure your Root CA's operating system. 1) Perform a minimal GUI install. 2) Use strong passwords 3) Don't install SSH. Remove it if OpenSSH-Server is installed by default. 4) Disable Networking after OS and XCA installation (optionally removing network kernel modules/drivers so it can't be easily re-enabled). 5) Create an encrypted volume to store your Keys and the XCA database. 6) Transfer CSR and CRL files using a USB drive.


Reference

http://www.mbse.eu/linux/homeserver/essential/certificatesxca/

http://xca.sourceforge.net/

https://sourceforge.net/projects/xca/