From LedHed's Wiki
Jump to: navigation, search
(Created page with "== Overview == General best practices suggest using an offline Root CA for security. This makes sense, but the challenge I always have it why waste a Windows Server license f...")
 
Line 20: Line 20:
 
* Create a Key
 
* Create a Key
 
** Private Keys Tab -> 'New Key'
 
** Private Keys Tab -> 'New Key'
 +
** Name:  YourDomain-RootCA (Something that makes sense)
 +
** Keytype: RSA (or your preferred encryption algorithm)
 +
** Keysize: 2048 (minimum)
 
* Create a self signed certificate
 
* Create a self signed certificate
 
** Certificates Tab -> 'New Certificate'
 
** Certificates Tab -> 'New Certificate'
** Select your desired 'Signature algorithm' = SHA256 (or higher)
+
** Select your desired 'Signature algorithm' = SHA256 (minimum)
 
** Select the '[default] CA' template and click 'Apply all'
 
** Select the '[default] CA' template and click 'Apply all'
 
** Subject Tab -> fill in all the fields and make sure the Private Key you created is selected at the bottom.
 
** Subject Tab -> fill in all the fields and make sure the Private Key you created is selected at the bottom.
 
** Extensions Tab
 
** Extensions Tab
 
*** Type: Certificate Authority
 
*** Type: Certificate Authority
*** Path length: 2 (or 3+ depending on how many levels of Subordinate CA's you plan to implement).
+
*** Path length: 2 (or greater depending on how many levels of Subordinate CA's you plan to implement).
 
*** Set the Validity period to something reasonable: 10 to 20 years is typical.
 
*** Set the Validity period to something reasonable: 10 to 20 years is typical.
 
*** CRL distribution point:  URI:http://pki.yourdomain.com/your.crl (comma separated for multiple URIs)
 
*** CRL distribution point:  URI:http://pki.yourdomain.com/your.crl (comma separated for multiple URIs)
Line 36: Line 39:
 
*** Right Click the cert you just created, click 'CA', click 'Generate CRL'
 
*** Right Click the cert you just created, click 'CA', click 'Generate CRL'
 
*** Specify the last and next updates, and set the validity period. 6mo ~ 1yr is probably reasonable. Keep in mind that this will determine how often you have to turn on your Offline CA and publish a new CRL.
 
*** Specify the last and next updates, and set the validity period. 6mo ~ 1yr is probably reasonable. Keep in mind that this will determine how often you have to turn on your Offline CA and publish a new CRL.
*** Hashing algorithm: SHA256 (or higher)
+
*** Hashing algorithm: SHA256 (minimum)
 
*** Click 'OK'
 
*** Click 'OK'
 
** Export the CRL
 
** Export the CRL
Line 44: Line 47:
 
*** Export Format: PEM
 
*** Export Format: PEM
 
*** Click 'OK'
 
*** Click 'OK'
 +
 +
 +
== Sign Subordinate CSRs ==
 +
Setup ADCS on your designated Issuing CA hosts. Export CSR files to a USB Drive.
 +
Plug the USB drive into the Offline Root, then sign the CSR in XCA
 +
* Certificate signing requests Tab
 +
* Click Import, open the CSR on the USB Drive
 +
* Highlight the imported CSR, Right click and select 'Sign'
 +
** Extensions Tab
 +
** Path length: 0 (or greater depending on how many down stream Issuing CAs you plan to have).
 +
** Validity: Set the Issuing CA time range to something reasonable like half the life of the Root CA (5yrs).
 +
* Click 'OK'
  
  

Revision as of 22:39, 2 March 2017

Overview

General best practices suggest using an offline Root CA for security. This makes sense, but the challenge I always have it why waste a Windows Server license for a host that will be offline 99% of the time. This article describes how to use a free open source alternative for your Root CA. Keep in mind that only the Root CA will be Linux based, the Issuing/Subordinate Certificate Authorities will be running ADCS.


Linux/BSD

Linux is a free open source operating system (ya I know Linux is actually just the kernel). It provides a very robust and solid platform for this task. Case in point most Internet facing Certificate Authorities are likely running on Linux or a BSD derivative.

Distribution selection is entirely up to you, and most of what I put in this article will apply to BSD based OSes also. In this example I will use Debian, but FreeBSD is an equally capable.


XCA

I find Certificate Management a real pain, so I will be using XCA. XCA is a GUI frontend for certificate management. You can quickly create keys, self signed certs, and CRLs with just a few clicks of a button.

Installation

apt-get install xca

or 

pkg install xca

Configuration

  • Create a Key
    • Private Keys Tab -> 'New Key'
    • Name: YourDomain-RootCA (Something that makes sense)
    • Keytype: RSA (or your preferred encryption algorithm)
    • Keysize: 2048 (minimum)
  • Create a self signed certificate
    • Certificates Tab -> 'New Certificate'
    • Select your desired 'Signature algorithm' = SHA256 (minimum)
    • Select the '[default] CA' template and click 'Apply all'
    • Subject Tab -> fill in all the fields and make sure the Private Key you created is selected at the bottom.
    • Extensions Tab
      • Type: Certificate Authority
      • Path length: 2 (or greater depending on how many levels of Subordinate CA's you plan to implement).
      • Set the Validity period to something reasonable: 10 to 20 years is typical.
      • CRL distribution point: URI:http://pki.yourdomain.com/your.crl (comma separated for multiple URIs)
    • Key Usage Tab: 'Certificate Sign' and 'CRL Sign' should be highlighted (at minimum).
    • Click 'OK' to create the Root Certificate.
  • Create the CRL
    • Certificates Tab
      • Right Click the cert you just created, click 'CA', click 'Generate CRL'
      • Specify the last and next updates, and set the validity period. 6mo ~ 1yr is probably reasonable. Keep in mind that this will determine how often you have to turn on your Offline CA and publish a new CRL.
      • Hashing algorithm: SHA256 (minimum)
      • Click 'OK'
    • Export the CRL
      • Revocation lists Tab
      • Select the CRL you just created and click 'Export'
      • Filename should match the CRL URI you used when creating the Root Cert. In this example it was your.crl
      • Export Format: PEM
      • Click 'OK'


Sign Subordinate CSRs

Setup ADCS on your designated Issuing CA hosts. Export CSR files to a USB Drive. Plug the USB drive into the Offline Root, then sign the CSR in XCA

  • Certificate signing requests Tab
  • Click Import, open the CSR on the USB Drive
  • Highlight the imported CSR, Right click and select 'Sign'
    • Extensions Tab
    • Path length: 0 (or greater depending on how many down stream Issuing CAs you plan to have).
    • Validity: Set the Issuing CA time range to something reasonable like half the life of the Root CA (5yrs).
  • Click 'OK'


Security

Take precautions to secure your Root CA's operating system. 1) Perform a minimal GUI install. 2) Use strong passwords 3) Don't install SSH. Remove it if OpenSSH-Server is installed by default. 4) Disable Networking after OS and XCA installation (optionally removing network kernel modules/drivers so it can't be easily re-enabled). 5) Create an encrypted volume to store your Keys and the XCA database. 6) Transfer CSR and CRL files using a USB drive.


Reference

http://www.mbse.eu/linux/homeserver/essential/certificatesxca/

http://xca.sourceforge.net/

https://sourceforge.net/projects/xca/

Retrieved from "http://wiki.ledhed.net/index.php?title=ADCS_with_Linux/BSD_based_Offline_Root_CA&oldid=3380"