Contents
Overview
General best practices suggest using an offline Root CA for security. This makes sense, but the challenge I always have it why waste a Windows Server license for a host that will be offline 99% of the time. This article describes how to use a free open source alternative for your Root CA. Keep in mind that only the Root CA will be Linux based, the Issuing/Subordinate Certificate Authorities will be running ADCS.
Linux/BSD
Linux is a free open source operating system (ya I know Linux is actually just the kernel). It provides a very robust and solid platform for this task. Case in point most Internet facing Certificate Authorities are likely running on Linux or a BSD derivative.
Distribution selection is entirely up to you, and most of what I put in this article will apply to BSD based OSes also. In this example I will use Debian, but FreeBSD is an equally capable.
XCA
I find Certificate Management a real pain, so I will be using XCA. XCA is a GUI frontend for certificate management. You can quickly create keys, self signed certs, and CRLs with just a few clicks of a button.
Installation
apt-get install xca
or
pkg install xca
Configuration
- Create a Key
- Private Keys Tab -> 'New Key'
- Name: YourDomain-RootCA (Something that makes sense)
- Keytype: RSA (or your preferred encryption algorithm)
- Keysize: 2048 (minimum)
- Create a self signed certificate
- Certificates Tab -> 'New Certificate'
- Select your desired 'Signature algorithm' = SHA256 (minimum)
- Select the '[default] CA' template and click 'Apply all'
- Subject Tab -> fill in all the fields and make sure the Private Key you created is selected at the bottom.
- Extensions Tab
- Type: Certificate Authority
- Path length: 2 (or greater depending on how many levels of Subordinate CA's you plan to implement).
- Set the Validity period to something reasonable: 10 to 20 years is typical.
- CRL distribution point: URI:http://pki.yourdomain.com/your.crl (comma separated for multiple URIs)
- Key Usage Tab: 'Certificate Sign' and 'CRL Sign' should be highlighted (at minimum).
- Click 'OK' to create the Root Certificate.
- Create the CRL
- Certificates Tab
- Right Click the cert you just created, click 'CA', click 'Generate CRL'
- Specify the last and next updates, and set the validity period. 6mo ~ 1yr is probably reasonable. Keep in mind that this will determine how often you have to turn on your Offline CA and publish a new CRL.
- Hashing algorithm: SHA256 (minimum)
- Click 'OK'
- Export the CRL
- Revocation lists Tab
- Select the CRL you just created and click 'Export'
- Filename should match the CRL URI you used when creating the Root Cert. In this example it was your.crl
- Export Format: PEM
- Click 'OK'
- Certificates Tab
Sign Subordinate CSRs
Setup ADCS on your designated Issuing CA hosts. Export CSR files to a USB Drive. Plug the USB drive into the Offline Root, then sign the CSR in XCA
- Certificate signing requests Tab
- Click Import, open the CSR on the USB Drive
- Highlight the imported CSR, Right click and select 'Sign'
- Extensions Tab
- Path length: 0 (or greater depending on how many down stream Issuing CAs you plan to have).
- Validity: Set the Issuing CA time range to something reasonable like half the life of the Root CA (5yrs).
- Click 'OK'
Export the Subordinate Certs to the USB Drive and Import them into the ADCS SubCAs
Shutdown the Offline CA and store it in a secure location. Optionally create an encrypted USB Drive and copy the XCA database to it and store it in a secure off-site location (gotta have backups).
Security
Take precautions to secure your Root CA's operating system. 1) Perform a minimal GUI install. 2) Use strong passwords 3) Don't install SSH. Remove it if OpenSSH-Server is installed by default. 4) Disable Networking after OS and XCA installation (optionally removing network kernel modules/drivers so it can't be easily re-enabled). 5) Create an encrypted volume to store your Keys and the XCA database. 6) Transfer CSR and CRL files using a USB drive.
Reference
http://www.mbse.eu/linux/homeserver/essential/certificatesxca/