Skip to content
/ public-key-infrastructure-example Public

An example of public key infrastructure with an offline root certificate authority on linux

License

MIT license
5 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

delphian/public-key-infrastructure-example

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

230 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

intermediate_ca_home_openssl.cnf

intermediate_ca_home_openssl.cnf

 
 

intermediate_ca_public_openssl.cnf

intermediate_ca_public_openssl.cnf

 
 

root_ca_openssl.cnf

root_ca_openssl.cnf

 
 

Repository files navigation

Public Key Infrastructure Example

An example of public key infrastructure with an offline root certificate authority on linux. A package of scripts to make setting up and maintaining an offline root certificate authority just a bit easier.

For HomeLab Experimentation Only

^
|
--------------------------<<<<<<<<<<<<<<<<< Did you see?

Prerequisites

4 Boxes The file structure is constructed so that all scripts and services may be run on a single machine for testing purposes

  • Box ca-offline.guardtone.com: Offline root Certificate Authority (CA)
  • Box ca.guardtone.com: OCSP responder and CRL host for offline root Certificate Authority (CA)
  • Box ca.home.guardtone.com: Intermediate Certificate Authority (CA) for intranet
  • Box ca-public.guardtone.com: Intermediate Certificate Authority (CA) for internet

Installation

Provision All Machines

  • Install Ubuntu Server 16.04 with SSH server packages on all machines
  • From non priviledged user directory clone and enter repository 
    sudo apt-get install apache2
git clone https://github.com/delphian/public-key-infrastructure-example.git
cd public-key-infrastructure-example

Customize Variables After Cloning Repository

Customize All Files for your Domain

  • Replace all instances of camel case GuardTone, and lowecase guardtone with your domain name 
    sed -i -- 's/GuardTone/MyHomeLab/g' *
sed -i -- 's/guardtone/myhomelab/g' *

Customize All OpenSSL Config Files

  • Edit *-openssl.cnf
  • Replace the geographic location variables with appropriate values 
    countryName_default             = US
stateOrProvinceName_default     = California
localityName_default            = Victorville

Box: ca-offline.guardtone.com (Offline Root CA)

  • Remove wifi card. Unplug physical network cable. Disable CD/DVD and USB boot in BIOS. Disable Integrated wifi and bluetooth in BIOS.
  • Create file structure 
    mkdir -p "/root/ca/private" "/root/ca/csr" "/root/ca/certs" "/root/ca/crl"
touch "/root/ca/index.txt"
echo 1000 > "/root/ca/serial"
echo 1000 > "/root/ca/crlnumber"
  • Create Root CA private key and self sign certificate. CN could be GuardTone Root Certificate Authority 
    openssl ecparam -genkey -name secp384r1 \
   | openssl ec -out "/root/ca/private/ca-offline.guardtone.com.key.pem"
openssl req -config "./root_ca_openssl.cnf" \
            -new -x509 -sha384 -days 10950 \
            -extensions v3_ca \
            -key "/root/ca/private/ca-offline.guardtone.com.key.pem" \
            -out "/root/ca/certs/ca-offline.guardtone.com.crt.pem"
  • Create (or update) CRL 
    openssl ca -config "./root_ca_openssl.cnf" -gencrl -out "/root/ca/crl/revoked.crl"

Box: ca.guardtone.com (OCSP Responder and CRL Host)

  • Create file structure 
    mkdir -p "/root/ca/private" "/root/ca/csr" "/root/ca/certs" "/root/ca/crl"
  • Create OCSP Resolver private key and CSR. CN must be ocsp.ca.guardtone.com 
    openssl ecparam -genkey -name secp384r1 \
   | openssl ec -out "/root/ca/private/ocsp.ca.guardtone.com.key.pem"
openssl req -config "./root_ca_openssl.cnf" \
            -new \
            -key "/root/ca/private/ocsp.ca.guardtone.com.key.pem" \
            -out "/root/ca/csr/ocsp.ca.guardtone.com.csr"
  • Create CRL host private key and CSR. CN must be crl.ca.guardtone.com 
    openssl ecparam -genkey -name secp384r1 \
   | openssl ec -out "/root/ca/private/crl.ca.guardtone.com.key.pem"
openssl req -config "./root_ca_openssl.cnf" \
            -new \
            -key "/root/ca/private/crl.ca.guardtone.com.key.pem" \
            -out "/root/ca/csr/crl.ca.guardtone.com.csr"
  • Copy CSRs to ca-offline.guardtone.com:/root/ca/csr

Box: ca-offline.guardtone.com (Offline Root CA)

  • Sign OCSP responder CSR creating certificate good for 14 days using ocsp config file options, then review certificate 
    openssl ca -config "./root_ca_openssl.cnf" \
           -extensions ocsp -days 14 -md sha384 \
           -in "/root/ca/csr/ocsp.ca.guardtone.com.csr" \
           -out "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem"
openssl x509 -noout -text -in "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem"
  • Sign CRL host CSR creating certificate good for 14 days using server_cert config file options, then review certificate 
    openssl ca -config "./root_ca_openssl.cnf" \
           -extensions server_cert -days 14 -md sha384 \
           -in "/root/ca/csr/crl.ca.guardtone.com.csr" \
           -out "/root/ca/certs/crl.ca.guardtone.com.crt.pem"
openssl x509 -noout -text -in "/root/ca/certs/crl.ca.guardtone.com.crt.pem"
  • Copy OCSP, CRL, and Root CA certificates to ca.guardtone.com:/root/ca/certs
  • Copy /root/ca/index.txt OCSP database to ca.guardtone.com:/root/ca
  • Copy /root/ca/crl/revoked.crl CRL to ca.guardtone.com:/root/ca/crl

Box: ca.guardtone.com (OCSP Responder and CRL Host)

  • Launch the OCSP responder with OpenSSL 
    openssl ocsp -port 2560 -text -sha256 -ignore_err \
             -index "/root/ca/index.txt" \
             -CA "/root/ca/certs/ca-offline.guardtone.com.crt.pem" \
             -rkey "/root/ca/private/ocsp.ca.guardtone.com.key.pem" \
             -rsigner "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem" &
  • Update Apache with CRL 
    cp /root/ca/crl/revoked.crl /var/www/html/guardtone-ca-revoked.crl

Box: ca-public.guardtone.com (Online Intermediate Public CA)

  • Create file structure 
    mkdir -p "/root/ca/intermediate/public/private" \
         "/root/ca/intermediate/public/csr" \
         "/root/ca/intermediate/public/certs" \
         "/root/ca/intermediate/public/crl"
touch "/root/ca/intermediate/public/index.txt"
echo 1000 > "/root/ca/intermediate/public/serial"
echo 1000 > "/root/ca/intermediate/public/crlnumber"
  • Create Intermediate CA private key and CSR. CN could be GuardTone Intermediate Public Certificate Authority 
    openssl ecparam -genkey -name secp384r1 \
   | openssl ec -out "/root/ca/intermediate/public/private/ca-public.guardtone.com.key.pem"
openssl req -config "./intermediate_ca_public_openssl.cnf" \
            -new \
            -key "/root/ca/intermediate/public/private/ca-public.guardtone.com.key.pem" \
            -out "/root/ca/intermediate/public/csr/ca-public.guardtone.com.csr"
  • Copy CSRs to ca-offline.guardtone.com:/root/ca/csr

Box: ca-offline.guardtone.com (Offline Root CA)

  • Sign intermediate CA CSR creating certificate good for 3650 days using v3_intermediate_ca config file options, then review certificate 
    openssl ca -config "./root_ca_openssl.cnf" \
           -extensions v3_intermediate_ca -days 3650 -md sha384 \
           -in "/root/ca/csr/ca-public.guardtone.com.csr" \
           -out "/root/ca/certs/ca-public.guardtone.com.crt.pem"
openssl x509 -noout -text -in "/root/ca/certs/ca-public.guardtone.com.crt.pem"
  • Copy Intermediate CA certificate to ca-public.guardtone.com:/root/ca/intermediate/public/certs

Box: ca-public.guardtone.com (Online Intermediate Public CA)

  • Create OCSP CA private key and sign for 3650 days using ocsp config file options. CN must be ocsp.ca-public.guardtone.com 
    openssl ecparam -genkey -name secp384r1 \
   | openssl ec -out "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem"
openssl req -config "./intermediate_ca_public_openssl.cnf" \
            -new \
            -key "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem" \
            -out "/root/ca/intermediate/public/csr/ocsp.ca-public.guardtone.com.csr"
openssl ca -config "./intermediate_ca_public_openssl.cnf" \
           -extensions ocsp -days 3650 -md sha384 \
           -in "/root/ca/intermediate/public/csr/ocsp.ca-public.guardtone.com.csr" \
           -out "/root/ca/intermediate/public/certs/ocsp.ca-public.guardtone.com.crt.pem"
  • Create CRL host private key and sign for 3650 days using server_cert config file options, then review certificate. CN must be crl.ca-public.guardtone.com 
    openssl ecparam -genkey -name secp384r1 \
   | openssl ec -out "/root/ca/intermediate/public/private/crl.ca-public.guardtone.com.key.pem"
openssl req -config "./intermediate_ca_public_openssl.cnf" \
            -new \
            -key "/root/ca/intermediate/public/private/crl.ca-public.guardtone.com.key.pem" \
            -out "/root/ca/intermediate/public/csr/crl.ca-public.guardtone.com.csr"
openssl ca -config "./intermediate_ca_public_openssl.cnf" \
           -extensions server_cert -days 3650 -md sha384 \
           -in "/root/ca/intermediate/public/csr/crl.ca-public.guardtone.com.csr" \
           -out "/root/ca/intermediate/public/certs/crl.ca-public.guardtone.com.crt.pem"
  • Create (or update) CRL 
    openssl ca -config "./intermediate_ca_public_openssl.cnf" -gencrl \
           -out "/root/ca/intermediate/public/crl/revoked.crl"
  • Launch the OCSP responder with OpenSSL 
    openssl ocsp -port 2570 -text -sha256 -ignore_err \
             -index "/root/ca/intermediate/public/index.txt" \
             -CA "/root/ca/intermediate/public/certs/ca-public.guardtone.com.crt.pem" \
             -rkey "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem" \
             -rsigner "/root/ca/intermediate/public/certs/ocsp.ca-public.guardtone.com.crt.pem" &
  • Update Apache with CRL 
    cp /root/ca/intermediate/public/crl/revoked.crl /var/www/html/guardtone-ca-public-revoked.crl

Resulting File Structure

  • ca-offline.guardtone.com:/root/ca
    • private - Private/Public key pair (of the Root CA)
    • crs - Certificate requests to be processed by the Root CA (Probably from intermediates or Root CA OCSP host)
    • certs - Certificates signed by the Root CA (Including our self signed cert)
    • crl - List of all certificates revoked by the Root CA
  • ca.guardtone.com:/root/ca/ocsp
    • private - Private/Public key pair (of OCSP host)
    • crs - OCSP Certificate Signing Request for presentation to the Root CA
    • certs - Certificates signed by the Root CA (OCSP host certificate for apache)
  • ca-public.guardtone.com:/root/ca/intermediate/public
    • private - Private/Public key pair (of intermediate public CA)
    • crs - Certificate requests to be processed by intermediate public CA (Including our own request to the Root CA)
    • certs - Certificates signed by intermediate public CA (Including intermediate public's own certificate signed by Root CA)
    • crl - List of all certificate revoked by the intermediate public CA
  • ca.home.guardtone.com:/root/ca/intermediate/home
    • private - Private/Public key pair (of intermediate home CA)
    • crs - Certificate requests to be processed by intermediate home CA (Including ou own request to the Root CA)
    • certs - Certificates signed by intermediate home CA (Including intermediate home's own certificate signed by Root CA)
    • crl - List of all certificate revoked by the intermediate home CA

Resources

Introduction

Tutorials and Walkthroughs

Best Practice, Common Mistakes

RFCs

Software

About

An example of public key infrastructure with an offline root certificate authority on linux

Topics

bash openssl pki certificate-authority certificate-revocation-lists root-certificate bash-script ssl-certificates ocsp root-certificates homelab certificate-signing-request ocsp-responder bash-scripts offline-root public-key-certificate home-lab

Resources

Readme

License

MIT license
Activity

Stars

5 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published