/public-key-infrastructure-example

An example of public key infrastructure with an offline root certificate authority on linux

MIT LicenseMIT

Public Key Infrastructure Example

An example of public key infrastructure with an offline root certificate authority on linux. A package of scripts to make setting up and maintaining an offline root certificate authority just a bit easier.

For HomeLab Experimentation Only

^
|
--------------------------<<<<<<<<<<<<<<<<< Did you see?

Prerequisites

4 Boxes The file structure is constructed so that all scripts and services may be run on a single machine for testing purposes

  • Box ca-offline.guardtone.com: Offline root Certificate Authority (CA)
  • Box ca.guardtone.com: OCSP responder and CRL host for offline root Certificate Authority (CA)
  • Box ca.home.guardtone.com: Intermediate Certificate Authority (CA) for intranet
  • Box ca-public.guardtone.com: Intermediate Certificate Authority (CA) for internet

Installation

Provision All Machines

  • Install Ubuntu Server 16.04 with SSH server packages on all machines
  • From non priviledged user directory clone and enter repository
    sudo apt-get install apache2
    git clone https://github.com/delphian/public-key-infrastructure-example.git
    cd public-key-infrastructure-example

Customize Variables After Cloning Repository

Customize All Files for your Domain

  • Replace all instances of camel case GuardTone, and lowecase guardtone with your domain name
    sed -i -- 's/GuardTone/MyHomeLab/g' *
    sed -i -- 's/guardtone/myhomelab/g' *

Customize All OpenSSL Config Files

  • Edit *-openssl.cnf
  • Replace the geographic location variables with appropriate values
    countryName_default             = US
    stateOrProvinceName_default     = California
    localityName_default            = Victorville

Box: ca-offline.guardtone.com (Offline Root CA)

  • Remove wifi card. Unplug physical network cable. Disable CD/DVD and USB boot in BIOS. Disable Integrated wifi and bluetooth in BIOS.
  • Create file structure
    mkdir -p "/root/ca/private" "/root/ca/csr" "/root/ca/certs" "/root/ca/crl"
    touch "/root/ca/index.txt"
    echo 1000 > "/root/ca/serial"
    echo 1000 > "/root/ca/crlnumber"
  • Create Root CA private key and self sign certificate. CN could be GuardTone Root Certificate Authority
    openssl ecparam -genkey -name secp384r1 \
       | openssl ec -out "/root/ca/private/ca-offline.guardtone.com.key.pem"
    openssl req -config "./root_ca_openssl.cnf" \
                -new -x509 -sha384 -days 10950 \
                -extensions v3_ca \
                -key "/root/ca/private/ca-offline.guardtone.com.key.pem" \
                -out "/root/ca/certs/ca-offline.guardtone.com.crt.pem"
  • Create (or update) CRL
    openssl ca -config "./root_ca_openssl.cnf" -gencrl -out "/root/ca/crl/revoked.crl"

Box: ca.guardtone.com (OCSP Responder and CRL Host)

  • Create file structure
    mkdir -p "/root/ca/private" "/root/ca/csr" "/root/ca/certs" "/root/ca/crl"
  • Create OCSP Resolver private key and CSR. CN must be ocsp.ca.guardtone.com
    openssl ecparam -genkey -name secp384r1 \
       | openssl ec -out "/root/ca/private/ocsp.ca.guardtone.com.key.pem"
    openssl req -config "./root_ca_openssl.cnf" \
                -new \
                -key "/root/ca/private/ocsp.ca.guardtone.com.key.pem" \
                -out "/root/ca/csr/ocsp.ca.guardtone.com.csr"
  • Create CRL host private key and CSR. CN must be crl.ca.guardtone.com
    openssl ecparam -genkey -name secp384r1 \
       | openssl ec -out "/root/ca/private/crl.ca.guardtone.com.key.pem"
    openssl req -config "./root_ca_openssl.cnf" \
                -new \
                -key "/root/ca/private/crl.ca.guardtone.com.key.pem" \
                -out "/root/ca/csr/crl.ca.guardtone.com.csr"
  • Copy CSRs to ca-offline.guardtone.com:/root/ca/csr

Box: ca-offline.guardtone.com (Offline Root CA)

  • Sign OCSP responder CSR creating certificate good for 14 days using ocsp config file options, then review certificate
    openssl ca -config "./root_ca_openssl.cnf" \
               -extensions ocsp -days 14 -md sha384 \
               -in "/root/ca/csr/ocsp.ca.guardtone.com.csr" \
               -out "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem"
    openssl x509 -noout -text -in "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem"
  • Sign CRL host CSR creating certificate good for 14 days using server_cert config file options, then review certificate
    openssl ca -config "./root_ca_openssl.cnf" \
               -extensions server_cert -days 14 -md sha384 \
               -in "/root/ca/csr/crl.ca.guardtone.com.csr" \
               -out "/root/ca/certs/crl.ca.guardtone.com.crt.pem"
    openssl x509 -noout -text -in "/root/ca/certs/crl.ca.guardtone.com.crt.pem"
  • Copy OCSP, CRL, and Root CA certificates to ca.guardtone.com:/root/ca/certs
  • Copy /root/ca/index.txt OCSP database to ca.guardtone.com:/root/ca
  • Copy /root/ca/crl/revoked.crl CRL to ca.guardtone.com:/root/ca/crl

Box: ca.guardtone.com (OCSP Responder and CRL Host)

  • Launch the OCSP responder with OpenSSL
    openssl ocsp -port 2560 -text -sha256 -ignore_err \
                 -index "/root/ca/index.txt" \
                 -CA "/root/ca/certs/ca-offline.guardtone.com.crt.pem" \
                 -rkey "/root/ca/private/ocsp.ca.guardtone.com.key.pem" \
                 -rsigner "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem" &
  • Update Apache with CRL
    cp /root/ca/crl/revoked.crl /var/www/html/guardtone-ca-revoked.crl

Box: ca-public.guardtone.com (Online Intermediate Public CA)

  • Create file structure
    mkdir -p "/root/ca/intermediate/public/private" \
             "/root/ca/intermediate/public/csr" \
             "/root/ca/intermediate/public/certs" \
             "/root/ca/intermediate/public/crl"
    touch "/root/ca/intermediate/public/index.txt"
    echo 1000 > "/root/ca/intermediate/public/serial"
    echo 1000 > "/root/ca/intermediate/public/crlnumber"
  • Create Intermediate CA private key and CSR. CN could be GuardTone Intermediate Public Certificate Authority
    openssl ecparam -genkey -name secp384r1 \
       | openssl ec -out "/root/ca/intermediate/public/private/ca-public.guardtone.com.key.pem"
    openssl req -config "./intermediate_ca_public_openssl.cnf" \
                -new \
                -key "/root/ca/intermediate/public/private/ca-public.guardtone.com.key.pem" \
                -out "/root/ca/intermediate/public/csr/ca-public.guardtone.com.csr"
  • Copy CSRs to ca-offline.guardtone.com:/root/ca/csr

Box: ca-offline.guardtone.com (Offline Root CA)

  • Sign intermediate CA CSR creating certificate good for 3650 days using v3_intermediate_ca config file options, then review certificate
    openssl ca -config "./root_ca_openssl.cnf" \
               -extensions v3_intermediate_ca -days 3650 -md sha384 \
               -in "/root/ca/csr/ca-public.guardtone.com.csr" \
               -out "/root/ca/certs/ca-public.guardtone.com.crt.pem"
    openssl x509 -noout -text -in "/root/ca/certs/ca-public.guardtone.com.crt.pem"
  • Copy Intermediate CA certificate to ca-public.guardtone.com:/root/ca/intermediate/public/certs

Box: ca-public.guardtone.com (Online Intermediate Public CA)

  • Create OCSP CA private key and sign for 3650 days using ocsp config file options. CN must be ocsp.ca-public.guardtone.com
    openssl ecparam -genkey -name secp384r1 \
       | openssl ec -out "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem"
    openssl req -config "./intermediate_ca_public_openssl.cnf" \
                -new \
                -key "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem" \
                -out "/root/ca/intermediate/public/csr/ocsp.ca-public.guardtone.com.csr"
    openssl ca -config "./intermediate_ca_public_openssl.cnf" \
               -extensions ocsp -days 3650 -md sha384 \
               -in "/root/ca/intermediate/public/csr/ocsp.ca-public.guardtone.com.csr" \
               -out "/root/ca/intermediate/public/certs/ocsp.ca-public.guardtone.com.crt.pem"
  • Create CRL host private key and sign for 3650 days using server_cert config file options, then review certificate. CN must be crl.ca-public.guardtone.com
    openssl ecparam -genkey -name secp384r1 \
       | openssl ec -out "/root/ca/intermediate/public/private/crl.ca-public.guardtone.com.key.pem"
    openssl req -config "./intermediate_ca_public_openssl.cnf" \
                -new \
                -key "/root/ca/intermediate/public/private/crl.ca-public.guardtone.com.key.pem" \
                -out "/root/ca/intermediate/public/csr/crl.ca-public.guardtone.com.csr"
    openssl ca -config "./intermediate_ca_public_openssl.cnf" \
               -extensions server_cert -days 3650 -md sha384 \
               -in "/root/ca/intermediate/public/csr/crl.ca-public.guardtone.com.csr" \
               -out "/root/ca/intermediate/public/certs/crl.ca-public.guardtone.com.crt.pem"
  • Create (or update) CRL
    openssl ca -config "./intermediate_ca_public_openssl.cnf" -gencrl \
               -out "/root/ca/intermediate/public/crl/revoked.crl"
  • Launch the OCSP responder with OpenSSL
    openssl ocsp -port 2570 -text -sha256 -ignore_err \
                 -index "/root/ca/intermediate/public/index.txt" \
                 -CA "/root/ca/intermediate/public/certs/ca-public.guardtone.com.crt.pem" \
                 -rkey "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem" \
                 -rsigner "/root/ca/intermediate/public/certs/ocsp.ca-public.guardtone.com.crt.pem" &
  • Update Apache with CRL
    cp /root/ca/intermediate/public/crl/revoked.crl /var/www/html/guardtone-ca-public-revoked.crl

Resulting File Structure

  • ca-offline.guardtone.com:/root/ca
    • private - Private/Public key pair (of the Root CA)
    • crs - Certificate requests to be processed by the Root CA (Probably from intermediates or Root CA OCSP host)
    • certs - Certificates signed by the Root CA (Including our self signed cert)
    • crl - List of all certificates revoked by the Root CA
  • ca.guardtone.com:/root/ca/ocsp
    • private - Private/Public key pair (of OCSP host)
    • crs - OCSP Certificate Signing Request for presentation to the Root CA
    • certs - Certificates signed by the Root CA (OCSP host certificate for apache)
  • ca-public.guardtone.com:/root/ca/intermediate/public
    • private - Private/Public key pair (of intermediate public CA)
    • crs - Certificate requests to be processed by intermediate public CA (Including our own request to the Root CA)
    • certs - Certificates signed by intermediate public CA (Including intermediate public's own certificate signed by Root CA)
    • crl - List of all certificate revoked by the intermediate public CA
  • ca.home.guardtone.com:/root/ca/intermediate/home
    • private - Private/Public key pair (of intermediate home CA)
    • crs - Certificate requests to be processed by intermediate home CA (Including ou own request to the Root CA)
    • certs - Certificates signed by intermediate home CA (Including intermediate home's own certificate signed by Root CA)
    • crl - List of all certificate revoked by the intermediate home CA

Resources

Introduction

Tutorials and Walkthroughs

Best Practice, Common Mistakes

RFCs

Software