So next,

I want to talk about operating a certificate authority.

So in order to do that,
we need to understand certificate authorities a
little bit better.
So what really makes a certificate authority is a
unique key pair.
It's a special key pair that they use to send certificates
and
that public key is well known and trusted
throughout the world generally.
The CA public key is typically been signed by another CA
that is trusted.
So we're looking at the hierarchy.
Your intermediate certificate authority is generally signed
by some root certificate authority that's well-trusted.
So the certificate authority has really 3 primary
responsibilities.
They sign valid certificate signing requests,
and sometimes they do additional due diligence to make sure
that the requester
is in fact who they claim to be.
They also maintain the security of their private key.
That is very important. If
a certificate authority's private key becomes compromised,
then anything that they have signed is also compromised.
The last major responsibility they have is
revoking compromised or misused certificates
and they can do that using the online certificate status
protocol or
the older CRL
or certificate revocation lists.
So now let's take a look at how we can use the OpenSSL
command to act as certificate authority.
So the first thing I want to talk about before we actually
start running commands is that you actually see in the CA
documentation for OpenSSL,
that it was never really intended to be a full functioning
certificate authority,
and documentation actually describes
the OpenSSL program as downright unfriendly.
So keep that in mind
if you're following along that the command is a little
unfriendly at times,
and the error messages are not super obvious,
but I'm going to cover the very basics on how you can sign a
certificate running a CA on your own box using OpenSSL CA.
So the first thing I want to show you real quick.
So if you just run an openssl ca on a system where nothing
has been configured,
it'll give you some clues as to where you can start
putting things.
The first clue that it gives you is where the openssl.cnf
file is.
And this file is where all of your
certificate authority configurations are kept.
So as you can see when we ran it,
it shows us what configuration file it's using.
And then it goes to on to show us where it's looking for the
CA's private key.
And as you can see from these error messages here,
that it was unable to find that private key.
So let's fix that.
First we'll clear the screen.
And then we'll run the OpenSSL command
to make a new private key
that we can use
for our
CA.
So as you can see, we're using the genrsa subcommand again
to make our private key.
And in this situation,
I've used triple deaths as our encryption algorithm,
just to show you some different options that you have.
A specified a 2048 bit key length.
And instead of using the -out flag to output to a file,
I'm simply using Bash redirection to output to a file.
Both are equally valid.
You will also notice I'm outputting to the file that
OpenSSL CA was looking for earlier.
It'll ask us for a passphrase, as it always does, when we
use encryption.
And that's all you have to do to create a private key for
certificate authority.
The next part is what's particularly important.
This is the part where we sign our own certificate
so that we have a valid public key for
our certificate signing authority.
So you may notice that this command looks somewhat familiar
to a command I ran in the last demonstration
and you're correct.
It's very similar to the command I used to assign
our own certificate
as a noncertificate authority.
The only difference is that I'm using the set_serial
flag here to set our
serial number for the certificate,
which is required for a CA cert.
Aside from set_serial though,
it is the same as the other command where we're using the
req subcommand
specifying the type of file,
specifying the encoding of utf8,
specifying it as a new certificate,
providing the private key we created,
specifying that it is an x509 certificate,
a validation period in days, and then the output file.
And just like before,
it's going to prompt us for the passphrase
for our CA key.
And then we're going to be prompted for some more
information about the certificate.
I'm going to stop here for just a second.
It is required that we specify a state or province because
OpenSSL CA will use this province information to check
against submitted certificate signing requests.
And that generates our self-signed signing certificate.
So I've cleared the screen and
I do want to be transparent.
I've created a couple of files that are necessary for
working with the OpenSSL CA command:
first of those is an index file that's used by OpenSSL CA
and the second is a serial file.
These files have to exist in order for OpenSSL CA to work.
There's more information on how these files are created in
the study guide that accompanies this course.
The index file is blank.
And the serial file contains the initial serial number
00
that is used by the certificate authority to keep track
of issued certificates.
They live in the /etc/pki/ca directory.
So now I'm going to clear the screen, and let's see how we
would sign a CSR.
So we use the openssl ca command here
and the input file is our certificate signing request,
and the output file will be signed certificate.
When we attempt to sign it
we are prompted
for the passphrase
to our
private key for our certificate authority.
Then we are presented with information from the signing
request
and given the prompt as to whether or not we'd like
to sign the certificate,
and then we're allowed one more final validation that we do
in fact want to sign the certificate.
Now the certificate has been signed by our local CA
Just like before we can use the x509
subcommand to view the contents of the certificate.
Let's clear the screen and take a quick look.
Just like before, we provide the in-file of the certificate,
the flags, text, and noout, and then we'll pipe it to Les.
And here you can see the information
contained in the certificate.
And that is how you can create public private key pair
to create your own ticket signing authority,
and then use that key pair to sign a certificate signing
request.
I hope you've enjoyed this demonstration.
Please be sure to mark this video complete.