The document discusses how to operate a certificate authority using OpenSSL on Linux. It explains that a CA has a unique key pair that is used to sign certificates. The CA's public key is distributed and trusted globally in the certificate hierarchy. A CA's main responsibilities are to sign certificate signing requests after verifying requester identity, maintain the security of its private key, and revoke compromised certificates. It then demonstrates how to generate a CA private key, self-sign the CA certificate, set up the OpenSSL configuration files, and sign a certificate signing request to issue a certificate.
The document discusses how to operate a certificate authority using OpenSSL on Linux. It explains that a CA has a unique key pair that is used to sign certificates. The CA's public key is distributed and trusted globally in the certificate hierarchy. A CA's main responsibilities are to sign certificate signing requests after verifying requester identity, maintain the security of its private key, and revoke compromised certificates. It then demonstrates how to generate a CA private key, self-sign the CA certificate, set up the OpenSSL configuration files, and sign a certificate signing request to issue a certificate.
The document discusses how to operate a certificate authority using OpenSSL on Linux. It explains that a CA has a unique key pair that is used to sign certificates. The CA's public key is distributed and trusted globally in the certificate hierarchy. A CA's main responsibilities are to sign certificate signing requests after verifying requester identity, maintain the security of its private key, and revoke compromised certificates. It then demonstrates how to generate a CA private key, self-sign the CA certificate, set up the OpenSSL configuration files, and sign a certificate signing request to issue a certificate.
I want to talk about operating a certificate authority.
So in order to do that, we need to understand certificate authorities a little bit better. So what really makes a certificate authority is a unique key pair. It's a special key pair that they use to send certificates and that public key is well known and trusted throughout the world generally. The CA public key is typically been signed by another CA that is trusted. So we're looking at the hierarchy. Your intermediate certificate authority is generally signed by some root certificate authority that's well-trusted. So the certificate authority has really 3 primary responsibilities. They sign valid certificate signing requests, and sometimes they do additional due diligence to make sure that the requester is in fact who they claim to be. They also maintain the security of their private key. That is very important. If a certificate authority's private key becomes compromised, then anything that they have signed is also compromised. The last major responsibility they have is revoking compromised or misused certificates and they can do that using the online certificate status protocol or the older CRL or certificate revocation lists. So now let's take a look at how we can use the OpenSSL command to act as certificate authority. So the first thing I want to talk about before we actually start running commands is that you actually see in the CA documentation for OpenSSL, that it was never really intended to be a full functioning certificate authority, and documentation actually describes the OpenSSL program as downright unfriendly. So keep that in mind if you're following along that the command is a little unfriendly at times, and the error messages are not super obvious, but I'm going to cover the very basics on how you can sign a certificate running a CA on your own box using OpenSSL CA. So the first thing I want to show you real quick. So if you just run an openssl ca on a system where nothing has been configured, it'll give you some clues as to where you can start putting things. The first clue that it gives you is where the openssl.cnf file is. And this file is where all of your certificate authority configurations are kept. So as you can see when we ran it, it shows us what configuration file it's using. And then it goes to on to show us where it's looking for the CA's private key. And as you can see from these error messages here, that it was unable to find that private key. So let's fix that. First we'll clear the screen. And then we'll run the OpenSSL command to make a new private key that we can use for our CA. So as you can see, we're using the genrsa subcommand again to make our private key. And in this situation, I've used triple deaths as our encryption algorithm, just to show you some different options that you have. A specified a 2048 bit key length. And instead of using the -out flag to output to a file, I'm simply using Bash redirection to output to a file. Both are equally valid. You will also notice I'm outputting to the file that OpenSSL CA was looking for earlier. It'll ask us for a passphrase, as it always does, when we use encryption. And that's all you have to do to create a private key for certificate authority. The next part is what's particularly important. This is the part where we sign our own certificate so that we have a valid public key for our certificate signing authority. So you may notice that this command looks somewhat familiar to a command I ran in the last demonstration and you're correct. It's very similar to the command I used to assign our own certificate as a noncertificate authority. The only difference is that I'm using the set_serial flag here to set our serial number for the certificate, which is required for a CA cert. Aside from set_serial though, it is the same as the other command where we're using the req subcommand specifying the type of file, specifying the encoding of utf8, specifying it as a new certificate, providing the private key we created, specifying that it is an x509 certificate, a validation period in days, and then the output file. And just like before, it's going to prompt us for the passphrase for our CA key. And then we're going to be prompted for some more information about the certificate. I'm going to stop here for just a second. It is required that we specify a state or province because OpenSSL CA will use this province information to check against submitted certificate signing requests. And that generates our self-signed signing certificate. So I've cleared the screen and I do want to be transparent. I've created a couple of files that are necessary for working with the OpenSSL CA command: first of those is an index file that's used by OpenSSL CA and the second is a serial file. These files have to exist in order for OpenSSL CA to work. There's more information on how these files are created in the study guide that accompanies this course. The index file is blank. And the serial file contains the initial serial number 00 that is used by the certificate authority to keep track of issued certificates. They live in the /etc/pki/ca directory. So now I'm going to clear the screen, and let's see how we would sign a CSR. So we use the openssl ca command here and the input file is our certificate signing request, and the output file will be signed certificate. When we attempt to sign it we are prompted for the passphrase to our private key for our certificate authority. Then we are presented with information from the signing request and given the prompt as to whether or not we'd like to sign the certificate, and then we're allowed one more final validation that we do in fact want to sign the certificate. Now the certificate has been signed by our local CA Just like before we can use the x509 subcommand to view the contents of the certificate. Let's clear the screen and take a quick look. Just like before, we provide the in-file of the certificate, the flags, text, and noout, and then we'll pipe it to Les. And here you can see the information contained in the certificate. And that is how you can create public private key pair to create your own ticket signing authority, and then use that key pair to sign a certificate signing request. I hope you've enjoyed this demonstration. Please be sure to mark this video complete.