In this video, we show how to create a Certificate Authority Server using OpenSSL
A number of IT devices are managed through a web browser but these are supplied with a self-signed certificate
Aside from the annoying warning from the web browser that the certificate is not trusted, it's not a good security practice to use self-signed certificates
Instead, if you only use certificates signed by a certificate authority your web browser trusts, you are much more likely to spot a suspicious web site, whether private or public, and avoid it
Once set up properly, the CA server can issue certificates to computers on your network and you can then connect to them securely through a web browser
We will be using an Ubuntu server for this installation but OpenSSL is available on other platforms
NOTE: In a large environment it is best to set up intermediate CA servers as well
However, given the lack of interest the likes of Google have in certificate revocation, we will only create a Root CA, because if an intermediate CA server were compromised, it would be easier to replace the Root CA
NOTE: The Google Chrome web browser insists on a Subject Alternative Name (SAN) in the certificate, even if the server has only one name
Useful links:
www.openssl.org/docs/manpages...
www.openssl.org/docs/manmaste...
www.openssl.org/docs/man1.0.2...
www.openssl.org/docs/manmaste...
www.openssl.org/docs/man1.0.2...
Steps taken:
1) Create the Root CA VM
Create a VM and install a server OS on it, Ubuntu Server for instance
(1vCPU, 1GB RAM, 16GB HDD, 1vNIC)
During the install process, opt to encrypt the disk and to install OpenSSH
However, do not install any other applications when prompted
2) Basic configuration
After enabling UFW, create folders for the CA
mkdir -p ca/{private,certs,newcerts,csr}
chmod -v 700 ca/private
Create an index file and serial file for the CA
touch ca/index
openssl rand -hex 16 > ca/serial
NOTE: The redirect symbol (>) writes the random serial number into the ca/serial file
3) Create the Root CA private key
cd ca
openssl genrsa -aes256 -out private/root-ca.key 4096
4) Create the CA config file
See comment
5) Create the root CA self-signed certificate
openssl req -config root-ca.conf -extensions v3_ca -key private/root-ca.key -new -x509 -days 3650 -out certs/root-ca.crt
6) Create a server private key
openssl genrsa -out private/testserver.key 2048
7) Create a server CSR, using a config file
See comment
openssl req -new -key private/testserver.key -sha256 -out csr/testserver.csr -config csr/testserver-csr.conf
Check for the SAN
openssl req -noout -text -in csr/testserver.csr | grep -A 1 "Subject Alt"
8) Sign the server certificate request
openssl ca -config root-ca.conf -notext -in csr/testserver.csr -out certs/testserver.crt -extensions req_ext -extfile csr/testserver-csr.conf
Check for the SAN
openssl x509 -text -noout -in certs/testserver.crt | grep -A 1 "Subject Alt"
9) Configure web browser to trust the root CA
Firefox
Settings | Privacy & Security | View Certificates | Authorities | Import
Brave
Settings | Privacy & Security | Security | Manage certificates | Authorities | Import
10) Upload private key and certificate to the server, configure it to use these, then test on web browser
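Steps 2 to 8 run unattended in a throwaway temp directory, as an added example that is not the video's own files: both config files, the hostname, the passphrase and the section names policy_cn, root_dn and dn are constructed assumptions, and -batch, -passout and -passin are added so that nothing prompts. It also shows why step 8 passes -extfile: openssl ca does not copy extensions from the CSR by default, so the SAN in the issued certificate comes from the req_ext section of that file.

```shell
# Added example, not the video's files: throwaway CA in a temp dir, steps 2-8 unattended.
set -eu
demo_ca() (   # demo_ca FQDN -> prints the SAN of the certificate issued for FQDN
  fqdn=$1 pw=pass:demo-only   # constructed passphrase; a real CA key gets a prompted one
  cd "$(mktemp -d)"; mkdir -p ca/private ca/certs ca/newcerts ca/csr
  chmod 700 ca/private; cd ca; touch index; openssl rand -hex 16 > serial
  cat > root-ca.conf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = ./index
serial        = ./serial
new_certs_dir = ./newcerts
certificate   = ./certs/root-ca.crt
private_key   = ./private/root-ca.key
default_md    = sha256
default_days  = 365
policy        = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = root_dn
[ root_dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > csr/testserver-csr.conf <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = $fqdn
[ req_ext ]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
  openssl genrsa -aes256 -passout "$pw" -out private/root-ca.key 4096
  openssl req -config root-ca.conf -extensions v3_ca -key private/root-ca.key \
    -passin "$pw" -new -x509 -days 3650 -out certs/root-ca.crt
  openssl genrsa -out private/testserver.key 2048
  openssl req -new -key private/testserver.key -sha256 -out csr/testserver.csr -config csr/testserver-csr.conf
  openssl ca -batch -config root-ca.conf -passin "$pw" -notext -in csr/testserver.csr \
    -out certs/testserver.crt -extensions req_ext -extfile csr/testserver-csr.conf
  openssl verify -CAfile certs/root-ca.crt certs/testserver.crt >/dev/null
  openssl x509 -text -noout -in certs/testserver.crt | grep -A 1 "Subject Alt" | tail -n 1 | tr -d ' '
)
```

Calling demo_ca testserver.example.internal prints the SAN of the issued certificate; the openssl verify line fails the run if the certificate does not chain to the root.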
00:00 Intro
01:56 Timelines
02:30 Why create a CA?
08:09 How it works
13:20 Virtualization
16:00 Certificate revocation
24:08 Build VM
28:27 Initial set up
39:30 CA private key
49:34 OpenSSL config file
59:28 CA certificate
01:11:40 Server private key
01:14:04 Server CSR
01:21:15 Sign CSR
01:30:34 Install Root certificate and test
CA Server - OpenSSL