An example of public key infrastructure with an offline root certificate authority on linux. A package of scripts to make setting up and maintaining an offline root certificate authority just a bit easier.
For HomeLab Experimentation Only
^
|
--------------------------<<<<<<<<<<<<<<<<< Did you see?
4 Boxes The file structure is constructed so that all scripts and services may be run on a single machine for testing purposes
- Box ca-offline.guardtone.com: Offline root Certificate Authority (CA)
- Box ca.guardtone.com: OCSP responder and CRL host for offline root Certificate Authority (CA)
- Box ca.home.guardtone.com: Intermediate Certificate Authority (CA) for intranet
- Box ca-public.guardtone.com: Intermediate Certificate Authority (CA) for internet
- Install Ubuntu Server 16.04 with SSH server packages on all machines
- From non priviledged user directory clone and enter repository
sudo apt-get install apache2 git clone https://github.com/delphian/public-key-infrastructure-example.git cd public-key-infrastructure-example
- Replace all instances of camel case
GuardTone, and lowecaseguardtonewith your domain namesed -i -- 's/GuardTone/MyHomeLab/g' * sed -i -- 's/guardtone/myhomelab/g' *
- Edit
*-openssl.cnf - Replace the geographic location variables with appropriate values
countryName_default = US stateOrProvinceName_default = California localityName_default = Victorville
- Remove wifi card. Unplug physical network cable. Disable CD/DVD and USB boot in BIOS. Disable Integrated wifi and bluetooth in BIOS.
- Create file structure
mkdir -p "/root/ca/private" "/root/ca/csr" "/root/ca/certs" "/root/ca/crl" touch "/root/ca/index.txt" echo 1000 > "/root/ca/serial" echo 1000 > "/root/ca/crlnumber"
- Create Root CA private key and self sign certificate. CN could be
GuardTone Root Certificate Authorityopenssl ecparam -genkey -name secp384r1 \ | openssl ec -out "/root/ca/private/ca-offline.guardtone.com.key.pem" openssl req -config "./root_ca_openssl.cnf" \ -new -x509 -sha384 -days 10950 \ -extensions v3_ca \ -key "/root/ca/private/ca-offline.guardtone.com.key.pem" \ -out "/root/ca/certs/ca-offline.guardtone.com.crt.pem"
- Create (or update) CRL
openssl ca -config "./root_ca_openssl.cnf" -gencrl -out "/root/ca/crl/revoked.crl"
- Create file structure
mkdir -p "/root/ca/private" "/root/ca/csr" "/root/ca/certs" "/root/ca/crl"
- Create OCSP Resolver private key and CSR. CN must be
ocsp.ca.guardtone.comopenssl ecparam -genkey -name secp384r1 \ | openssl ec -out "/root/ca/private/ocsp.ca.guardtone.com.key.pem" openssl req -config "./root_ca_openssl.cnf" \ -new \ -key "/root/ca/private/ocsp.ca.guardtone.com.key.pem" \ -out "/root/ca/csr/ocsp.ca.guardtone.com.csr"
- Create CRL host private key and CSR. CN must be
crl.ca.guardtone.comopenssl ecparam -genkey -name secp384r1 \ | openssl ec -out "/root/ca/private/crl.ca.guardtone.com.key.pem" openssl req -config "./root_ca_openssl.cnf" \ -new \ -key "/root/ca/private/crl.ca.guardtone.com.key.pem" \ -out "/root/ca/csr/crl.ca.guardtone.com.csr"
- Copy CSRs to ca-offline.guardtone.com:/root/ca/csr
- Sign OCSP responder CSR creating certificate good for 14 days using
ocspconfig file options, then review certificateopenssl ca -config "./root_ca_openssl.cnf" \ -extensions ocsp -days 14 -md sha384 \ -in "/root/ca/csr/ocsp.ca.guardtone.com.csr" \ -out "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem" openssl x509 -noout -text -in "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem"
- Sign CRL host CSR creating certificate good for 14 days using
server_certconfig file options, then review certificateopenssl ca -config "./root_ca_openssl.cnf" \ -extensions server_cert -days 14 -md sha384 \ -in "/root/ca/csr/crl.ca.guardtone.com.csr" \ -out "/root/ca/certs/crl.ca.guardtone.com.crt.pem" openssl x509 -noout -text -in "/root/ca/certs/crl.ca.guardtone.com.crt.pem"
- Copy OCSP, CRL, and Root CA certificates to
ca.guardtone.com:/root/ca/certs - Copy
/root/ca/index.txtOCSP database toca.guardtone.com:/root/ca - Copy
/root/ca/crl/revoked.crlCRL toca.guardtone.com:/root/ca/crl
- Launch the OCSP responder with OpenSSL
openssl ocsp -port 2560 -text -sha256 -ignore_err \ -index "/root/ca/index.txt" \ -CA "/root/ca/certs/ca-offline.guardtone.com.crt.pem" \ -rkey "/root/ca/private/ocsp.ca.guardtone.com.key.pem" \ -rsigner "/root/ca/certs/ocsp.ca.guardtone.com.crt.pem" & - Update Apache with CRL
cp /root/ca/crl/revoked.crl /var/www/html/guardtone-ca-revoked.crl
- Create file structure
mkdir -p "/root/ca/intermediate/public/private" \ "/root/ca/intermediate/public/csr" \ "/root/ca/intermediate/public/certs" \ "/root/ca/intermediate/public/crl" touch "/root/ca/intermediate/public/index.txt" echo 1000 > "/root/ca/intermediate/public/serial" echo 1000 > "/root/ca/intermediate/public/crlnumber"
- Create Intermediate CA private key and CSR. CN could be
GuardTone Intermediate Public Certificate Authorityopenssl ecparam -genkey -name secp384r1 \ | openssl ec -out "/root/ca/intermediate/public/private/ca-public.guardtone.com.key.pem" openssl req -config "./intermediate_ca_public_openssl.cnf" \ -new \ -key "/root/ca/intermediate/public/private/ca-public.guardtone.com.key.pem" \ -out "/root/ca/intermediate/public/csr/ca-public.guardtone.com.csr"
- Copy CSRs to ca-offline.guardtone.com:/root/ca/csr
- Sign intermediate CA CSR creating certificate good for 3650 days using
v3_intermediate_caconfig file options, then review certificateopenssl ca -config "./root_ca_openssl.cnf" \ -extensions v3_intermediate_ca -days 3650 -md sha384 \ -in "/root/ca/csr/ca-public.guardtone.com.csr" \ -out "/root/ca/certs/ca-public.guardtone.com.crt.pem" openssl x509 -noout -text -in "/root/ca/certs/ca-public.guardtone.com.crt.pem"
- Copy Intermediate CA certificate to ca-public.guardtone.com:/root/ca/intermediate/public/certs
- Create OCSP CA private key and sign for 3650 days using
ocspconfig file options. CN must beocsp.ca-public.guardtone.comopenssl ecparam -genkey -name secp384r1 \ | openssl ec -out "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem" openssl req -config "./intermediate_ca_public_openssl.cnf" \ -new \ -key "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem" \ -out "/root/ca/intermediate/public/csr/ocsp.ca-public.guardtone.com.csr" openssl ca -config "./intermediate_ca_public_openssl.cnf" \ -extensions ocsp -days 3650 -md sha384 \ -in "/root/ca/intermediate/public/csr/ocsp.ca-public.guardtone.com.csr" \ -out "/root/ca/intermediate/public/certs/ocsp.ca-public.guardtone.com.crt.pem"
- Create CRL host private key and sign for 3650 days using
server_certconfig file options, then review certificate. CN must becrl.ca-public.guardtone.comopenssl ecparam -genkey -name secp384r1 \ | openssl ec -out "/root/ca/intermediate/public/private/crl.ca-public.guardtone.com.key.pem" openssl req -config "./intermediate_ca_public_openssl.cnf" \ -new \ -key "/root/ca/intermediate/public/private/crl.ca-public.guardtone.com.key.pem" \ -out "/root/ca/intermediate/public/csr/crl.ca-public.guardtone.com.csr" openssl ca -config "./intermediate_ca_public_openssl.cnf" \ -extensions server_cert -days 3650 -md sha384 \ -in "/root/ca/intermediate/public/csr/crl.ca-public.guardtone.com.csr" \ -out "/root/ca/intermediate/public/certs/crl.ca-public.guardtone.com.crt.pem"
- Create (or update) CRL
openssl ca -config "./intermediate_ca_public_openssl.cnf" -gencrl \ -out "/root/ca/intermediate/public/crl/revoked.crl"
- Launch the OCSP responder with OpenSSL
openssl ocsp -port 2570 -text -sha256 -ignore_err \ -index "/root/ca/intermediate/public/index.txt" \ -CA "/root/ca/intermediate/public/certs/ca-public.guardtone.com.crt.pem" \ -rkey "/root/ca/intermediate/public/private/ocsp.ca-public.guardtone.com.key.pem" \ -rsigner "/root/ca/intermediate/public/certs/ocsp.ca-public.guardtone.com.crt.pem" & - Update Apache with CRL
cp /root/ca/intermediate/public/crl/revoked.crl /var/www/html/guardtone-ca-public-revoked.crl
ca-offline.guardtone.com:/root/caprivate- Private/Public key pair (of the Root CA)crs- Certificate requests to be processed by the Root CA (Probably from intermediates or Root CA OCSP host)certs- Certificates signed by the Root CA (Including our self signed cert)crl- List of all certificates revoked by the Root CA
ca.guardtone.com:/root/ca/ocspprivate- Private/Public key pair (of OCSP host)crs- OCSP Certificate Signing Request for presentation to the Root CAcerts- Certificates signed by the Root CA (OCSP host certificate for apache)
ca-public.guardtone.com:/root/ca/intermediate/publicprivate- Private/Public key pair (of intermediate public CA)crs- Certificate requests to be processed by intermediate public CA (Including our own request to the Root CA)certs- Certificates signed by intermediate public CA (Including intermediate public's own certificate signed by Root CA)crl- List of all certificate revoked by the intermediate public CA
ca.home.guardtone.com:/root/ca/intermediate/homeprivate- Private/Public key pair (of intermediate home CA)crs- Certificate requests to be processed by intermediate home CA (Including ou own request to the Root CA)certs- Certificates signed by intermediate home CA (Including intermediate home's own certificate signed by Root CA)crl- List of all certificate revoked by the intermediate home CA
- An Overview of Cryptography
- On the Differences between Hiding Information and Cryptography Techniques: An Overview
- Public Key Infrastructure Overview
- Design and Implementation of PKI (For Multi Domain Environment)
- HTTPS in the Real World
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent