website/content/blog/internalca.md
2024-07-04 15:46:38 -07:00

3.3 KiB

title date draft tags medium_enabled
Quick CA for internal LAN 2020-04-18T16:26:53-04:00 false
Networking
Security
true

Setting up trusted HTTPs inside a network without exposure to the Internet requires creating a Certificate Authority. The audience for this post is oriented for people setting up services in a small low threat model environment. Additional cautions should be applied when setting this up for a business, for example working off an intermediate CA.

We're going to be using CFSSL, this is Cloudflare's PKI toolkit to accomplish this. To install on Ubuntu,

sudo apt install golang-cfssl

Creating the CA

This tool makes heavy use of JSON for its configuration. To setup a CA, first let's create csr_ca.json that contains the following information

{
  "CN": "Common Name",
  "key": {
    "algo": "rsa",
    "size": 2048 
  },
    "names": [
       {
         "C": "US",
         "O": "Orgnaization",
         "OU": "Organizational Unit",
         "ST": "Washington",
         "L": "Locality"
       }
    ]
}

Where C is the two-letter country code and ST is the full state name.

Then to create the certificate authority

cfssl gencert -initca csr_ca.json | cfssljson -bare ca

This will create the following files

Filename Purpose
ca.pem Public Certificate
ca-key.pem Private Key
ca.csr Certificate Signing Request

Creating Certficates

Now we can create SSL certificates for whatever websites we wish by specifying in a file we'll call csr_client.json

{
  "hosts": [
    "example.com",
    "*.example.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
     {
       "C": "US",
       "O": "Orgnaization",
       "OU": "Organizational Unit",
       "ST": "Washington",
       "L": "Locality"
     }
  ]
}

Then to create the certs,

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem csr_client.json | cfssljson -bare cert

It will create the private key, public certificate, and CSR just like the previous command. By default the certificate will last for one year and has the following usages:

  • Signing
  • Key Encipherment
  • Server Authentication
  • Client Authentication

To have more full grained control over the certificate usages and expiry time, I will defer you to the documentation. It involves creating another JSON file to pass as a flag into cfssl gencert.

Trusting the CA

On Linux, I know of two different ways to trust the CA depending on your distribution.

Ubuntu Derivative

First you need to copy the ca.pem file over to /usr/local/share/ca-certificates/.

sudo mv ca.pem /usr/local/share/ca-certificates

Then you need to execute

sudo update-ca-certificates

Fedora Derivative

Copy ca.pem over to /etc/pki/ca-trust/source/anchors.

sudo mv ca.pem /etc/pki/ca-trust/source/anchors

Then execute

sudo update-ca-trust

Special Instructions for Firefox

Firefox has its own certificate store that you can add ca.pem to by accessing Preferences->Privacy & Security->Security->Certificates->View Certificates->Authorities->Import. The exact trail might have changed by the time you read this.