website/content/blog/internalca.md
2024-07-04 15:46:38 -07:00

132 lines
3.3 KiB
Markdown

---
title: "Quick CA for internal LAN"
date: 2020-04-18T16:26:53-04:00
draft: false
tags: ["Networking", "Security"]
medium_enabled: true
---
Setting up trusted HTTPs inside a network without exposure to the Internet requires creating a Certificate Authority. The audience for this post is oriented for people setting up services in a small low threat model environment. Additional cautions should be applied when setting this up for a business, for example working off an intermediate CA.
We're going to be using [CFSSL](https://blog.cloudflare.com/introducing-cfssl/), this is Cloudflare's PKI toolkit to accomplish this. To install on Ubuntu,
```bash
sudo apt install golang-cfssl
```
## Creating the CA
This tool makes heavy use of JSON for its configuration. To setup a CA, first let's create `csr_ca.json` that contains the following information
```json
{
"CN": "Common Name",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"O": "Orgnaization",
"OU": "Organizational Unit",
"ST": "Washington",
"L": "Locality"
}
]
}
```
Where `C` is the two-letter country code and `ST` is the full state name.
Then to create the certificate authority
```bash
cfssl gencert -initca csr_ca.json | cfssljson -bare ca
```
This will create the following files
| Filename | Purpose |
| ---------- | --------------------------- |
| ca.pem | Public Certificate |
| ca-key.pem | Private Key |
| ca.csr | Certificate Signing Request |
## Creating Certficates
Now we can create SSL certificates for whatever websites we wish by specifying in a file we'll call `csr_client.json`
```json
{
"hosts": [
"example.com",
"*.example.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"O": "Orgnaization",
"OU": "Organizational Unit",
"ST": "Washington",
"L": "Locality"
}
]
}
```
Then to create the certs,
```bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem csr_client.json | cfssljson -bare cert
```
It will create the private key, public certificate, and CSR just like the previous command. By default the certificate will last for one year and has the following usages:
- Signing
- Key Encipherment
- Server Authentication
- Client Authentication
To have more full grained control over the certificate usages and expiry time, I will defer you to the documentation. It involves creating another JSON file to pass as a flag into `cfssl gencert`.
## Trusting the CA
On Linux, I know of two different ways to trust the CA depending on your distribution.
### Ubuntu Derivative
First you need to copy the `ca.pem` file over to `/usr/local/share/ca-certificates/`.
```bash
sudo mv ca.pem /usr/local/share/ca-certificates
```
Then you need to execute
```bash
sudo update-ca-certificates
```
### Fedora Derivative
Copy `ca.pem` over to `/etc/pki/ca-trust/source/anchors`.
```bash
sudo mv ca.pem /etc/pki/ca-trust/source/anchors
```
Then execute
```bash
sudo update-ca-trust
```
### Special Instructions for Firefox
Firefox has its own certificate store that you can add `ca.pem` to by accessing Preferences->Privacy & Security->Security->Certificates->View Certificates->Authorities->Import. The exact trail might have changed by the time you read this.