At some point, usually multiple points, a sysadmin/operator/devops/whatever needs a certificate authority (CA). At first this seems easy, then it seems hard, then you think you know what you are doing but you don’t, and I’m not sure you ever do. But you still need that CA. Even if you are using some sort of fancy certificate managment system (such as Hashicorp Vault) you still probably need to manage your top level CA.
Perhaps easy-rsa is the answer? Certainly it is “an answer.” :)
As usual I am using Ubuntu 16.04/Xenial and there does seem to be a package for easy-rsa
easyrsa$ sudo apt install easy-rsa
easyrsa$ dpkg --list easy-rsa
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================-=======================-=======================-===============================================================================
ii easy-rsa 2.2.2-2 all Simple shell based CA utility
So we have version 2.2.2-2.
Presumably we have an easyrsa command?
easyrsa:~/vurt$ which easy-rsa
easyrsa:~/vurt$ which easyrsa
oops no.
Maybe there are some docs somewhere.
easyrsa:~/vurt$ locate easy-rsa | grep README
/usr/share/doc/easy-rsa/README-2.0.gz
/usr/share/doc/easy-rsa/README.Debian
Aha!
easyrsa:~/vurt$ cat /usr/share/doc/easy-rsa/README.Debian
easy-rsa for Debian
-------------------
easy-rsa is a set of scripts to easy the administration of a Certificate
Authority. For example to manage openvpn scripts.
The effortless way to use it is calling "make-cadir DIRECTORY", which will
create a new directory with symlinks to the scripts and a copy of the
configuration files so you can edit them to suit your needs.
i.e.
~$ make-cadir my_ca
~$ cd my_ca
~/my_ca$ vi vars
-- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 12 Nov 2012 18:18:57 +0100
Improving security of created certificates
------------------------------------------
easy-rsa defaults use 2048 bits for keylength and 10 years (3650 days) as
certificate lifetime.
bettercrypto.org suggests increasing the keylength to 4096 bits and decreasing
the certificate lifetime. You can change those values in the 'vars' file of your
CA directory.
-- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 07 Jan 2014 12:36:35 +0100
Seems like make-cadir is the way to go.
easyrsa:~$ make-cadir my_ca
easyrsa:~$ cd my_ca/
easyrsa:~/my_ca$ ls
build-ca build-inter build-key-pass build-key-server build-req-pass inherit-inter openssl-0.9.6.cnf openssl-1.0.0.cnf revoke-full vars
build-dh build-key build-key-pkcs12 build-req
What’s in vars?
ubuntu@vc-tor1-2-easyrsa:~/my_ca$ grep -v "^#\|^$" vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
Let’s change those.
ubuntu@vc-tor1-2-easyrsa:~/my_ca$ diff vars vars.orig
64,69c64,69
< export KEY_COUNTRY="CA"
< export KEY_PROVINCE="AB"
< export KEY_CITY="Edmonton"
< export KEY_ORG="Serverascode"
< export KEY_EMAIL="curtis@serverascode.com"
< export KEY_OU="OpenStack"
---
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="SanFrancisco"
> export KEY_ORG="Fort-Funston"
> export KEY_EMAIL="me@myhost.mydomain"
> export KEY_OU="MyOrganizationalUnit"
After a bit of googling this seems to be a good set of docs for using this version of easy-rsa.
Source vars and clean all.
ubuntu@vc-tor1-2-easyrsa:~/my_ca$ . vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/ubuntu/my_ca/keys
ubuntu@vc-tor1-2-easyrsa:~/my_ca$ ./clean-all
Build the CA.
ubuntu@vc-tor1-2-easyrsa:~/my_ca$ ./build-ca
Generating a 2048 bit RSA private key
........................................+++
............+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [AB]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [Serverascode]:
Organizational Unit Name (eg, section) [OpenStack]:Certifcate Authority
Common Name (eg, your name or your server's hostname) [Serverascode CA]:
Name [EasyRSA]:
Email Address [curtis@serverascode.com]:
That creates this directory and the files in it:
ubuntu@vc-tor1-2-easyrsa:~/my_ca$ ls keys/
ca.crt ca.key index.txt serial
Build an intermediate key.
ubuntu@vc-tor1-2-easyrsa:~/my_ca$ ./build-inter inter
Generating a 2048 bit RSA private key
.............................................+++
........+++
writing new private key to 'inter.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [AB]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [Serverascode]:
Organizational Unit Name (eg, section) [OpenStack]:Intermediate CA
Common Name (eg, your name or your server's hostname) [inter]:
Name [EasyRSA]:
Email Address [curtis@serverascode.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/ubuntu/my_ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'AB'
localityName :PRINTABLE:'Edmonton'
organizationName :PRINTABLE:'Serverascode'
organizationalUnitName:PRINTABLE:'Intermediate CA'
commonName :PRINTABLE:'inter'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'curtis@serverascode.com'
Certificate is to be certified until Jul 26 18:32:25 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build a certificate request and sign it.
ubuntu@vc-tor1-2-easyrsa:~/my_ca$ ./build-key mycert
Generating a 2048 bit RSA private key
..+++
.............................................+++
writing new private key to 'mycert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [AB]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [Serverascode]:
Organizational Unit Name (eg, section) [OpenStack]:
Common Name (eg, your name or your server's hostname) [mycert]:
Name [EasyRSA]:
Email Address [curtis@serverascode.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/ubuntu/my_ca/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'AB'
localityName :PRINTABLE:'Edmonton'
organizationName :PRINTABLE:'Serverascode'
organizationalUnitName:PRINTABLE:'OpenStack'
commonName :PRINTABLE:'mycert'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'curtis@serverascode.com'
Certificate is to be certified until Jul 26 16:34:19 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This was just a quick exploration of easy-rsa. I should note that the version available by default on Ubuntu 16.04 is a bit older. In another post I’ll explore a more recent version of easy-rsa.