Certification authority services

In any modern organization, there is an important security subsystem called cryptography. This subsystem provides the core properties of information security: confidentiality, integrity, and authenticity. All three are needed for secure transport, management, and access. Cryptography and the security mechanisms built on it are a vast topic and out of the scope of our book, but we are going to briefly demonstrate how to create a certificate system based on OpenSSL.

OpenSSL is a free software utility. You can download a binary copy to run on your Windows installation from https://www.openssl.org/community/binaries.html. OpenSSL is all you need to create your own private certificate authority.

So, download this software and extract it into a folder on one of your servers. In our case, we use the C:\OpenSSL directory on our domain controller (dc.lab.local).

The process for creating our own certificate authority is pretty straightforward:

  1. Create a private key.
  2. Self-sign a root certificate with that key.
  3. Install the root CA certificate on workstations.

Once we do that, every service that we use can be protected by a certificate created with the following steps:

  1. Create a certificate.
  2. Sign the certificate with a root CA key.

Creating a root certificate

First, we need to generate a root key, which will then be used to create the root certificate. It can be done with the following command:

openssl genrsa -out rootCA.key 2048

Here:

  • 2048: This is our key length in bits
  • rootCA.key: This is a filename of our root key

After that, we execute a second command for creating a self-signed root certificate:

openssl req -x509 -new -key rootCA.key -days 1200 -out rootCA.crt

Here:

  • rootCA.key: This is the private key of our CA
  • 1200: This is the validity period of our certificate in days (1,200 days is approximately 3 years)

Here, we are asked a few questions; you can answer them as you like:

Country Name (2 letter code) [US]: RU
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Moscow
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Test Lab
Organizational Unit Name (eg, section) []: Lab
Common Name (e.g. server FQDN or YOUR name) []: lab.local
Email Address []: [email protected]

After these manipulations, we have two files:

  • rootCA.crt: The public root certificate, for installation on servers or workstations and for public distribution
  • rootCA.key: The private key, which must be kept secret

Now, we can create certificates for our services and install a root certificate to our workstations.

Creating a working certificate

So, let's create a certificate (for example, for a web service) signed by our CA. This process is pretty simple:

  1. Generate a key:

    openssl genrsa -out web.lab.local.key 2048

  2. Create the certificate signing request:

    openssl req -new -key web.lab.local.key -out web.lab.local.csr

    Here, it is important to specify the name of the server, domain or IP (in our case, web.lab.local), as the Common Name:

    Common Name (eg, YOUR name) []: web.lab.local

  3. Sign the certificate request with our root certificate:

    openssl x509 -req -in web.lab.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out web.lab.local.crt -days 365

    Here:

      • -CAcreateserial: This creates the CA serial number file (rootCA.srl) if it does not exist yet
      • 365: This is the validity period of the service certificate in days
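The whole procedure above (root key, self-signed root, service key, CSR, signing) as one non-interactive script, followed by the check a practitioner wants before trusting the result: that the service certificate actually chains to the root. This is an added example, not the book's own script; it assumes OpenSSL is on the PATH, reuses the names from the text (lab.local, web.lab.local, Test Lab), and adds a subjectAltName extension because browsers match the host name against SAN rather than the Common Name.

```shell
#!/bin/sh
# Added example (not from the book): the CA procedure as a script.
# Assumes: openssl on PATH; names lab.local / web.lab.local from the text.
set -eu

# Build the root CA and a signed service certificate inside directory $1.
build_lab_ca() {
    dir="$1"
    mkdir -p "$dir"
    cd "$dir"
    # Root private key, then the self-signed root certificate.
    # -subj answers the interactive questions the text shows.
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -key rootCA.key -days 1200 -out rootCA.crt \
        -subj "/C=RU/L=Moscow/O=Test Lab/OU=Lab/CN=lab.local"
    # Service key and certificate signing request (CN = server FQDN).
    openssl genrsa -out web.lab.local.key 2048 2>/dev/null
    openssl req -new -key web.lab.local.key -out web.lab.local.csr \
        -subj "/C=RU/L=Moscow/O=Test Lab/OU=Lab/CN=web.lab.local"
    # Extensions for the signed certificate: SAN for host-name matching,
    # and CA:FALSE so the service cert cannot itself sign certificates.
    printf 'subjectAltName=DNS:web.lab.local\nbasicConstraints=CA:FALSE\n' > web.ext
    openssl x509 -req -in web.lab.local.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -extfile web.ext -out web.lab.local.crt -days 365 2>/dev/null
    cd - >/dev/null
}

# Return 0 only if the service cert chains to the root in $1 and carries the SAN.
verify_lab_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/rootCA.crt" "$dir/web.lab.local.crt" >/dev/null \
        && openssl x509 -in "$dir/web.lab.local.crt" -noout -text \
        | grep -q 'DNS:web.lab.local'
}
```

Run `build_lab_ca /tmp/labca && verify_lab_cert /tmp/labca && echo chain OK`; a certificate signed by some other key, or with the wrong host name, makes `verify_lab_cert` return non-zero.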

Installing a root certificate

Now, we can install the root certificate on our servers and workstations. For this, we need to place it in the trusted root certificate store of each host. Some browsers use the operating system's default store. For instance, on Windows, both Internet Explorer and Chrome use the default Windows certificate management; they both take you to the same place, the Windows certificate store. So, we can open Internet Explorer and go to Internet Options | Content | Certificates, and install the root CA certificate under the Trusted Root Certification Authorities tab. However, Firefox on Windows has its own certificate store, so if you use IE or Chrome as well as Firefox, you will have to install the root certificate into both the Windows store and the Firefox store.

Note

A good manual about building CAs based on OpenSSL is located at https://jamielinux.com/docs/openssl-certificate-authority/index.html.
