Intermediary CAs

This recipe shows how to set up an intermediary CA and how to configure OpenVPN to make use of an intermediary CA. The OpenVPN easy-rsa scripts also include functionality to set up an intermediary CA. The advantage of an intermediary CA (or sub CA) is that the top-level CA (also known as the root CA) can be guarded more closely. The intermediary CAs can be distributed to the people responsible for generating the server and client certificates.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux, but it can easily be run on Windows or Mac OS.

How to do it...

  1. First, we create the intermediary CA certificate:
         $ cd /etc/openvpn/cookbook/
         $ . ./vars
         $ ./build-inter IntermediateCA

  2. Verify that this certificate can indeed act as a Certificate Authority:
         $ openssl x509 -text -noout -in keys/IntermediateCA.crt | grep -C 1 CA
                     X509v3 Basic Constraints:
                         CA:TRUE
             Signature Algorithm: sha1WithRSAEncryption

  3. Next, we create a new keys directory for our intermediary CA (the current directory is still /etc/openvpn/cookbook):
         $ mkdir -m 700 -p IntermediateCA/keys
         $ cp [a-z]* IntermediateCA
         $ cd IntermediateCA

  4. Edit the vars file in the new directory and change the EASY_RSA line to:
         export EASY_RSA=/etc/openvpn/cookbook/IntermediateCA

  5. Source this new vars file and set up the keys directory:
         $ . ./vars
         $ ./clean-all
         $ cp ../keys/IntermediateCA.crt keys/ca.crt
         $ cp ../keys/IntermediateCA.key keys/ca.key

  6. Now we are ready to create our first intermediary certificate:
         $ ./build-key IntermediateClient

  7. Verify that the certificate has the new Intermediary CA as its issuer:
         $ openssl x509 -subject -issuer -noout -in keys/IntermediateClient.crt
         subject= /C=US/O=Cookbook 2.4/CN=IntermediateClient
         issuer= /C=US/O=Cookbook 2.4/CN=subCA/emailAddress=...

  8. And finally, we verify that the certificate is indeed a valid certificate. In order to do this we need to "stack" the root CA (public) certificate and the intermediary CA certificate into a single file:
         $ cd /etc/openvpn/cookbook
         $ cat keys/ca.crt IntermediateCA/keys/ca.crt > ca+subca.pem
         $ cp IntermediateCA/keys/IntermediateClient.{crt,key} .
         $ openssl verify -CAfile ca+subca.pem IntermediateClient.crt
         IntermediateClient.crt: OK


How it works...

The intermediary CA certificate has the "right" to act as a certificate authority, meaning that it can sign new certificates itself. The intermediary CA needs a directory structure for this, which is very similar to the root CA directory structure. First, we set up this directory structure and then we copy over all the necessary files. After that we create a client certificate and verify that it is a valid certificate. In order to perform this validation, the entire certificate chain, from the root-level CA to the intermediary CA to the client certificate, needs to be present. This is why the root CA public certificate and the intermediary CA public certificate are stacked into a single file. This single file is then used to perform the entire certificate chain validation.
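As an added example that is not part of the original recipe, the same root CA, intermediary CA and client certificate are built here with plain openssl commands instead of the easy-rsa scripts, and the client certificate is then verified three ways: against the stacked root+intermediary file from step 8, against the root alone (which fails, showing why the stacking is needed), and with only the root trusted while the intermediary is passed via -untrusted for chain building. The file names, the temporary directory and the minimal config file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the recipe): root CA -> intermediary CA -> client certificate
# with plain openssl, then chain verification as in step 8. All file names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
SUBJ="/C=US/O=Cookbook 2.4"
# Minimal config so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
# Root CA: self-signed, CA:TRUE; this is the key that should be guarded most closely.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
  -subj "$SUBJ/CN=Cookbook Root CA" -keyout ca.key -out ca.crt 2>/dev/null
# Intermediary CA: CSR signed by the root; pathlen:0 stops it from issuing further sub CAs.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "$SUBJ/CN=IntermediateCA" -keyout subca.key -out subca.csr 2>/dev/null
openssl x509 -req -in subca.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1825 \
  -sha256 -extfile ca.cnf -extensions v3_subca -out subca.crt 2>/dev/null
# Client certificate issued by the intermediary CA (step 6 of the recipe).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "$SUBJ/CN=IntermediateClient" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA subca.crt -CAkey subca.key -CAcreateserial -days 365 \
  -sha256 -extfile ca.cnf -extensions v3_client -out client.crt 2>/dev/null
# Stack root + intermediary into one trust file, as in step 8.
cat ca.crt subca.crt > ca+subca.pem
# verify_chain CAFILE [openssl verify options] LEAF: print the result instead of aborting.
verify_chain() { openssl verify -CAfile "$@" 2>&1 || true; }
verify_chain ca+subca.pem client.crt                 # client.crt: OK
verify_chain ca.crt client.crt                       # error 20: unable to get local issuer certificate
# Only the root is trusted; the intermediary is supplied for chain building, not as a trust anchor.
verify_chain ca.crt -untrusted subca.crt client.crt  # client.crt: OK
```

The -untrusted form is the stricter deployment: a compromised intermediary key cannot be used to vouch for itself, because only the root is in the trust store.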

There's more...

Certificates that have been issued by an intermediary CA also need to be revoked by the same CA. This means that with multiple CAs you will also have to use multiple CRLs. Fortunately, CRLs can be stacked just like CA certificates: concatenate the files together using the cat command, as will be explained in the next recipe.
