{"id":15515,"date":"2023-02-26T22:46:23","date_gmt":"2023-02-26T19:46:23","guid":{"rendered":"https:\/\/kifarunix.com\/?p=15515"},"modified":"2024-03-10T08:16:09","modified_gmt":"2024-03-10T05:16:09","slug":"how-to-setup-a-local-ca-server-on-ubuntu","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-setup-a-local-ca-server-on-ubuntu\/","title":{"rendered":"How to Setup a Local CA Server on Ubuntu"},"content":{"rendered":"\n
How do I set up a local certificate authority server on Linux? Well, in this tutorial you will learn how to setup a Local CA Server on Ubuntu. You might want to setup a Local CA server for various reasons including to issue private certificates for your users and applications. This will also see you cut costs on the purchases of public certs required for your local usage, as well as giving you control over the digital certificates you issue for local use.<\/p>\n\n\n\n
Setting up a Local CA Server on Ubuntu<\/h2>\n\n\n\n
In order to setup a local CA (Certificate Authority) server on Linux:<\/p>\n\n\n\n
Install OpenSSL on Ubuntu<\/h3>\n\n\n\n
OpenSSL part of the OpenSSL project’s implementation of the SSL and TLS cryptographic protocols for secure communication over the Internet. It contains the general-purpose command line binary \/usr\/bin\/openssl<\/code><\/strong>, useful for cryptographic operations such as:<\/p>\n\n\n\n
\n
creating RSA, DH, and DSA key parameters;<\/li>\n\n\n\n
creating X.509 certificates, CSRs, and CRLs;<\/li>\n\n\n\n
calculating message digests;<\/li>\n\n\n\n
encrypting and decrypting with ciphers;<\/li>\n\n\n\n
testing SSL\/TLS clients and servers;<\/li>\n\n\n\n
handling S\/MIME signed or encrypted mail.<\/li>\n<\/ul>\n\n\n\n
The OpenSSL command line binary is usually installed on Linux systems by default. You can check if the binary is available by running the command;<\/p>\n\n\n\n
which openssl<\/code><\/pre>\n\n\n\n
It should list the path to binary if the package is installed;<\/p>\n\n\n\n
\/usr\/bin\/openssl<\/code><\/pre>\n\n\n\n
If for some unknown reasons the binary is not available, then you can install it by running the command below;<\/p>\n\n\n\n
sudo apt update<\/code><\/pre>\n\n\n\n
sudo apt install openssl<\/code><\/pre>\n\n\n\n
Create Directories and Configuration files for your CA<\/h3>\n\n\n\n
OpenSSL uses openssl.cnf<\/code> configuration file to define and specify various settings and options when generating digital certificates, private keys, and other cryptographic objects.<\/p>\n\n\n\n
First of all, create a root CA directory to store your CA issued certificates, CA’s private key, certificate requests…<\/p>\n\n\n\n
Open your custom openssl.cnf file and edit the [ CA_default ]<\/strong><\/code>, [ req ]<\/code><\/strong>, [ req_distinguished_name ]<\/code><\/strong> and [ usr_cert ]<\/code><\/strong> sections. See our customized sections below;<\/p>\n\n\n\n
vim \/etc\/ssl\/kifarunixCA\/openssl.cnf<\/code><\/pre>\n\n\n\n
[ ca ]\ndefault_ca = CA_default\n\n[ CA_default ]<\/strong>\n\ndir = \/etc\/ssl\/kifarunixCA<\/strong>\ncerts = $dir\/certs\ncrl_dir = $dir\/crl \ndatabase = $dir\/index.txt\n \nnew_certs_dir = $dir\/newcerts\n\ncertificate = $dir\/cacert.pem\nserial = $dir\/serial\ncrlnumber = $dir\/crlnumber \n \ncrl = $dir\/crl.pem\nprivate_key = $dir\/private\/cakey.pem \n\nx509_extensions = usr_cert \n\nname_opt = ca_default\ncert_opt = ca_default \n\n\n \ndefault_days = 3650 <\/strong> \ndefault_crl_days= 30 \ndefault_md = default\npreserve = no \n\npolicy = policy_match\n\n...\n[ req ]<\/strong>\ndefault_bits = 4096<\/strong>\n\n...\n[ req_distinguished_name ]<\/strong>\ncountryName = Country Name (2 letter code)\ncountryName_default = US\ncountryName_min = 2\ncountryName_max = 2\n\nstateOrProvinceName = State or Province Name (full name)\nstateOrProvinceName_default = California\n\nlocalityName = Locality Name (eg, city)\nlocalityName_default = San Francisco\n\n0.organizationName = Organization Name (eg, company)\n0.organizationName_default = Kifarunix, Inc.\n\norganizationalUnitName = Organizational Unit Name (eg, section)\norganizationalUnitName_default = IT Department\n\ncommonName = Common Name (e.g. server FQDN or YOUR name)\ncommonName_max = 64\n\nemailAddress = Email Address\nemailAddress_max = 64\n...\n[ usr_cert ]\nbasicConstraints=CA:FALSE\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\nsubjectAltName = @alt_names\n[alt_names] \nDNS.1 = *.kifarunix.com<\/strong>\n<\/code><\/pre>\n\n\n\n
We also customized the req_distinguished_name<\/strong><\/code> section to update the default information about our CA entity. You can leave it so you can supply the information manually or via the -subj<\/code> openssl command line option e.g;<\/p>\n\n\n\n
![\"How](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/02\/firefox-import-ca-into-browser-trust-store.png\" "\\"\\"")
<\/figure><\/a><\/div>\n\n\n\n![\"\"](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/02\/import-ca-cert-on-chrome.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"How](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/02\/trusted-local-CA-Oracle-Linux-Firefox.png\" "\\"\\"")
<\/figure><\/a><\/div>\n\n\n\n![\"How](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/02\/import-ca-certificate-windows.png\" "\\"\\"")
<\/figure><\/a><\/div>\n\n\n\n![\"How](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/02\/trusted-authorities-certs.png\" "\\"\\"")
<\/figure><\/a><\/div>\n\n\n\n![\"How](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/02\/trusted-cert-windows.png\" "\\"\\"")
<\/figure><\/a><\/div>\n\n\n\n