Create Your Own Certificate Authority (CA) To Secure https For All YubiKey Servers

Most of what you will read here was derived from the following blog post and uses the openssl command for generating keys, signing requests and certificates.
http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

For the implementation of our YubiKey validation servers and key storage modules I followed the following outline.

  1. Create a root Certificate Authority
    • Spontaneously generate a key (.key file) for the root Certificate Authority. A standard key length is 2048 bits and that is what we will use for our CA.
      #> openssl genrsa -out yubikey-val-CA2A.key 2048
    • Generate the root CA certificate (.crt file) using the previously generated key. This root certificate will be "self signed".
      #> openssl req -x509 -new -nodes -key yubikey-val-CA2A.key -days 2000 -out yubikey-val-CA2A.crt
    • Congratulations, you have created your very own root Certificate Authority!
      It is very important to keep this CA's .key file and its contents secure. It will only be needed now for generating the intermediate Certificate Authority which is the next stage.
      Indeed, all .key files should be kept secure at all times.
  2. Create an intermediate Certificate Authority
    • As with the root CA, spontaneously generate a key for the intermediate Certificate Authority. And again use the standard key length of 2048 bits for this CA.
      #> openssl genrsa -out yubikey-val-CA2B.key 2048
    • This time though, use the intermediate CA key to create a certificate signing request (.csr file).
      There will be a number of queries prompted by the signing request, answer them as appropriately as possible. Some options may be even left blank if desired.
      #> openssl req -new -key yubikey-val-CA2B.key -out yubikey-val-CA2B.csr
    • Use the signing request with the root CA certificate and key to create a signed intermediate certificate for the intermediate CA.
      #> openssl x509 -req -in yubikey-val-CA2B.csr -CA yubikey-val-CA2A.crt -CAkey yubikey-val-CA2A.key -CAcreateserial -out yubikey-val-CA2B.crt -days 2000
    • The yubikey-val-CA2B.crt will be exported to and installed on all YubiKey servers and all clients of our YubiKey validation servers.
  3. Generate Certificates and Keys for each YubiKey server from the intermediate Certificate Authority
    • For each YubiKey server which must accept an https connection, spontaneously generate a key for the device. Again, this key will be 2048 bit.
      #> openssl genrsa -out yubikey-val-1.key 2048
    • Use the new device key to create a certificate signing request.
      NOTE: This time, the value for Common Name in a device signing request must be the FQDN of the device for the specific certificate - yubikey-val-1.cscf.uwaterloo.ca in this case.
      #> openssl req -new -key yubikey-val-1.key -out yubikey-val-1.csr
    • Use the device signing request with the intermediate certificate and key to create a signed device certificate.
      #> openssl x509 -req -in yubikey-val-1.csr -CA yubikey-val-CA2B.crt -CAkey yubikey-val-CA2B.key -CAcreateserial -out yubikey-val-1.crt -days 2000
    • The resulting device .key and .crt files will be used to implement https support on the corresponding YubiKey servers.

Repeat step 3 for each YubiKey server which requires https support. In our case this will be all validation servers and key storage modules.

Notes (AdrianPepper) (TWiki does not have Talk Pages).

This completely ignores what other links will say about "creating a CA directory". Instructions appear to work, but might be sufficient only for a one-shot setup only, with everything (including CA certificate) needing to be regenerated after the suggested 2000 days. By work I mean (at least) I generated something Firefox was willing to import as a CA cert. I recall previous times I tried that, Firefox objected to some details of the certificate. Could simply be because of newer versions of openssl.

Instructions also gloss over (even fail to mention) the need to reply to questions/prompts; that can be avoided by using the openssl "-subj" option.

-- ClaytonTucker - 2015-09-02

Topic revision: r3 - 2016-04-20 - AdrianPepper
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback