BUILDING A ROOT CA AND AN INTERMEDIATE CA USING OPENSSL on UBUNTU

Setting Up a Certificate Authority on Ubuntu

This guide is an update to the previous “BUILDING A ROOT CA AND AN INTERMEDIATE CA USING OPENSSL AND DEBIAN STRETCH”. In this guide, we’ll walk you through setting up a Certificate Authority (CA) on Ubuntu. This will include creating a Root CA, an Intermediate CA, and generating certificates for your server. Please be aware that this setup is intended for educational purposes and not suitable for production environments.

Prerequisites

Before we begin, ensure you have a fresh Ubuntu installation. There’s no need for a graphical user interface; command-line access is sufficient. Additionally, you may want to install OpenSSH for remote administration and NTP for accurate timekeeping:

$ sudo apt update
$ sudo apt upgrade
$ sudo apt install openssh-server
$ sudo dpkg-reconfigure tzdata # Set your timezone
$ sudo apt install ntp # Optional for time synchronization

Getting the Configuration Files

Download the following configuration files and remove the “.txt” extension after downloading. The guide uses three of them: openssl_root.cnf for the Root CA, openssl_intermediate.cnf for the Intermediate CA, and openssl_csr_san.cnf for server CSRs with Subject Alternative Names.

Setting Up the Root CA

Root CA Directory Structure:

Create the necessary directories for the Root CA:

$ sudo mkdir /root/ca 
$ sudo mkdir /root/ca/newcerts /root/ca/certs /root/ca/crl /root/ca/private /root/ca/requests

Initializing Files:

Initialize essential files:

$ sudo touch /root/ca/index.txt /root/ca/index.txt.attr
$ echo '1000' | sudo tee /root/ca/serial # "sudo echo '1000' > file" would fail: the redirection runs as your own user, not as root

Edit Configuration: Copy openssl_root.cnf to /root/ca and customize it according to your requirements.

Generate the Root Key:

Create the Root private key (remember to replace “DOMAINNAME” with your desired domain). The -aes256 option encrypts the key with a passphrase, which you will be prompted for here and again whenever the Root CA signs something:

$ sudo openssl genpkey -algorithm RSA -aes256 -pkeyopt rsa_keygen_bits:4096 -out /root/ca/private/ca.DOMAINNAME.key.pem

Sign the Root Certificate:

Sign the Root Certificate with the Root private key:

$ sudo openssl req -config /root/ca/openssl_root.cnf -key /root/ca/private/ca.DOMAINNAME.key.pem -new -x509 -sha512 -extensions v3_ca -out /root/ca/certs/ca.DOMAINNAME.crt.pem -days 3650 -set_serial 0

Creating an Intermediate CA

Intermediate CA Structure:

Set up directories for the Intermediate CA:

$ sudo mkdir /root/ca/intermediate
$ sudo mkdir /root/ca/intermediate/newcerts /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/private

Initializing Files (Again):

Initialize index and serial files:

$ sudo touch /root/ca/intermediate/index.txt /root/ca/intermediate/index.txt.attr
$ echo '1000' | sudo tee /root/ca/intermediate/crlnumber
$ echo '1234' | sudo tee /root/ca/intermediate/serial

Edit Intermediate Configuration:

Copy openssl_intermediate.cnf to /root/ca/intermediate and tailor it to your needs.

Generate Intermediate Key and CSR:

Create the private key and CSR for the Intermediate CA (note that -nodes writes this key unencrypted to disk, unlike the passphrase-protected Root key):

$ sudo openssl req -config /root/ca/intermediate/openssl_intermediate.cnf -keyout /root/ca/intermediate/private/int.DOMAINNAME.key.pem -newkey rsa:4096 -nodes -out /root/ca/intermediate/csr/int.DOMAINNAME.csr

Sign the Intermediate Certificate:

Sign the Intermediate CA certificate with the Root CA:

$ sudo openssl ca -config /root/ca/openssl_root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha512 -in /root/ca/intermediate/csr/int.DOMAINNAME.csr -out /root/ca/intermediate/certs/int.DOMAINNAME.crt.pem

Generating Server Certificates

Copy Configuration for Server Certificates:

Copy openssl_csr_san.cnf into /root/ca/intermediate. Customize the [alt_names] section to match your server’s DNS entries.

Generate Key and CSR for the Server:

Generate the key and CSR for your server, replacing “www.example.com” with your server’s FQDN:

$ sudo openssl req -out /root/ca/intermediate/csr/www.example.com.csr.pem -newkey rsa:2048 -nodes -keyout /root/ca/intermediate/private/www.example.com.key.pem -config /root/ca/intermediate/openssl_csr_san.cnf

Create the Server Certificate:

Sign the server certificate (replace “www.example.com” with your server’s FQDN):

$ sudo openssl ca -config /root/ca/intermediate/openssl_intermediate.cnf -extensions server_cert -days 3750 -notext -md sha512 -in /root/ca/intermediate/csr/www.example.com.csr.pem -out /root/ca/intermediate/certs/www.example.com.crt.pem

Creating a Combined Certificate for Apache

Combined Certificate for Apache:

To prepare a combined certificate suitable for Apache, execute the following commands (again, replace “www.example.com” with your server’s FQDN). The -export step prompts for an export password, and the resulting .combined.crt contains the unencrypted private key together with the certificate, so it must be protected like the key itself:

$ sudo openssl pkcs12 -inkey /root/ca/intermediate/private/www.example.com.key.pem -in /root/ca/intermediate/certs/www.example.com.crt.pem -export -out /root/ca/intermediate/certs/www.example.com.combined.pfx
$ sudo openssl pkcs12 -in /root/ca/intermediate/certs/www.example.com.combined.pfx -nodes -out /root/ca/intermediate/certs/www.example.com.combined.crt
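As an added, self-contained check (not part of the original guide), the script below builds a throwaway chain of the same shape, Root CA to Intermediate CA to server certificate, in a temporary directory and then verifies it the way a TLS client would. Because the guide’s openssl_*.cnf files are not reproduced here, the extensions are supplied with -extfile instead; the key sizes, lifetimes, the domain example.test and the host www.example.test are constructed placeholders, and the keys are left unencrypted so the script runs unattended.

```shell
#!/bin/sh
# Added example, not part of the original guide: build a throwaway chain
# (root CA -> intermediate CA -> server certificate) in a temporary directory
# and verify it. Extensions come from -extfile instead of the guide's
# openssl_*.cnf files; keys are 2048-bit and unencrypted so the script runs
# unattended. Names, key sizes and lifetimes are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN="example.test"        # stands in for the guide's DOMAINNAME
SERVER="www.example.test"    # stands in for the guide's www.example.com

# Root CA: a CSR self-signed with its own key. basicConstraints and keyUsage
# are taken from an extension file, which behaves the same on OpenSSL 1.1.1 and 3.x.
openssl req -new -newkey rsa:2048 -nodes -sha512 -subj "/CN=Root CA $DOMAIN" \
  -keyout "$WORK/root.key.pem" -out "$WORK/root.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl x509 -req -sha512 -days 3650 -in "$WORK/root.csr" \
  -signkey "$WORK/root.key.pem" -extfile "$WORK/ca.ext" \
  -out "$WORK/root.crt.pem" 2>/dev/null

# Intermediate CA: signed by the root with pathlen:0, so it may issue
# end-entity certificates but no further CAs.
openssl req -new -newkey rsa:2048 -nodes -sha512 -subj "/CN=Intermediate CA $DOMAIN" \
  -keyout "$WORK/int.key.pem" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -sha512 -days 1825 -in "$WORK/int.csr" \
  -CA "$WORK/root.crt.pem" -CAkey "$WORK/root.key.pem" -CAcreateserial \
  -extfile "$WORK/int.ext" -out "$WORK/int.crt.pem" 2>/dev/null

# Server certificate: CA:FALSE, serverAuth, and the hostname in subjectAltName.
# `openssl x509 -req` takes extensions only from -extfile, so the SAN is set here.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SERVER" \
  -keyout "$WORK/server.key.pem" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$SERVER" \
  > "$WORK/server.ext"
openssl x509 -req -sha256 -days 398 -in "$WORK/server.csr" \
  -CA "$WORK/int.crt.pem" -CAkey "$WORK/int.key.pem" -CAcreateserial \
  -extfile "$WORK/server.ext" -out "$WORK/server.crt.pem" 2>/dev/null

# Combined file as used for Apache: private key, server certificate, then the
# intermediate, so the web server can hand clients the full chain.
cat "$WORK/server.key.pem" "$WORK/server.crt.pem" "$WORK/int.crt.pem" \
  > "$WORK/server.combined.pem"

# Succeeds only if the leaf chains to the trusted root through the intermediate.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt.pem" -untrusted "$WORK/int.crt.pem" \
    "$WORK/server.crt.pem" >/dev/null 2>&1
}

# The usual deployment mistake: a client that is handed only the leaf and
# trusts only the root cannot build the chain, so this must fail.
verify_leaf_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt.pem" "$WORK/server.crt.pem" >/dev/null 2>&1
}

# Succeeds only if the chain is valid and the leaf's SAN covers the hostname.
cert_covers_host() {
  openssl verify -CAfile "$WORK/root.crt.pem" -untrusted "$WORK/int.crt.pem" \
    -verify_hostname "$1" "$WORK/server.crt.pem" >/dev/null 2>&1
}

# Succeeds only if the private key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)" ]
}

# Succeeds only if basicConstraints marks the certificate as a CA.
is_ca_cert() {
  openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

if verify_chain && key_matches_cert "$WORK/server.key.pem" "$WORK/server.crt.pem" \
   && cert_covers_host "$SERVER"; then
  echo "chain OK for $SERVER"
else
  echo "chain check FAILED for $SERVER"
fi
```

The same four checks apply unchanged to the files the guide produces: point -CAfile at ca.DOMAINNAME.crt.pem, -untrusted at int.DOMAINNAME.crt.pem, and pass the server certificate and key from /root/ca/intermediate. A server that passes verify_chain but fails cert_covers_host has a [alt_names] section in openssl_csr_san.cnf that does not match the FQDN clients connect to.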

There you have it! You’ve successfully set up a Root CA, an Intermediate CA, and created server certificates, including a combined certificate ready for use with Apache on your Ubuntu system. Remember to replace “www.example.com” and “DOMAINNAME” with your specific values as needed throughout the process.