hello.pbaumgarten.com

Hosting your own SSL Certificate Authority

selfhosting

#1

Including certificate revocation and intermediate certificate authorities.

You should run these on a Linux system. In my configuration, I store these under /CAs/scripts and if you want fewer errors, you might want to do the same. You do obviously need openssl (sudo apt install openssl on Debian/Ubuntu/etc).

Very important:

  • Remember this generates private keys so you might want to not have the CAs directory available on a public password-less FTP server.
  • You probably should keep a backup of at least your root key and certificate on offline media (dedicated microsd hidden somewhere in your house / safe is a good option)
  • You need to install the root certificate on any computers (both servers and clients) which will see your CA.
  • Run this on a dedicated machine / VM in a preferably air-gapped environment. It’s probably difficult but at least run this on a virtualbox VM or something and disable the machine’s network access and things like forwarded USB devices.
  • You can use the examples at the top of most of these shell files but you probably should change some of these values to your own:
    • change Celati Root CA 1 to something more appropriate for you.
    • change the distinguished name details from CH, Fribourg, Attalens, Celati, Celati Security, admin@celati.com to something good for you.
    • my CRLs distribution point is crl.celati.com. I think it should be pretty obvious you should use your own. If you want to store your CRLs on my server, just contact me but that should really be case-by-case. Change at:
      • line 150 in gen_ca.sh
      • lines 163+174+186 in gen_intermediate_ca.sh
      • lines 116+129 in gen_client_cert.sh
      • lines 141+153 in gen_server_cert.sh
      • line 10 in check_end_cert_valid.sh
      • line 9 in check_intca_valid.sh
    • I do have an OCSP responder path in the certificates despite not yet having time to set one up (it’s surprisingly annoying) but again, change it to something good for you:
      • line 147 in gen_ca.sh
      • lines 175+187 in gen_intermediate_ca.sh
      • lines 117+130 in gen_client_cert.sh
      • lines 142+154 in gen_server_cert.sh

The point of making most of these scripts is automation and to not have to manage a bunch of commands. The scripts also conveniently spit out pfx files for RDP (instructions included when generating server certs) and full chains in both orders because I’ve found some software needs it in reversed order.
If you need any other things added, I’d be happy to edit these scripts because I’m currently using these in production (mostly made this stuff for running TLS interception on a PFsense box). I know OpenSSL can be pretty daunting so that’s also part of why I made this stuff.

Download

Also, if you feel like going manual, this is a very good guide to OpenSSL: Jamie Linux Openssl
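The two-tier layout the post's scripts automate (offline root, issuing intermediate, CRL, chain file, revocation), as an added example in plain openssl commands that is not part of the original post or its scripts. The "Demo" CA names, file names and the example.test hosts are assumptions; it expects the openssl binary and its default openssl.cnf to be installed.

```shell
# Added example, not the post's scripts: a two-tier CA (offline root, online intermediate) that
# issues a server cert, publishes a CRL, then revokes the cert. Names/paths are demo assumptions.
set -e
# openssl ca(1) bound to the intermediate in working dir $1; remaining args are ca options.
ca_cmd() { w=$1; shift; openssl ca -config "$w/pki.cnf" -cert "$w/ica.crt" -keyfile "$w/ica.key" "$@" 2>/dev/null; }
build_demo_pki() {   # $1 = empty working directory
  d=$1; c="$d/pki.cnf"; mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"
  cat > "$c" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = ica
[ ica ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
default_md = sha256
policy = pol
[ pol ]
commonName = supplied
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_ica ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = critical, CA:FALSE
subjectAltName = DNS:www.example.test
crlDistributionPoints = URI:http://crl.example.test/ica.crl
EOF
  # Root: self-signed. In the post's model this key goes to offline media once the intermediate is signed.
  openssl req -new -config "$c" -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 -extfile "$c" -extensions v3_root -out "$d/root.crt" 2>/dev/null
  # Intermediate: signed by the root with pathlen:0, so it cannot mint further CAs.
  openssl req -new -config "$c" -newkey rsa:2048 -nodes -keyout "$d/ica.key" -out "$d/ica.csr" -subj "/CN=Demo Issuing CA" 2>/dev/null
  openssl x509 -req -in "$d/ica.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial -days 1825 -sha256 -extfile "$c" -extensions v3_ica -out "$d/ica.crt" 2>/dev/null
  # Server cert issued through openssl ca, so it is recorded in index.txt and can be revoked later.
  openssl req -new -config "$c" -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=www.example.test" 2>/dev/null
  ca_cmd "$d" -batch -notext -days 365 -extensions v3_server -in "$d/server.csr" -out "$d/server.crt"
  ca_cmd "$d" -gencrl -crldays 7 -out "$d/ica.crl"   # initial CRL with no entries
  cat "$d/server.crt" "$d/ica.crt" "$d/root.crt" > "$d/fullchain.pem"   # leaf first; reverse it for software that wants root first
}
verify_leaf() {   # 0 only if server.crt chains to the root and is absent from the intermediate's CRL
  openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/ica.crl" -untrusted "$1/ica.crt" "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}
revoke_leaf() {   # mark server.crt revoked in the CA database and reissue the CRL
  ca_cmd "$1" -revoke "$1/server.crt" && ca_cmd "$1" -gencrl -crldays 7 -out "$1/ica.crl"
}
```

Source the file, then `d=$(mktemp -d); build_demo_pki "$d"; verify_leaf "$d" && echo valid; revoke_leaf "$d"; verify_leaf "$d" || echo revoked` walks through issue, check, revoke and re-check; a client that only trusts root.crt and fetches the CRL sees the same two outcomes.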


#2

Appreciate the post @pcelati, but to be honest I expect this to be a very niche area. It’s probably also something I would caution students from experimenting with too much if they don’t know what they are doing. If you want to write some encryption/SSL related posts, may I suggest the following would be some helpful topics:

  • what SSL is/does, why it is important/valuable
  • how to include SSL in a programming project (eg adding SSL to socket based comms)
  • how to use ssh, including how to set up opensshd for certificate-based remote access instead of logging in with passwords
  • how to use letsencrypt to easily make certificates that are globally recognised & accepted