Certificate Authority: Difference between revisions

From ConShell
Jump to navigation Jump to search
No edit summary
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
So you want to run a '''Certificate Authority'''?
==Introduction==


So you want to run a '''Certificate Authority''' to manage your '''P'''ublic '''K'''ey '''I'''nfrastructure (PKI)?
Mostly that just means a way to generate and sign certificate signing requests (CSR).
Here are some tips that may help get you going.
Here are some tips that may help get you going.


== Choices ==
First, you'll need to choose what software package you will use to manage all this.
First, you'll need to choose what software package you will use to manage all this.
Here are a few that come to mind...
Here are a few choices...
* [[Xca]]
* [[Xca]]
* [[OpenSSL Usage tips|OpenSSL]]
* [[OpenSSL Usage tips|OpenSSL]]
* [[Easy-rsa]]
* [[Easy-rsa]]
* tinyca
* [http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html certutil]
* openca
* [http://tinyca.sm-zone.net/ tinyca]
* Microsoft certificate services
* [http://www.openca.org/ OpenCA]
* [http://www.newpki.org/ NewPKI]
* [http://www.ejbca.org EJBCA]
* [http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx Microsoft PKI certificate services]
* SUSE has [http://www.linuxtopia.org/online_books/suse_linux_guides/SLES10/suse_enterprise_linux_server_installation_admin/sec_yast_ca_module.html CA management] built into their Yast2 utility
* SUSE has [http://www.linuxtopia.org/online_books/suse_linux_guides/SLES10/suse_enterprise_linux_server_installation_admin/sec_yast_ca_module.html CA management] built into their Yast2 utility
* [[Red Hat]] also has something whose name I don't recall, probably RHCS
* [[Red Hat]] also has something whose name I don't recall, probably RHCS
Line 16: Line 23:
As for myself, I choose [[Xca]] almost always because it is easy to work with and supports a wide-range of functionality. It does have drawbacks, namely that it does not provide self-service fulfillment like some of the heftier certificate authorities. There is no support for LDAP and a fancy web interface.
As for myself, I choose [[Xca]] almost always because it is easy to work with and supports a wide-range of functionality. It does have drawbacks, namely that it does not provide self-service fulfillment like some of the heftier certificate authorities. There is no support for LDAP and a fancy web interface.


Tips on creating the CA, some learned the hard way.
== Create the CA ==
Here are some tips on creating the CA, some [http://sourceforge.net/tracker/index.php?func=detail&aid=1751397&group_id=62274&atid=500025 learned the hard way].


1. Choose SHA1 digest algorithm. MD5 is deprecated and SHA256 is not widely supported.
1. Choose SHA1 digest algorithm. MD5 is deprecated and SHA256 is not widely supported.
Line 40: Line 48:
7. Setup a shared "escrow" folder where users can drop their certificate requests (CSR) and you (the signer) can put the signed certificates for pickup.
7. Setup a shared "escrow" folder where users can drop their certificate requests (CSR) and you (the signer) can put the signed certificates for pickup.


==Steps to create a certificate authority in Xca==
8. Decide in advance whether you plan to support '''revocation lists'''. These can take the form of a Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP). Not all applications support these things, so don't sweat this much... but if you do choose it, you'll want to indicate the URL of either the CRL or OSCP in your CA certificate I believe (or it may be in the signed certificates instead).


===Steps to create a certificate authority in Xca===
Here are the steps I use to create a CA in Xca.
# Start Xca
# Start Xca
# create a new database
# create a new database
Line 64: Line 74:
# save xyzca1.crt on your filesystem. This can be put on the company website for distribution.
# save xyzca1.crt on your filesystem. This can be put on the company website for distribution.


== Related ==
* [http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
* [http://www.cacert.org/ CAcert] offers free certs, so if you don't want to run your own CA give them a try.


--[[User:Fostermarkd|fostermarkd]] 10:59, 5 September 2008 (PDT)
--[[User:Fostermarkd|fostermarkd]] 10:59, 5 September 2008 (PDT)

Latest revision as of 03:17, 8 January 2009

Introduction

So you want to run a Certificate Authority to manage your Public Key Infrastructure (PKI)?

Mostly that just means a way to generate and sign certificate signing requests (CSR). Here are some tips that may help get you going.

Choices

First, you'll need to choose what software package you will use to manage all this. Here are a few choices...

As for myself, I choose Xca almost always because it is easy to work with and supports a wide-range of functionality. It does have drawbacks, namely that it does not provide self-service fulfillment like some of the heftier certificate authorities. There is no support for LDAP and a fancy web interface.

Create the CA

Here are some tips on creating the CA, some learned the hard way.

1. Choose SHA1 digest algorithm. MD5 is deprecated and SHA256 is not widely supported.

2. Specify good descriptions for Organization Name, Organizational Unit Name and Common Name. Example...

  • organzationName: Company Name, LLC.
  • organizationalUnitName: Company Name Certificate Services
  • commonName: Company Name Certificate Authority #N

Here is how it will look when branded into the certificate.

issuer=/O=CompanyName, LLC./OU=CompanyName Certificate Services/CN=CompanyName Certificate Authority #3

which leads me to...

3. Assign numbers to your CA certificates, starting with 1. This can be the same as the serial # if you want, it doesn't matter. Put the # in your commonName so it will "pop" when seen in customers/clients certificate store. It will also help simplify things when troubleshooting who a given Issuer was.

4. Choose a strong key for the CA - 2048 bits at least

5. Choose a nice, long validity term, 10 years at least, or 15 or 20.

6. If you are brave, choose to implement an intermediate CA scheme. This let's you delegate signing authority to other groups or divisions in your enterprise, all leading back to a single central trusted CA. However this invites operational complexity as the use of chaining is required by the users of certificates issued by the intermediary CA.

7. Setup a shared "escrow" folder where users can drop their certificate requests (CSR) and you (the signer) can put the signed certificates for pickup.

8. Decide in advance whether you plan to support revocation lists. These can take the form of a Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP). Not all applications support these things, so don't sweat this much... but if you do choose it, you'll want to indicate the URL of either the CRL or OSCP in your CA certificate I believe (or it may be in the signed certificates instead).

Steps to create a certificate authority in Xca

Here are the steps I use to create a CA in Xca.

  1. Start Xca
  2. create a new database
  3. click on "Certificates" tab
  4. click on "New Certificate" button
  5. Create a self signed certificate with the serial 1 (or whatever # this ca is)
  6. choose SHA1 as signature algorithm
  7. choose [default] CA template and click "Apply" button
  8. click on "Subject" tab
  9. specify Internal name: xyzca1
  10. specify Organisation: Company Name
  11. specify Organ. unit: Company Name Certificate Services
  12. specify Common name: Company Name Certificate Authority #1
  13. click "Generate a new key" button
  14. specify Name: xyzca1
  15. specify Keysize: 2048 bit
  16. click "Create" button
  17. the new key will be automatically chosen as the Private key
  18. click "OK" button and the certificate is created
  19. click on Certificates tab
  20. right-click on the new CA certificate labeled xyzca1, choose Export
  21. save xyzca1.crt on your filesystem. This can be put on the company website for distribution.

Related

--fostermarkd 10:59, 5 September 2008 (PDT)