JP Vossen on 12 Jun 2019 12:18:56 -0700



Re: [PLUG] Let's talk about certificate authorities


On 6/12/19 11:57 AM, Michael Leone wrote:
> Even though we are pretty much a fully Windows shop here, I use an old Linux VM as a certificate authority (and to do a couple other things). And by "old", I mean:
>
> vadmin@admnftp002:~$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 9.10
> Release:        9.10
> Codename:       karmic
>
> So here's the problem. That CA is so old, it's still a SHA1 root certificate. So what I need is a newer, shinier CA that uses at least a SHA256 cert. Now, we're talking about less than a dozen certs. And so what I'm thinking is just create a brand new CA (with a slightly different name), and issue new requests from the current clients. Then the new CA can issue them new certs, and the current clients can use the new, SHA256 certs.
>
> Sound reasonable? And what's the easiest way to accomplish this, rather than the full-on, enterprise-grade PKI infrastructure tied to AD that Microsoft recommends (and I don't really need)?
>
> So: any recommendations? Just get the latest Ubuntu LTS ISO, make a VM, and become a new CA? Use some specific GUI CA software? (Trust me, the other guys here seem to think command lines are archaic and obsolete, so I want a GUI, if possible.) I see recommendations for DogTag (https://www.dogtagpki.org/wiki/PKI_Main_Page); any others?
>
> These certs are solely for internal systems (SolarWinds monitoring, our Cisco UCP phone system, etc). And all I really need is an easy interface to handle requests and issue new certs, of proper strength.

I agree with Keith, but... what about Let's Encrypt? Possibly more trouble than it's worth, but worth at least some research and thought.

Here is some of my cheat sheet for the next time I have to do that same thing. I'm not aware of any GUI stuff, but that's also not what I look for. I'd be interested to hear your thoughts and results. Preso?

First, the best docs I've found on the general topic are: https://jamielinux.com/docs/openssl-certificate-authority/

Also long but good: https://www.feistyduck.com/library/openssl%2dcookbook/online/.

Things to explore:

* https://github.com/jsha/minica (Go Lang)
** minica is a small, simple CA intended for use in situations where the CA operator also operates each host where a certificate will be used.

* Yet another "TLS CA in a can"
** By Filippo Valsorda: Cryptogopher on the Go team at Google.
** http://www.theregister.co.uk/2019/01/09/certs_resh_security/
** https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/
** https://github.com/FiloSottile/mkcert (Go Lang)
*** A simple zero-config tool to make locally trusted development certificates with any names you'd like.

* https://github.com/OpenVPN/easy-rsa

* https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki
** Semi-related: https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment

Good luck,
JP
--  -------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
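An added example, not part of JP's cheat sheet or anyone's post in the thread: the migration Michael describes, done with plain openssl. It stands up a fresh SHA-256 root under a new name, takes a CSR from one internal host, signs it with the new CA, and then checks that the leaf chains to the new root and that neither certificate carries a SHA-1 signature. Every name, path and key size here is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): new, differently named SHA-256 root CA,
# then re-issue one internal host cert from its CSR. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/O=Example Internal/CN=Example Internal Root CA 2019"
DAYS_CA=3650   # 10-year root
DAYS_LEAF=730  # 2-year host certs

# Step 1 (CA host): new RSA key and self-signed root, SHA-256 explicitly.
make_root_ca() {
    openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -days "$DAYS_CA" -subj "$CA_SUBJ" >/dev/null 2>&1
}

# Step 2 (each client): key plus CSR to submit to the new CA.
make_csr() {   # $1 = host name
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# Step 3 (CA host): sign the CSR with SHA-256; add a SAN and CA:FALSE so
# current TLS clients accept the leaf and it can never act as a CA itself.
sign_csr() {   # $1 = host name
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > "$WORK/$1.ext"
    openssl x509 -req -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" -days "$DAYS_LEAF" -extfile "$WORK/$1.ext" >/dev/null 2>&1
}

# Step 4: checks. Signature algorithm of a PEM cert (the TBS field, e.g.
# "sha256WithRSAEncryption"); this is what shows the SHA-1 problem is gone.
sig_alg() {   # $1 = cert path
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit 0 only if the host cert chains to the new root.
verify_chain() {   # $1 = host name
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

run_demo() {
    make_root_ca; make_csr monitor01.example.internal; sign_csr monitor01.example.internal
    echo "root: $(sig_alg "$WORK/ca.crt")"
    echo "leaf: $(sig_alg "$WORK/monitor01.example.internal.crt")"
    verify_chain monitor01.example.internal && echo "chain OK, files in $WORK"
}
case "${1:-}" in demo) run_demo ;; esac
```

Run it as `sh newca.sh demo`; the old SHA-1 root is untouched, so the old CA can keep issuing until every client has re-enrolled.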