OpenSSL Certification Authority (CA) on Ubuntu Server

This topic is to discuss the following lesson on NetworkLessons.com:

Hi,
How do I create a user certificate instead of a server certificate, so that I can use it for AnyConnect VPN?
Thanks

Hi Sims,

Off the top of my head, the process is the same. You can, however, set a passphrase for the client key if you want.

Rene

Hello Rene,

I understood that any created certificate will be signed by the private key of the root certificate. When we use an intermediate CA and the root CA is offline, how will the intermediate CA access the private key of the root CA for signing a newly generated certificate? In this case, will the intermediate CA use its own root certificate that has been signed by the root CA certificate? But how will this occur?

Second question: should the client have both the CA root certificate and the server certificate locally installed to trust the certificate presented by a web server, for example? Or should it only have the server certificate installed, and when this server certificate is presented, it can ask the CA server whether this certificate is trusted or not?

Thanks in advance.

Hello Mohammad

In the lesson here, the root CA is used to sign certificates. However, in a production network this is not best practice. In order to maintain a hierarchy, and more easily manage certificates, intermediate CAs are used. How do they work?

Well, the root CAs issue intermediate CAs, which can be used to sign certificates. This adds layers of security and helps to minimize problems in the event of an incorrect issuing of a certificate. In such a case, rather than revoking the root certificate, and every certificate issued, you only need to revoke the certificates issued by the intermediate CA.

The root CA signs the intermediate root with its private key, which makes it trusted. Then the CA uses the intermediate certificate’s private key to sign and issue certificates. That’s OK because the root CA has trusted the intermediate CA to do this. You may have several intermediate root CAs that create a certificate chain that leads back to the root CA. It may look like this:

Root CA → Intermediate CA 1 → Intermediate CA 2 → Intermediate CA 3 → Certificate

Since trust is established at each step, the certificate is considered valid and can be traced back to the root.

Both scenarios would work; however, the second may be somewhat more secure. If it contacts the CA server to check whether this certificate is trusted, it will ensure that it is still currently valid.

I hope this has been helpful!

Laz

Hi,
Can you please give me a thorough step-by-step explanation of how to connect my Windows 10 to the certificate I created on my Ubuntu Linux server (the Ubuntu Linux server is in VirtualBox)? Is that possible?

Hello Petar

In the following lesson, you will see how to create a root CA and then how to generate a certificate for another device.

Once you create that certificate, there’s no special connection between the Ubuntu server and any other device. All you have to do is generate the certificate, which is a plain text file. Once it is generated, you can simply copy and paste it on your Windows 10 computer.

This of course is not scalable if you want to be able to do this to hundreds of PCs. There are other methods you can choose to import certificates automatically into devices. You can do this using SCEP:
https://sectigo.com/resource-library/scep-simple-certificate-enrollment-protocol

You can also configure a Windows server as a CA:

But all of this is leading away from your initial question.

I hope this has been helpful!

Laz

This is the command you use to sign the server certificate with the root CA:

openssl ca -in some_server.csr -out some_server.pem

I notice it does not specifically ask for what CA to use to sign. I notice in the openssl config file it has this line:

certificate     = $dir/cacert.pem       # The CA certificate

So I imagine the openssl ca command is calling this $dir/cacert.pem to do the signing.

What I am wondering is, if you had multiple CAs on this Ubuntu server, how would you choose which CA you wanted to use for a specific cert signing?

Hi @james.jukich ,

You are right, that’s how it figures out what CA to use. It’s possible to add a second CA in the openssl.cnf file and specify it with the openssl ca command. Here is an example:

https://notes.networklessons.com/openssl-second-ca

Rene
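The chain Laz describes earlier in the thread (Root CA → Intermediate CA → certificate) and the multiple-CA question from james.jukich can be shown in one script. This is an added example, not code from the lesson or from anyone in this thread: it builds a scratch PKI under a temporary directory with a single openssl.cnf that holds two CA sections, picks the signing CA with `openssl ca -name` (when `-name` is omitted, the `default_ca` entry in the `[ ca ]` section decides, which is the lookup James noticed), and then uses `openssl verify` to show that a client trusting only the root still needs the intermediate certificate before the server certificate validates. All names, paths and the `some_server.example.test` hostname are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the lesson or from anyone in this thread.
# One openssl.cnf holds two CA sections (an offline-style root and an online
# intermediate); 'openssl ca -name' picks which one signs; 'openssl verify'
# then checks the chain. Every name and path here is made up for the example.
set -eu

# Files 'openssl ca' expects for one CA: certificate database, serial, output dir.
init_ca_dir() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
}

# Print one [section] for 'openssl ca': $1 = section name, $2 = CA dir, $3 = days.
ca_section() {
    cat <<EOF
[ $1 ]
dir           = $2
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/ca.crt
private_key   = \$dir/ca.key
default_md    = sha256
default_days  = $3
policy        = policy_any

EOF
}

# Shared config: [ca] default_ca applies only when -name is not given on the command line.
write_config() {
    {
        printf '[ ca ]\ndefault_ca = ca_intermediate\n\n'
        ca_section ca_root "$1/root" 1825
        ca_section ca_intermediate "$1/intermediate" 365
        cat <<'EOF'
[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:some_server.example.test
EOF
    } > "$1/openssl.cnf"
}

# Build root -> intermediate -> server under a temp dir and print that dir.
build_pki() {
    base=$(mktemp -d); cnf="$base/openssl.cnf"
    write_config "$base"
    init_ca_dir "$base/root"; init_ca_dir "$base/intermediate"

    # 1. Root CA, self-signed. In production this key is kept offline.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$cnf" -extensions v3_ca \
        -subj "/CN=Example Root CA" -keyout "$base/root/ca.key" -out "$base/root/ca.crt" >/dev/null 2>&1

    # 2. Intermediate CA: its CSR is signed once by the ca_root section.
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" -subj "/CN=Example Intermediate CA" \
        -keyout "$base/intermediate/ca.key" -out "$base/intermediate.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$cnf" -name ca_root -extensions v3_ca \
        -in "$base/intermediate.csr" -out "$base/intermediate/ca.crt" >/dev/null 2>&1

    # 3. Server certificate: signed by the ca_intermediate section; the root key is not touched.
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" -subj "/CN=some_server.example.test" \
        -keyout "$base/some_server.key" -out "$base/some_server.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$cnf" -name ca_intermediate -extensions v3_server \
        -in "$base/some_server.csr" -out "$base/some_server.pem" >/dev/null 2>&1

    echo "$base"
}

# Exit 0 when the server certificate chains to the root via the intermediate.
verify_with_chain() {
    openssl verify -CAfile "$1/root/ca.crt" -untrusted "$1/intermediate/ca.crt" \
        "$1/some_server.pem" >/dev/null 2>&1
}

# Exit 0 only if the root alone can verify the server certificate (it cannot:
# the issuer, the intermediate, is neither trusted nor supplied).
verify_without_intermediate() {
    openssl verify -CAfile "$1/root/ca.crt" "$1/some_server.pem" >/dev/null 2>&1
}

# Print the issuer DN, which shows which CA section signed a certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

pki=$(build_pki)
issuer_of "$pki/some_server.pem"
verify_with_chain "$pki" && echo "root + intermediate: chain verifies"
verify_without_intermediate "$pki" || echo "root alone: cannot build the chain"
```

Run it with `sh` on a host with OpenSSL 1.1.1 or later. The `-untrusted` file in `verify_with_chain` plays the role of the intermediate certificate a web server sends along with its own; without it, a client that trusts only the root has no issuer for the server certificate and the chain does not build, which is the practical side of Mohammad's second question. Each CA section keeps its own `index.txt`, `serial` and `newcerts` directory, so the two CAs never share a certificate database.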