How to set up your CA, requirements and specifications
In this first part of how to set up your own CA we will look at what is actually needed. It goes without saying that this whole paper is based on the Linux environment; specifically, we will use Debian 3.01. I chose Linux because it is freely available and stable, and its administration is much more flexible in the long run. You can of course use a Windows box to do this, but you will be restricted by the options that Microsoft gives you. The box we will use is Bully at my home; however, any Linux box will do.
Keep in mind a few things though:
- The machine will have to be up at all times
- For this machine, once the certificate environment is running, all three security letters apply:
  - C: Confidentiality, the data on that machine has to be WELL secured and the private keys need to be kept in a safe place
  - I: Integrity, the data on that machine needs to be trustworthy, data integrity will have to be guaranteed at all times
  - A: Availability, the data and services on this machine need to be available at any time. If the machine fails, the data needs to be available elsewhere (read: MAKE BACKUPS AT LEAST ONCE A DAY!!!)
- Linux will be installed
- Directory Location
- A secure storage, off-site if possible, for the CA key. If you lose it, you can be compromised by whoever finds the key, or you might have to re-create all the certificates you issued already and re-issue them.
About the directory location: you need to make up your mind where the CA database, issued certificates and revocation list will be located on the file system. This is important because EVERYTHING will revolve around that directory structure. This means, for example, don't put it into /opt/var/something/somethingelse/myowndirectory/someting, because that makes it hard to document and it isn't easy to administer in the long run either. In my case it will be in /opt/CA.
The "CIA" issue can be helped with, for example, 2 machines with an identical setup (as in software; the hardware doesn't need to be identical) that continuously synchronize the data. If the primary server fails for whatever reason, all you have to do is bring the other one up with the same IP and TADA! you are done. Of course these machines should run on server hardware (redundant power supply, ECC memory etc.). HOWEVER, this type of hardware can be entry level if your company is not that huge yet (in which case you are the right target group for this article); for up to 200 people this is WAY enough.
So to put it simply, you will need the following:
- a dedicated server
- Debian Linux with OpenSSL installed (or any *nix flavor that runs OpenSSL, but make sure you know where all the utilities discussed in this paper are)
- some idea about using the Linux command line and ssh
- a thought of WHERE on the file system you will put the CA directory structure
- A BACKUP PLAN!!!
- SECURE STORAGE for the CA key!!!
After that, follow the instructions and you will have a CA done in a short time.
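The following shell functions are an added example, not part of the original article: they audit a CA directory for group- or world-accessible files, and take a dated backup that is verified against a SHA-256 manifest by restoring it into a temporary directory. The function names, the backup file naming and the use of GNU find, tar and sha256sum are assumptions of this example; /opt/CA is the location chosen above.

```shell
#!/bin/sh
# Added example: permission audit and verified backup for a CA directory.
# Typical call (paths are assumptions):
#   ca_perm_audit /opt/CA && ca_backup /opt/CA /mnt/backup/ca

# Confidentiality: report anything group or others can read, write or enter.
# Symlinks are skipped because their mode bits are always 777.
ca_perm_audit() {
    loose=$(find "$1" ! -type l -perm /077 -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/group or world accessible: /' >&2
        return 1
    fi
}

# Integrity: SHA-256 of every regular file, with paths relative to the CA dir.
ca_manifest() (
    cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum
)

# Availability: write ca-YYYYMMDD.tar.gz and ca-YYYYMMDD.sha256 to the backup
# directory, then restore the archive into a scratch directory and check it
# against the manifest. Runs in a subshell so umask and cd do not leak out.
# The backup directory must live outside the CA directory.
ca_backup() (
    umask 077                       # archive and manifest: owner access only
    src=$1
    mkdir -p "$2" && dest=$(cd "$2" && pwd) || exit 1
    base="$dest/ca-$(date +%Y%m%d)"
    ca_manifest "$src" > "$base.sha256" || exit 1
    tar -C "$src" -czf "$base.tar.gz" . || exit 1
    tmp=$(mktemp -d) || exit 1
    if tar -C "$tmp" -xzf "$base.tar.gz" &&
       (cd "$tmp" && sha256sum -c "$base.sha256" >/dev/null); then
        rc=0
    else
        rc=1                        # archive does not match the manifest
    fi
    rm -rf "$tmp"
    exit "$rc"
)
```

The archive contains the CA private key in the clear, so the backup target needs the same secure, preferably off-site, storage as the key itself.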
Questions? Comments?
//Flosse
Click here if you want to see the full index and brief of the OpenSSL for everything "project"
I found pretty good posts about SSL CA here and here, but the second one is already on the scripting and technical side, whereas the first one is actually quite elaborate and has a lot of other details.