Hero Image

CA server with Easy-RSA

We use the certificate server to create certificates and enable secure connection between all our servers and services. We do not need large resources for CA server. I choose 1Gb RAM, a CPU and 10Gb hard disk but we can run it on 512Mb RAM and 3Gb HD.

sudo virt-install --virt-type kvm --name ca \
  --location \
  https://deb.debian.org/debian/dists/bullseye/main/installer-amd64/ \
  --memory 1024 \
  --vcpus 1 \
  --disk pool=vmdisks,size=10,format=qcow2 \
  --network bridge=br0 \
  --hvm \
  --graphics none \
  --console pty,target_type=serial \
  --extra-args "console=ttyS0"

Configure Debian

Edit nano /etc/network/interfaces and set a static IP address:

source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug ens2
iface ens2 inet static

sudo nano /etc/resolv.conf

search yourdomain.com

Set the system language to English to make it easier to find problems in the logs:

apt install locales-all
localectl set-locale LANG=en_US.utf8
localectl status

Update Debian and install the necessary administration tools

apt update
apt install wget sudo screen nmap telnet tcpdump rsync net-tools dnsutils htop \
apt-transport-https vim gnupg lsb-release

Create nano /etc/sudoers.d/10-nopasswd and add


Configure VIM

Open nano /etc/vim/vimrc and replace all its contents with:

runtime! debian.vim
syntax on
set background=dark
au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
filetype plugin indent on
set encoding=utf-8
set nobackup
set nowritebackup
set showcmd
set updatetime=300
set showmatch
set ignorecase
set smartcase
set incsearch
set tabstop=2
set softtabstop=2
set shiftwidth=2
set expandtab
if filereadable("/etc/vim/vimrc.local")
  source /etc/vim/vimrc.local

Create users vim config file nano ~/.vimrc and add:

set mouse=
set nocompatible
set cursorline
set nocursorcolumn
set nowrap
set showmode
set hlsearch
set wildmenu
set wildmode=list:longest
set wildignore=*.docx,*.jpg,*.png,*.gif,*.pdf,*.pyc,*.exe,*.flv,*.img,*.xlsx

From now on we will use VIM insteed for nano.

Set Up and Configure a Certificate Authority (CA)

Easy-RSA is a Certificate Authority management tool that you will use to generate a private key and public root certificate, which you will then use to sign requests from clients and servers that will rely on your CA.

Installing Easy-RSA

Becouse Easy-RSA is just bunch of script and not application I will download and unpack archive:

sudo apt update
sudo apt install easy-rsa

At this point you have everything you need set up and ready to use Easy-RSA. In the next step you will create a Public Key Infrastructure, and then start building your Certificate Authority.

Preparing a Public Key Infrastructure Directory

Non root user should manage and interact with the CA without elevated privileges.

sudo mkdir /srv/easy-rsa
sudo chown -R emir:emir /srv/easy-rsa
sudo chmod 700 /srv/easy-rsa
ln -s /usr/share/easy-rsa/* /srv/easy-rsa/
cd /srv/easy-rsa
./easyrsa clean-all
touch pki/.rand
touch pki/index.txt

Creating a Certificate Authority

Before you can create your CA’s private key and certificate, you need to create and populate a file called vars with some default values. First you will cd into the easy-rsa/pki directory, then you will create and edit the vars file with vim or your preferred text editor:

if [ -z "$EASYRSA_CALLER" ]; then
  echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
  echo "This is no longer necessary and is disallowed. See the section called" >&2
  echo "'How to use this file' near the top comments for more details." >&2
  return 1

set_var EASYRSA_DN  "org"
set_var EASYRSA_REQ_PROVINCE  "Province"
set_var EASYRSA_REQ_CITY  "Citu"
set_var EASYRSA_REQ_ORG "Organisation"
set_var EASYRSA_REQ_EMAIL "administrator@yourdomain.com"
set_var EASYRSA_REQ_OU    "Organisations unit"

set_var EASYRSA_KEY_SIZE  2048
set_var EASYRSA_ALGO    rsa
set_var EASYRSA_CA_EXPIRE 10950
set_var EASYRSA_CRL_DAYS  180
set_var EASYRSA_RAND_SN "yes"
set_var EASYRSA_NS_COMMENT  "Your Organisation Certificate"
set_var EASYRSA_DIGEST    "sha512"

To create the root public and private key pair for your Certificate Authority, run the ./easy-rsa command again, this time with the build-ca option:

./easyrsa build-ca
sudo cp pki/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Using Easy-RSA to generate keypairs & requests

Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This request is what a CA needs in order to generate and return a signed certificate.

Ideally you should never generate entity keypairs for a client or server in a PKI you are using for your CA. It is best to separate this process and generate keypairs only on the systems you plan to use them.

Create server certificate

./easyrsa gen-req dc01 nopass
./easyrsa sign-req server dc01
./easyrsa gen-req dc02 nopass
./easyrsa sign-req server dc02
./easyrsa gen-req mail nopass
./easyrsa sign-req server mail
./easyrsa gen-req srv01 nopass
./easyrsa sign-req server srv01
./easyrsa gen-req srv02 nopass
./easyrsa sign-req server srv02
Check certificate
openssl x509 -in pki/issued/dc01.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/dc01.crt
openssl x509 -in pki/issued/dc02.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/dc02.crt
openssl x509 -in pki/issued/mail.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/mail.crt
openssl x509 -in pki/issued/srv01.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/srv01.crt
openssl x509 -in pki/issued/srv02.crt -text
openssl verify -CAfile pki/ca.crt pki/issued/srv02.crt
Transfer certificates
scp pki/ca.crt pki/issued/dc01.crt pki/private/dc01.key dc01:
scp pki/ca.crt pki/issued/dc02.crt pki/private/dc02.key dc02:
scp pki/ca.crt pki/issued/mail.crt pki/private/mail.key mail:
scp pki/ca.crt pki/issued/srv01.crt pki/private/srv01.key srv01:
scp pki/ca.crt pki/issued/srv02.crt pki/private/srv02.key srv02: