Lab 10 CA - LosephCawtonJurtis/SEC-350 GitHub Wiki
move the adapter to the lan network in vsphere
create a new user
adduser *username*
usermod -aG wheel *username*
passwd *username*
enter nmtui
static ip of 172.16.150.12/24 on the lan network
when exiting make sure to set the hostname to ca01-joseph
Creating a Certificate Authority
cd /etc/pki/tls/misc
./CA -newca
I set my password to toor
the answers after setting a password to the prompts are as follows
up next is creating a certificate signing request from web01
first update fw01 to allow LAN to DMZ tcp traffic over port 22
action accept, destination port 22, protocol tcp
ssh into web01 and create two private keys, one with a passphrase and one without
then
finally create the CSR
the information here will all be the same as earlier except that your common name will be the hostname of this machine
signing the csr
this involves moving the parts we've already created back and forth between the systems
first we pull the web01.csr
from within a new admin powershell window
scp [email protected]:/home/joseph/web01.csr .
<<< do not forget the period, I don't know why it's there either (the trailing period is scp's destination argument: it means "copy into the current directory")
then send it to the CA
scp web01.csr [email protected]:
<<< do not forget the colon (the colon after the host is scp's remote destination; with nothing after it the file lands in that user's home directory)
now the web01.csr should be in your home directory on CA; just cp it from there to the /etc/pki/CA/newcerts directory
cp web01.csr /etc/pki/CA/newcerts/web01.csr
now sign it from ca as directed below
copy the cert file to the home directory and then convert it while in the home directory like this (the file the CA wrote contains a human-readable text dump in front of the PEM block; reading it back through openssl x509 writes out only the PEM certificate)
openssl x509 -in web01.cert -out web01.cert
now back in mgmt retrieve the cert
scp [email protected]:/home/joseph/web01.cert .
<<< again stress on the period
then push it back to web01
scp web01.cert [email protected]:
<<< one more time, colon
next go back into ca01 and change directories to the one containing the cacert.pem file
cd /etc/pki/CA
convert and copy it to the home directory in one step
openssl x509 -in cacert.pem -out /home/joseph/cacert.pub
back on mgmt01
scp [email protected]:/home/joseph/cacert.pub .
then move it to web01
scp cacert.pub [email protected]:
<<< do not forget the colon
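Once web01.cert, web01.key and cacert.pub are all sitting on web01, it is worth checking that the three actually belong together before wiring them into a web server. The script below is an added example, not part of the lab write-up: it checks that the cert chains to our CA, that the private key from web01 matches it, and that the common name is the hostname. It assumes openssl is on the PATH; the file names are arguments, and make_demo_pki builds a throwaway CA and cert shaped like the lab so the check can be tried offline.

```shell
#!/bin/sh
# Added example (not from the lab page). Assumes openssl on PATH.
# Lab usage on web01:  sh check_cert.sh cacert.pub web01.cert web01.key web01
set -u

# check_issued_cert CA_CERT CERT KEY HOSTNAME
# Returns 0 only if CERT chains to CA_CERT, KEY is the private key for CERT,
# and HOSTNAME matches the certificate's common name (or SAN, if present).
# For a passphrase-protected key, export KEY_PASS=<passphrase> first.
check_issued_cert() {
    ca=$1 cert=$2 key=$3 host=$4
    # 1. Was it signed by our CA? (rejects a cert from some other CA)
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: FAIL ($cert is not signed by $ca)"; return 1; }
    # 2. Does the key match? Compare the public key inside the cert with
    #    the public half derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout ${KEY_PASS:+-passin env:KEY_PASS} \
        | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key: FAIL ($key does not belong to $cert)"; return 1; }
    # 3. Was the CSR filled in with the right common name?
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "name: FAIL ($cert is not issued for $host)"; return 1; }
    echo "ok: $cert chains to $ca, matches $key, and is issued for $host"
}

# make_demo_pki DIR: constructed fixture that mirrors the lab (a self-signed
# CA named ca01-joseph, a CSR with CN=web01, signed by that CA), so the check
# above can be exercised without the lab VMs. Uses 1-day certs.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca01-joseph" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=web01" \
        -keyout "$d/web01.key" -out "$d/web01.csr" 2>/dev/null
    openssl x509 -req -in "$d/web01.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -out "$d/web01.cert" 2>/dev/null
}

# Run the check directly when four arguments are given (see usage line above).
if [ "$#" -eq 4 ]; then
    check_issued_cert "$@"
fi
```

The key comparison uses the public key rather than the RSA modulus, so it works unchanged for non-RSA keys.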