Linux: Create A Certificate Authority - eliminmax/cncs-journal GitHub Wiki

Linux: Create a Certificate Authority

Meaning of the different command prompts used on this page:

    • Unix/Linux $: can be run as a normal user
    • Unix/Linux #: must be run as root (or with sudo)
    • Windows >: Command Prompt or PowerShell
    • Windows PS>: PowerShell only
    • Unix/Linux and Windows $/> or #/>: works in both Windows and Unix/Linux

Easy-RSA

Rocky Linux 8

Installation/Setup

This was adapted from a DigitalOcean tutorial.

  1. Install Required Software

    • If needed, enable Extra Packages for Enterprise Linux (EPEL): # dnf install epel-release
    • Install Easy-RSA: # dnf install easy-rsa
  2. Set Up CA - DO NOT RUN AS ROOT

    • create the directory: $ mkdir ~/easy-rsa
    • create symbolic links to the files in /usr/share/easy-rsa/3: $ ln -s /usr/share/easy-rsa/3/* ~/easy-rsa
    • block group/other users from accessing ~/easy-rsa: $ chmod 700 ~/easy-rsa

NOTE: Some tutorials will tell you to copy the Easy-RSA files from /usr/share/easy-rsa/3 to ~/easy-rsa, but symlinking them allows updates to easy-rsa to be reflected immediately.

  3. Set up variables

    • Create a file at ~/easy-rsa/vars, and set the following default values:
set_var EASYRSA_REQ_COUNTRY   ""
set_var EASYRSA_REQ_PROVINCE  ""
set_var EASYRSA_REQ_CITY      ""
set_var EASYRSA_REQ_ORG       ""
set_var EASYRSA_REQ_EMAIL     ""
set_var EASYRSA_REQ_OU        ""
set_var EASYRSA_ALGO          "ec"
set_var EASYRSA_DIGEST        "sha512"

For the EASYRSA_REQ_* values, set them as follows:

    Variable              Value
    EASYRSA_REQ_COUNTRY   2-letter country code
    EASYRSA_REQ_PROVINCE  Full name of the state or province (e.g. California, not CA)
    EASYRSA_REQ_CITY      Name of the city
    EASYRSA_REQ_ORG       Name of the organization
    EASYRSA_REQ_EMAIL     Email address
    EASYRSA_REQ_OU        Organizational unit
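As an added check that is not part of this wiki or of Easy-RSA itself, the shell functions below read a vars file in the set_var form shown above and verify the values against the rules in the table (two-letter country, spelled-out province, filled-in fields, an address-shaped email, and an algorithm/digest Easy-RSA accepts) before you run build-ca. Values are assumed to be double-quoted, as they are in the file above; the function and variable names are my own.

```shell
# Added example (not from the wiki): sanity-check an Easy-RSA vars file
# before building the CA. Usage: check_easyrsa_vars ~/easy-rsa/vars
# Exit status is 0 when every check passes; each problem is printed.

# Print the value of one "set_var NAME \"value\"" line (last one wins),
# with the surrounding double quotes stripped. Unquoted values are not handled.
easyrsa_var() {
    # $1 = vars file, $2 = variable name
    sed -n "s/^[[:space:]]*set_var[[:space:]]\{1,\}$2[[:space:]]\{1,\}\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

check_easyrsa_vars() {
    file="$1"
    rc=0
    country=$(easyrsa_var "$file" EASYRSA_REQ_COUNTRY)
    province=$(easyrsa_var "$file" EASYRSA_REQ_PROVINCE)
    email=$(easyrsa_var "$file" EASYRSA_REQ_EMAIL)
    algo=$(easyrsa_var "$file" EASYRSA_ALGO)
    digest=$(easyrsa_var "$file" EASYRSA_DIGEST)

    # Country must be a two-letter (ISO 3166-1) code such as US, never "USA"
    case "$country" in
        [A-Z][A-Z]) ;;
        *) echo "EASYRSA_REQ_COUNTRY must be a 2-letter country code, got '$country'"; rc=1 ;;
    esac
    # Province must be spelled out: two characters or fewer is an abbreviation (or empty)
    if [ "${#province}" -le 2 ]; then
        echo "EASYRSA_REQ_PROVINCE must be the full name (e.g. California, not '$province')"; rc=1
    fi
    # City, organization and OU only have to be filled in
    for var in EASYRSA_REQ_CITY EASYRSA_REQ_ORG EASYRSA_REQ_OU; do
        if [ -z "$(easyrsa_var "$file" "$var")" ]; then
            echo "$var is empty"; rc=1
        fi
    done
    case "$email" in
        *@*.*) ;;
        *) echo "EASYRSA_REQ_EMAIL does not look like an email address, got '$email'"; rc=1 ;;
    esac
    # Easy-RSA 3 key types; the wiki uses ec
    case "$algo" in
        ec|rsa) ;;
        *) echo "EASYRSA_ALGO must be ec or rsa, got '$algo'"; rc=1 ;;
    esac
    # Reject weak or mistyped digests (sha1, md5, "sha-512" ...)
    case "$digest" in
        sha256|sha384|sha512) ;;
        *) echo "EASYRSA_DIGEST should be sha256, sha384 or sha512, got '$digest'"; rc=1 ;;
    esac
    return "$rc"
}
```

Run it right after editing the file; a non-zero exit means the subject of every certificate this CA issues would carry the mistake, since the EASYRSA_REQ_* values end up in the CA's own distinguished name.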
  4. Build the Certificate Authority

    • from the easy-rsa directory, run $ ./easyrsa build-ca
      • this will prompt for a password that protects the CA's private key; if you want to set it up without a password, append nopass to the command
  5. Distribute the Public Certificate

    • The public certificate will be stored in the file ~/easy-rsa/pki/ca.crt.

Signing Certificates

  1. Copy the certificate signing request to the /tmp directory.

  2. From the easy-rsa directory, run $ ./easyrsa import-req /tmp/for.example.csr for.example

    • The last line will contain the path to the certificate
  3. Copy the signed certificate back to the web server.
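The round trip above as one shell function, added here as an example rather than taken from the wiki. In Easy-RSA 3, import-req only copies the request into pki/reqs/; the certificate is issued by the following sign-req command (here with the server type), which prints the path of the new certificate on its last line. The function assumes the CA directory from the setup section (overridable through EASYRSA_DIR, a name I chose), that the easyrsa script and openssl are installed, and it verifies the issued certificate against ca.crt before reporting success. Nothing runs until sign_server_request is called.

```shell
# Added example (not from the wiki): import, sign and verify a server CSR.
# Usage: sign_server_request /tmp/for.example.csr
# Prints the path of the issued certificate (pki/issued/<name>.crt) on success.

EASYRSA_DIR="${EASYRSA_DIR:-$HOME/easy-rsa}"   # assumed CA directory, as set up above

# "/tmp/for.example.csr" -> "for.example": the short name Easy-RSA files the request under
request_name_from_csr() {
    n=${1##*/}
    printf '%s\n' "${n%.csr}"
}

sign_server_request() {
    csr="$1"
    name=$(request_name_from_csr "$csr")
    crt="$EASYRSA_DIR/pki/issued/$name.crt"
    (
        cd "$EASYRSA_DIR" || exit 1
        # import-req only stores the request as pki/reqs/<name>.req; nothing is signed yet
        ./easyrsa import-req "$csr" "$name" || exit 1
        # sign-req issues the certificate; it asks for the CA key password unless the CA was built with nopass
        ./easyrsa sign-req server "$name" || exit 1
    ) || return 1
    # Confirm the new certificate actually chains to this CA before it goes to the web server
    openssl verify -CAfile "$EASYRSA_DIR/pki/ca.crt" "$crt" >/dev/null || return 1
    printf '%s\n' "$crt"
}
```

Everything that needs the CA runs in a subshell so a failed step never leaves your interactive shell sitting in the PKI directory; the openssl verify line is the check worth keeping even if you type the commands by hand.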

Add your Certificate Authority to the system trust

Debian and derivatives:

  1. Copy the root CA certificate (ca.crt) to /usr/local/share/ca-certificates/

  2. run # update-ca-certificates

RHEL and derivatives:

Similar to the previous section, but with a different path and command.

  1. Copy the root CA certificate (ca.crt) to /etc/pki/ca-trust/source/anchors/

  2. run # update-ca-trust
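The two Linux procedures above differ only in the anchor directory and the update command, so the added example below (my own code, not from the wiki) picks the right pair from the ID and ID_LIKE fields of /etc/os-release and then performs the copy and refresh. It parses os-release with sed rather than sourcing it, refuses anything that does not parse as an X.509 certificate (so ca.key can never be installed by mistake), and gives the file a .crt name because Debian's update-ca-certificates ignores other extensions. The function names are my own; install_ca_cert must run as root.

```shell
# Added example (not from the wiki): install a CA certificate into the
# system trust store of a Debian- or RHEL-family system.
# Usage (as root): install_ca_cert ~/easy-rsa/pki/ca.crt

# Print "<anchor dir> <update command>" for the distro family described by an
# os-release file ($1, default /etc/os-release). Fails for unknown families.
ca_trust_target() {
    osr="${1:-/etc/os-release}"
    # Collect ID and ID_LIKE (e.g. ID=rocky, ID_LIKE="rhel centos fedora") as one space-separated list
    ids=$(sed -n 's/^ID=//p; s/^ID_LIKE=//p' "$osr" | tr -d '"' | tr '\n' ' ')
    case " $ids " in
        *" debian "*|*" ubuntu "*)
            printf '%s %s\n' /usr/local/share/ca-certificates update-ca-certificates ;;
        *" rhel "*|*" fedora "*|*" centos "*|*" rocky "*)
            printf '%s %s\n' /etc/pki/ca-trust/source/anchors update-ca-trust ;;
        *)
            echo "unsupported distro family: $ids" >&2; return 1 ;;
    esac
}

install_ca_cert() {
    cert="$1"
    # Only a parseable certificate may go into the trust store (needs openssl)
    openssl x509 -noout -in "$cert" || return 1
    target=$(ca_trust_target) || return 1
    dir=${target% *}
    cmd=${target#* }
    # Debian tooling only picks up *.crt files; keep any existing .crt name, otherwise add the suffix
    name=$(basename "$cert" .pem)
    case "$name" in *.crt) ;; *) name="$name.crt" ;; esac
    install -m 0644 "$cert" "$dir/$name" || return 1
    "$cmd"
}
```

After the update command has run, openssl verify with no -CAfile (the system store) should accept a certificate issued by the CA; if it still fails on Debian, the usual cause is a file name without the .crt suffix.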

Windows

  1. Download the root certificate, right click it, and click Install Certificate

  2. Save it to the Trusted Root Certification Authorities store

Note about Firefox

By default, Firefox ignores the system's Certificate Authorities, and uses its own trust. You can find instructions for adding certificates in the Firefox for Enterprise documentation.
