CA server using Debian

Cert Authority (CA) servers can come in handy when it is about creating a trusted infrastructure in your LAN. More often than not certificate replacement and renewal becomes an issue in operations and has to be performed ever so often.

So here is how to setup a CA server for your lab using Debian 11.

First setup the new server, make sure you that it is up to date and that you have a user created. I have one called certadmin that we will use in the example here.

After running the updates and adapted other things like vim installation (for me a requirement) we can get going. If you need to make adjustments you can find some suggestions here.

First steps

In our case we use easy-rsa. From the shell of certadmin run the following command: “sudo apt install easy-rsa -y

then create a folder easy-rsa in your home folder

Now link the folder to where easy-rsa is installed by running the following command: “ln -s /usr/share/easy-rsa/* ~/easy-rsa/“. Linked names are used to map folders to other locations, for example here, as you can see the folder is empty now:

ls
easy-rsa
certadmin@ca01:~$ ls easy-rsa/
certadmin@ca01:~$

After the symbolic link is created you see the folder contains more items. This means we don’t need to change to /usr/share/easy-rsa/ every time we need to do something. We have the folder available in our home folder.

ln -s /usr/share/easy-rsa/* ~/easy-rsa/
ls
easy-rsa
ls easy-rsa/
easyrsa openssl-easyrsa.cnf vars.example x509-types

Now to restrict the folder a it we need to change mode so run the following command: “chmod 700 /home/certadmin/easy-rsa“. This means that only the owner has access to the folder.

Next change into the “easy-rsa” and run the following command to start the initialisation of the Public Key Infrastructure (PKI): “./easyrsa init-pki

This will give you an output like this:

./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/certadmin/easy-rsa/pki

 

Step 2 – Creating the CA

First we need to create a file called vars. This file contains the various information we want to have in the CA as default answers, so in the “~/easy-rsa” folder run “vi vars” and add the following to the file:

set_var EASYRSA_REQ_COUNTRY "CH"
set_var EASYRSA_REQ_PROVINCE "ZH"
set_var EASYRSA_REQ_CITY "Zurich"
set_var EASYRSA_REQ_ORG "TestLab"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "Community"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"

Now it is time to build the CA and this is done by executing the following command: “./easyrsa build-ca“. This will generate a request for you enter a (secure) passphrase and re-enter it and then you can name the CA or hit enter to accept “Easy-RSA CA” as a name. The output should look something like this:

./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1n 15 Mar 2022

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................+++++
....................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/certadmin/easy-rsa/pki/ca.crt

Running the command above with the nopass  switch would mean you don’t get prompted for a password every time like this: “./easyrsa build-ca nopass

We now have two files that are important to us in the folder:

ca.crt – which is the public certificate file. This will be used by people to confirm the organisation they belong to. The file is located in the folder /easy-rsa/pki/.

The second file is the ca.key. This file is in the /easy-rsa/pki/private folder. This is the private key that the CA uses to sign certificates. This file must be kept secret at all times. If it is compromised you need to destroy and re-create your CA.

This means we have the CA in place and ready to be used to issue and revoke certificates.

Next it is time for the demonstrations on how to use the CA.