CASetup » History » Version 1
Anonymous, 07/30/2023 04:38 PM
creating page
| 1 | 1 | h1. CA Setup |
|
|---|---|---|---|
| 2 | |||
| 3 | * TODO: copy these instructions inline |
||
| 4 | ** https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-on-ubuntu-22-04 |
||
| 5 | |||
| 6 | h2. Signing Instructions |
||
| 7 | |||
| 8 | h3. On the host machine or desktop |
||
| 9 | |||
| 10 | # Create directory |
||
| 11 | <pre> |
||
| 12 | $ mkdir csr && cd csr |
||
| 13 | </pre> |
||
| 14 | # Create key: |
||
| 15 | <pre> |
||
| 16 | $ openssl genrsa -out opnsense.key 8192 |
||
| 17 | </pre> |
||
| 18 | # Create CSR: |
||
| 19 | <pre> |
||
| 20 | $ openssl req -new -key opnsense.key -out opnsense.req |
||
| 21 | </pre> |
||
| 22 | # Copy CSR to CA VM: |
||
| 23 | <pre> |
||
| 24 | $ scp opnsense.req dsorber@cauth:/tmp/ |
||
| 25 | </pre> |
||
| 26 | |||
| 27 | h3. On CA. |
||
| 28 | |||
| 29 | # Start VM (should have been on already). |
||
| 30 | # Enter easy-rsa directory: |
||
| 31 | <pre> |
||
| 32 | cd ~/easy-rsa |
||
| 33 | </pre> |
||
| 34 | # Import CSR |
||
| 35 | <pre> |
||
| 36 | dsorber@cauth:~/easy-rsa$ ./easyrsa import-req /tmp/opnsense.req opnsense |
||
| 37 | Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) |
||
| 38 | |||
| 39 | The request has been successfully imported with a short name of: opnsense |
||
| 40 | You may now use this name to perform signing operations on this request. |
||
| 41 | |||
| 42 | </pre> |
||
| 43 | # Sign the request: |
||
| 44 | <pre> |
||
| 45 | dsorber@cauth:~/easy-rsa$ ./easyrsa sign-req server opnsense |
||
| 46 | Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) |
||
| 47 | |||
| 48 | |||
| 49 | You are about to sign the following certificate. |
||
| 50 | Please check over the details shown below for accuracy. Note that this request |
||
| 51 | has not been cryptographically verified. Please be sure it came from a trusted |
||
| 52 | source or that you have verified the request checksum with the sender. |
||
| 53 | |||
| 54 | Request subject, to be signed as a server certificate for 825 days: |
||
| 55 | |||
| 56 | subject= |
||
| 57 | countryName = US |
||
| 58 | stateOrProvinceName = Maryland |
||
| 59 | localityName = Derwood |
||
| 60 | organizationName = SorberHome |
||
| 61 | organizationalUnitName = EngineeringDepartment |
||
| 62 | commonName = opnsense.sorber.home |
||
| 63 | |||
| 64 | |||
| 65 | Type the word 'yes' to continue, or any other input to abort. |
||
| 66 | Confirm request details: yes |
||
| 67 | Using configuration from /home/dsorber/easy-rsa/pki/easy-rsa-1713.Noeorx/tmp.1I1wpB |
||
| 68 | Enter pass phrase for /home/dsorber/easy-rsa/pki/private/ca.key: |
||
| 69 | Check that the request matches the signature |
||
| 70 | Signature ok |
||
| 71 | The Subject's Distinguished Name is as follows |
||
| 72 | countryName :PRINTABLE:'US' |
||
| 73 | stateOrProvinceName :ASN.1 12:'Maryland' |
||
| 74 | localityName :ASN.1 12:'Derwood' |
||
| 75 | organizationName :ASN.1 12:'SorberHome' |
||
| 76 | organizationalUnitName:ASN.1 12:'EngineeringDepartment' |
||
| 77 | commonName :ASN.1 12:'opnsense.sorber.home' |
||
| 78 | Certificate is to be certified until Nov 1 20:07:12 2025 GMT (825 days) |
||
| 79 | |||
| 80 | Write out database with 1 new entries |
||
| 81 | Data Base Updated |
||
| 82 | </pre> |
||
| 83 | # Copy certificate request back to host machine: |
||
| 84 | <pre> |
||
| 85 | $ scp /home/dsorber/easy-rsa/pki/issued/opnsense.crt dsorber@enthoo:~/Desktop/csr/ |
||
| 86 | </pre> |