CA Server - OpenSSL

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

whenever you connect to a computer on a private network through a web interface chances are the web browser you're using is complaining that the connection's not secure now that's not surprising really because the certificate of identity that the service presenting is actually a self-signed certificate in other words it's a certificate that the server itself actually sent now the problem is the web browser is only going to be trusting certificates that have been signed by a trusted authority so these are certificate authorities out there on the public internet and they don't know anything about your private network so it stands to reason that your web browser is not going to trust these internal servers now you could actually just ignore the warning i mean web browsers still do that at the moment the only problem is it's a bit of a bad habit to actually adopt because what you're going to run into is the potential that you could end up with a man in the middle attack and you may not specifically notice it because yes you're just going to ignore the warning but you're going to still get this other error message up at the top still seeing that the connection is not secure in other words the actual certificate's not valid what you really want to be seeing on your web browser is a secure connection the connection that your web browser actually does trust server delivering the link and the problem is well if you're just accepting this private certificate and you're always accepting this situation where you've actually got an untrusted certificate you may not actually know when something goes wrong on the other hand if you always have an actual secure connection you're going to notice pretty soon enough when something does actually go wrong now there are different ways in which you can actually deal with this but one of those is to actually create your own certificate authority now that's something you're interested in learning and stick around and watch this video because that's what we'll be going over [Music] now to make life easier i'm putting a timeline for this video i'm thinking of the now in the sense that not everybody wants to know everything there'll be cert sections maybe people are sticky on certain parts of the actual implementation and in which case it's useful to have that timeline but i'm also thinking ahead in the sense that it's highly unlikely unless you're working for a big organization that you're going to be creating certificates on a daily basis so chances are you might want to keep coming back to the video just specifically for that section about how to actually create a certificate how do i sign a certificate and so on in which case it's useful to have those individual sections so hopefully that does help so this is the problem that i was referring to in the intro where we've actually got a warning message on our web browser so i'm actually connected into the vmware esxi hypervisor now it is an actual secure connection the sensor the actual connection is encrypted because if i dig a bit deeper it's saying https but you can see that's been struck out and it's actually giving us a warning message so this server's got a self-sane certificate and we've just basically ignored the warning because that's all you're doing um the web browser is not just okay fair enough we'll accept it's genuine it's not it's just basically ignoring the fact that there was a warning there in the first place because it's that's your choice you're just saying okay accept that there's a there's an issue here and i'm going to accept it but it's still going to warn you that the connection is not secure so even if i am genuinely connected to the server esxi.10 and even if the connection between my computer and this server is actually being encrypted from the web browser's perspective it can't guarantee that it cannot guarantee that this server is what it says it is because it can't trust the certificate uh when the web browser gets supplied in the operating system and through a series of updates it's got basically a list of certificate authorities out there on the internet that it trusts and the certificate that came from this specific server isn't on that list of trusted authorities so for that reason it doesn't trust the certificate in which case it cannot guarantee to me that this server is genuinely the server it says it is now from my perspective i'm you know i'm 100 certain i am connected to that actual server but the problem is from the web browser's point of view well it doesn't know it cannot guarantee that and that's why it's going to continue to warn me that this is not secure now on the public internet this is something you'd never want to see because there's always the potential that the actual connections being intercepted and if you're putting in using you know details like a username and a password there's always the potential you are connecting to a server isn't genuine or your connection's been intercepted so your traffic is going from your computer to some other computer which is then reeling it on to the genuine server and you would actually see something like that as a result so this for that reason is a very bad habit to actually get into because what you really want to be seeing here is a padlock you want to see this as a genuine trusted connection that way if something were to go wrong uh whether it's a man-in-the-middle attack if it's a case of the service being kicked off the network and someone's put their own in all of a sudden that padlock will disappear and you'll see this warning up here saying this is not a secure connection and that's what you need to be vigilant about especially on the public network but for that same reason i find it's better to get into that same habit within your own internal network because this to me is a bad habit even on your own network if you're going to keep accepting these if something were to get compromised and you're just casually accepting these warnings all the time you don't know if something's actually gone wrong so it's better that we actually do have a genuine connection one that is trusted by the web browser and you and so for that reason you want a certificate authority i mean unless you're actually on the actual public network so for example if you're on the internet you've got your own public domain and so on you can actually get certificates for your internal network but you have to have a public presence now i don't expose my internal computers out to the public internet that that to me is just a very very bad security practice there's no genuine reason for me to actually present any of my computers to the internet so for that reason i can't go down this path of getting a certificate from a public certificate authority that the web browser already actually accepts what i'm going to do is to create my own certificate authority there are different ways to do that you could for example use a nas there's quite a few of them out there that actually give you that option to run a certificate authority on the nas my only concern is given what's happened over the years where some of these have actually been um hacked if you will uh and they've ended up where somebody's ended up with ransomware problems and all sorts i don't want to go down that risk because if the nas gets intercepted next thing i know they've got access to the actual certificate authority it's similar with the actual firewall for example there are firewalls out there that offer multiple services but i prefer to have a firewall that is just a firewall if the firewall isn't actually presenting a service then it doesn't actually accept traffic directly to itself it's it's just effectively a relay there to just uh to manage the traffic going in and out of the network but it itself can't be an actual target for a service so in which case it reduces the attack vector on your firewall so for that reason i'd like to have everything separated out uh somewhere down the line i'll be getting into containers and so on but for now i want individual computers doing their own individual thing so if one computer gets compromised i don't have this knock-on effect and where all of a sudden there is more services that i'm running are at risk so the plan is we're going to be using urban ssl so that's a basic it's an application used for signing certificates you can set up to to actually sign certificates as a certificate authority so that's going to be our strategy now rather than just jump straight into any implementation i thought i'd give you a bit of a background on how this whole certificate process works so typically out of the box you've got an operating system running on your computer which trusts certificate authority servers that are out there on the internet so the idea is any certificate that's been signed by one of these computers your computer trusts the only thing is you've also got web browsers on your computer they've got a separate store so it's a case of those web browsers they trust certain certificate authority servers out there on the public internet now when it comes to internal certificate authority service that's something you've got to bear in mind because if you want to connect to a computer on your network with your web browser it's the web browser you need to update if you update the operating system it's not going to have any impact or benefit for your web browser so it's just something to bear in mind but anyway the way this all works is out of the box that's what you're trusting certain certificate authority service so for example let's say we've got a root certificate server out there on the internet that we trust so like this one here let's say we create a certificate request for our firewall and we get it signed by this root certificate authority server that's actual certificate's been signed by trusted authority a server that our computer or what specifically our web browser trusts so when we connect to this web browser it's going to present a certificate that's been signed by this root certificate authority which we trust in which case the web browser is going to tell us it's a secure connection now that's not really practical so for that reason it typically will hand off the responsibility of signing certificates uh to actual third parties so you have a an extra tree branch if you will this is the route right at the start then you've got all these these branches coming out for sub-certificate authorities or intermediary certificate authorities so typically third parties so the idea is a sub-certificate authority server generates a certificate request which is signed by the root certificate authority so this server then has its own same certificate our firewall for example will generate its certificate request but instead of getting it signed by the root server it gets signed by the sub server now it then has a signed certificate which has been signed by an intermediary our computer is trusting the root door so we have to set up what is called chain of trust so for that reason what happens is the actual firewall here for instance it presents its own certificates being signed by the sub-server but it also presents the actual certificate belonging to the sub server so this is the intermediate certificate and then that gives us our trust chain if you will because our computer trusts this root server so what it sees is a certificate that's been provided by this firewall ensures that it's been signed by this server it then sees a certificate coming from the firewall that's been well belongs to the server here and that's been signed by this server because our computer trusts this server it then trusts this server and so interests this server so that's our certificate chain if you will but it's something to bear in mind is you can't just you know take a certificate from this server put it on your computer and then start getting certificates signed by that sub server it's not going to work because your computer knows nothing about this server until you tell about it tell it so it's an extra step but that's typically the process in which it works whenever you go to a third party typically not one of the big majors like root certificate authorities out there typically they'll give you the actual certificate for your computer plus their own server certificate which is backed up by a root certificate so that's the reason why you sometimes get more than just one certificate to present but it's a fairly straightforward process but it all hinges on this one specific server being trusted so something to bear in mind you've got to guard the private key on this thing with your life basically because if this thing gets compromised it's pretty much given especially if it's on the public internet the chances of getting out of that would be pretty much non-existent there's going to be so many servers out there and it's yeah it's just going to be a big mess so they're going to be really really careful as to you so not surprisingly the model does work and it's a case of well pretty much even an internal network whether it's a private network a company network a home network whatever it is that model tends to be replicated so you build a root certificate server and then you build a sub-certificate server and then off you go with your chain of certificates but there's a bit of a flying joint now while you can still follow this same model of having a root certificate server and a sub-certificate server personally i just don't see the benefit to it anymore especially on a network like this scale i mean if you're on a you know small network a private network whether it's a home network a lab or a company network i just don't personally see any benefit to anymore and the reason being well it's twofold if we go back to when this whole kind of started really the idea was this would be a physical computer so don't be built in complete isolation would never be connected to the network meaning it'd be highly unlikely that you could ever compromise it during the build process so nobody would be able to get access to the key uh you'd normally be using cds to basically keep a copy of the actual private key when it came to actually signing the certificate for this server put it onto a cd pass this server sign it pass the same certificate back to that key through a cd stay away from usb drives because they're going to be infected with malware through their firmware for example but it's very very secure doing it that way and then once you've got your actual subsea is server up and running you then actually archive this server so it wasn't present on the network during its build and it's nowhere to be seen during day to day operation i mean the ghetto keys somewhere on a cd and a safety plus box somewhere there's probably a copy of two copies of it for safety but this server never comes back unless you have to build more service for example typically that would have something like an expiry of 20 years for example this has got an expiry of maybe 20 of 10 years for example the servers have got an expiry of maybe one year but it's highly unlikely you'd ever see this server come back so it made a lot of sense back then but now we're into virtualization which kind of changes the security a bit so for that reason when i do build a root certificate server i've got to be a bit careful i'm still going to build a virtual machine what i could do for example is i could build this server without a network card install the operating system i could install ufw which is the software firewall and then i can bring it into the network so that way it's safe i do need to put it on the network in order to transfer you know certificates backwards and forwards between these two but that's pretty much about it so i could still archive that one i could still do it that way but i now call into question why we even want this anymore because something else has changed and that's to do with certificate revocation now another good feature that came with this model was certificate revocation so that is where we actually revoke certificates that are no longer valid now normally what happens is the server here for example signs a certificate from the firewall and it's got an expiry date out firewall it hands it over the client and it's up with the client to actually check is that certificate still valid in other words has the expiry date passed if it hasn't then it's still valid in which case we still carry on with the connection now the only thing is is that if this computer gets compromised then somebody else can actually present that same certificate and key uh on the other hand it might be a case of maybe this computer just needs decommissioning either way we actually want to revoke that certificate from being used anymore so what we had still after that matter are certificate revocation lists now the idea there is that on our computer here our sub cs server we actually revoke a certificate so for example this one we've signed this certificate but now i've decided that certificate's no longer valid so we tell open ssl to revoke the certificate and it creates or appends onto a list of remote certificates that it's got assigned certificates that get created contain details telling the web browser in this case where to go and check for revoked certificates so what the computer does it's actually a two-step process really it's checking if the certificate is actually um still valid as far as expiry goes but it's also going off and checking this revocation list to see if the certificate has been revoked now if it's not on the list it's still valid so carry on with the connection on the other hand if it's in the list it's being revoked in which case it's no longer a vat certificate and it's going to warn you of such so that made a lot of sense but the problem is things have actually changed since then and what i'm finding in particular is that these vendors said the browsers in particular they just don't pay any attention to certificate revocation anymore uh out of books at least they don't so the problem i've got is there's different methods you can introduce for this and crl certificate revocation lists a good ocsp online certificate status protocol and there's also a an extra element to that which is all csp stabling but either way out of the box these browsers they're just not interested so even if i introduced something like that into the network the problem is the browser is just going to ignore it now i've got browsers like firefox and you've also got google chrome for example which will allow you to add that feature back in again except what i'm finding is that the brave browser i use and i prefer doesn't let me do that there isn't a little tick box anywhere that i've found tell me to still carry on you know doing on an actual certificate revolution checks so the problem is is that even if i introduce that system the web browser is just going to so it kind of seems pointless and another challenge that was thrown up against these systems is the fact that what the web browser does is it actually fails open when it comes to that that step in the process i mean aside from the fact that actually takes longer and it might take as long as you know quite a while i can't remember the exact time but it was going to take quite a while for your computer to actually go off and check if a certificate's been revoked especially if the list gets longer and longer and longer problem you've got is the the web browser if it's going to fail open all it needs is the hacker to block your access to the actual um certificate authority or the ocsp responder or whatever and your browser is going to find that well i can't actually go and check if the certificate's been revoked eventually it'll time out and it'll just carry on as if the certificate was valid so there are ways around it so it seems kind of pointless now which kind of makes sense as to why the vendors have just given up on it basically so you can implement it if you want but to me because of that web browser i'm using it's just not interesting and on the scale of things for me it kind of makes it pointless to have this subcertification authority server because that was that was part of the um incentive because if this server was offline nobody could get access to the actual private key so if this server compromised i could bring this one back revoke the certificate for this one build new server and then off we go creating new certificates for our servers but it's like it seems a bit of a headache to do that and to me it seems easy to just forget about the sub-certificate server and just stick with one root certificate server the idea then is if this certificate server does get compromised in some way what i'll do is i'll just remove the trust in that specific certificate on that machine because at the moment i've just got one computer that's having to manage all these computers all i've got to do is take away that certificate on that specific server build a completely new root certificate authority and then just go back through the whole process either way i would have had to i would have to build a completely new sub-certificate server anyway and rather bring this server back into life so that extra process seems too much um to be justified in doing that sort of thing even on a small company network um and if you've got you know 10 people maybe it's a case of you just got to go to 10 computers and update or even one job server for example and get the browser for every individual user updated you're still going to have to update all those server certificates no matter what so it's yeah i just don't see much point for it now it was good idea of the time but i think it's i think it's had its days really so for that reason my strategy is i just want to build that one route certificate server so the plan is we'll spin this computer up i'm putting it in the build server to keep it isolated i mean i've got an apache server down here it's not that's not going to be present on the network at the time you build this so i can still make this um secure once it's ready to go then we can bring this one in into play because i want to do some testing i just want to demonstrate how the certificates work uh the idea is i've i've got access from this specific machine into this network so i'll be able to get access to that computer uh through its web browser and get access to that computer through ssh so that way i can do my copying and pasting like create my certificates and so on and we can actually test that our certificates are working that we've got that trust in place and that just makes it easy because what i'll do later down the line i mean this this is just a one-off server i'll remove it once i've finished with it but the plan then is for me longer term as i'll actually move this server over to the management network it doesn't necessarily need to be on see like the infrastructure network there's nothing needs direct access to that server other than my management server so i don't see any point of putting it out here if this server is the only one that's going to connect to it anywhere and it seems kind of pointless to me so it seems a lot more secure putting that server into here it's nothing's allowed access into the management network um so yeah that seems the safest strategy now somewhere if i do get a means to automate that and put us like a uh a web-based front end on it where we can automate the process of getting servers to actually automate their own certificate and uh signing and so on they would need access to that certificate server in which case it would then would make sense to put it into that infrastructure network but for now i'm just going to basically do it all manually on that one server which case for me it makes sense to just put it there so first thing we need to do is build our root certificate server now i'm not going to go through the actual install process because all we're going to be doing is installing a bundle onto an actual virtual machine um so it's pretty straightforward especially when it comes to something like esxi we just got to tell it what the guest os is make sure we point to an iso image to boot from in terms of the hardware spec not a great deal one processor one gig of memory i've given it 16 gig of fab disk storage that's just for the sake of 16 gig tends to be typical for even sd cards these days i mean if nothing provision it as well it's going to be taking up even less disk space as well so it's not really that big of a deal one thing i will point out is that i've got this attached to a dedicated switch for this build network so the only device that's got access to this is the apache virtual machine but the actual firewall as well has also got a leg in this network uh the reason i went for a separate switch is just that doesn't it reduces the risk of me actually having another virtual machine that accidentally gets connected to this build network for example i mean it is possible but it's unlikely at least while i'm building it and once i'm finished with it i'll put it under the management network anyways it's not that big of a deal but it just gives me that extra security and protection if you will from other virtual machines ever being able to touch this while we're building it so we'll then go through the install process which again i'll normally cover because it's pretty straightforward but when it comes up with the option of building the actual drive it'll actually ask you if you want to enable encryption and i would recommend you do that because this thing is going to have a private key on it and we want to actually protect that if somebody gets a hold of the actual virtual disk image we don't want them to be able to spin it up on another actual computer and get access to the key so for that reason by encrypting the actual hard drive it means every time this virtual machine spins up you've actually got to put the actual key in uh to decrypt it then once it's up and running obviously you'd have to log in to be able to use it and so on so it's a bit of extra security going into that uh the other sort of questions you'll be asked for a route secure a route password which will obviously want to make that long and secure you'll be asked for a user account again you'll want some obscure user account for example something not too obvious a long security password as well for that which is different to what you use for the route and then it's a case of it'll also probably a host name although we could change that afterwards um you can be a bit more like security paranoid i suppose when it comes to building this i mean i've got this actually connected to the actual switch it can actually ops within the settings for instance to not connect that so the interface exists it's just not connected you could for example not put the ip address in when you actually configured because the network card won't be there you could just leave it on dhcp for example in which case for me it's not going to get an ipad so even if it does spin up on a network and there's another computer there there's no ip address to talk with us there's all sorts of different ways you can be extra secure but for me i'm quite happy to have this separate network there's nothing the only thing attached to it is the apache server which is down the firewall which yeah okay the management server could get into this which it's going to be able to anyway at some points i'm not too fussed about that but i think that's about as far as i'll go in terms of that aspect of the security when it comes to the software to get installed it does ask you if there's any particular software you want to install i mean it does ask you for example if you want to open ssh release the bundle does and i will to get that installed because i want remote management into it so i do my copying and pasting but any other software i'm going to deselect now by default it asks if you want to install standard utilities now i don't need those so i'll deliberately deselect them the less things that are on this machine the better really so the idea is spin-up is just a bug standard of bundle and server it'll have open ssh on it so i can remote into it and then we'll just install and you well we won't install anything really other than to update the software after that and just run the basic open ssl basically everything else is already on as we need it so i'm just going to get on with building this machine and then once it's ready i'll bring you back so we've now got ubuntu installed on the computer and what i've actually done is to install the updates on the computer as well so we're now pretty much ready to go but before we actually start delving into urban ssl how to start creating certificates citing them and so on i just need to make one or two changes first just to get things started so at this moment in time this is the only computer within the build network and only the management server can get access to it but i still want to tighten up the security so for that reason i'm going to enable ufw so that's the actual software firewall that we're going to be using in linux now the actual user account i've got here is kind of obvious almost update but because there's a video i just want to keep things nice and simple but i would suggest coming up with something you know slightly obscure just to confuse people basically make it harder to to be able to log in now now that ufw is enabled what it means is that this computer can get access to things but nothing can get remote access to it because if i actually ask it for the status it shows yeah it's active but there's no rules applied so there's no inbound access allowed so i do actually have to make a change to allow the management server to get access to it again so i will do sudo ufw now i'm going to use the limit command which is very useful for ssh because it's going to limit the number of attempts you're going to get if i use the allow command yes it will allow ssh access but if you've got some sort of automated program that's constantly trying to log in whereas for the allow command commander just keep allowing it a try the limit command is only going to allow a certain number of temps then then it's just going to block access from that ip address for a period of time so it's pretty useful in that respect so what i need to tell it is what protocol is in this case it's tcp that we're using for ssh i need to tell us where we're connecting from so it's 172 16 18.10 i need to tell it where we're connecting to now this particular computer only has one ip address it's only got one network card so technically it wouldn't matter if i put in any but it always appears to be more secure because you never know what's going to happen somewhere down the line so in which case i'll put its own ip address in to be more specific now i'm just going to get that when you go back one thing i then need to do is tell it the application allowing access to so it's port 22 which is used by ssh so if i then ask for the status again again yet ufw is active but i'm restricting access now to ssh so i'm allowing it i'm allowing access from the management computer but i'm also going to limit it any other attempts to get access to this computer are going to get blocked now before i now jump across to the management computer i think while i'm here i'm just going to make some last minute changes before we actually get started with open ssl so the way this is all going to work is that urban ssl is an application it's not running as a service i need to store information on this computer things like private keys certificate certificate requests and there's no point putting that into some sort of shared area if all i'm going to do is log in as the actual you know say admin user in this case and then just run open ssl from that user account so for that reason i'm just going to leave everything in within the home directory but i want a nice orderly structure where we keep things to my life easier so i'm going to actually make some folders i'm going to make the ir i'm going to use the dash p parameter within there which basically says that if i specify a folder in here which is a parent folder and it doesn't exist well create it so the reason i'm doing this is it just means i can create a folder and a series of subfolders in one line so it makes a bit easier really so i'm going to call that for the c because it's a certificate authority we're going to create and then i want to create some subfolders so that's the reason why i want the dash p because if i try to run this command without the dash p it's just going to bark because well let's see it full doesn't exist right i want a form called private which is where we'll store private keys i want to call it called certs which is where we'll store science certificates on another folder called new serves which is where urban ssl stores certificates so we'll be outputting to certain um well we'll be out when we actually run this open ssl command will tell it to send the output of the signed certificate to our search folder but it'll actually create a buckle in that new sets folder for us i do also want another folder called csr and that's going to be our for our certificate signing requests now part of the reason for doing that is with some of the actual applications and systems that are out there i can actually do everything on this computer i can create a private certificate i can create a certificate citing a request i can then run open ssl to then generate a signed certificate and then all i've got to do is effectively paste the contents of the private key as well as the actual signed certificate back to that application for example so it makes sense to be able to keep everything on that computer another option is well at some point certificates do actually expire now the actual signing request doesn't really change it's always pretty much the same so what i can do is by keeping the signing requests on here even if i do have to generate a signing request on another computer i can upload it to here keep a copy of that and then when i need to create a new science certificate i've got the actual request already ready to go so it makes life easier both now and further down the line that creates our our folder ca plus all the subfolders so if i do ls dash l unfortunately for some reason the console that we've got gives you you know directories and kind of a dark shade of blue so a bit difficult to read but if i have a look in the actual folder itself there are now four subfolders so it's created everything for us which is great the only problem we've got is that a private folder which is where we're storing private keys it's allowing read access for example to that folder to the other group which is well it's not a really a good idea because that's all you need basically if you've got read access of a private key then well yeah it gives you a bit of an advantage that you shouldn't have so we don't want that we don't want anybody other than this ca admin user getting access that for us so for that reason i'm going to make a slight change to the permissions uh do it in the both so that you can see the output now basically that number there's different ways you know you can do this but i'm doing it with the numbered approach which basically means seven is basically everything zero means nothing so what we're doing here is we're actually going to assign the owner all rights uh the group no rights and other or everyone no rights and i want to do that specifically for the private folder so it comes back and tells us well it's changed those rights from 775 to 700 basically and that's pretty much what we want so if i go back and ask it you can see down the left-hand side how the c admin user in other words the user account the owner of that folder has got to read write and execute permission everybody else including the ac admin group and members of it doesn't have any rights that's exactly what i want now when it comes to open ssl it's it actually keeps track of serial numbers that it assigns to certificates it also keeps the status of certificates that it's assigned plus all the actual certificates assigned it keeps track of all these in certain databases if you will pretty just flat database is nothing complicated uh just files so when it comes to the serial number it just needs to be a number basically but what we can do is just throw in say some hexadecimal number for example so that when that serial number goes out it's not so obvious and so i can actually use the open ssl command for that i will use the random option in there but i'm going to use hexadecimal 16 characters for example and i'm going to output the results to a file called serial in the ca folder so it's now created that we didn't get any feedback because the output was sent to ca serial so if i actually ask it well what's what is the contents of that file layer that we've created called serial and you can see it's just one big long hexadecimal number now when we actually run open ssl the way we're going to actually have it configured is that we're going to be telling it to that to actually go to this file called serial for the next serial number for the next certificate just to assign so it's it's actually pretty simple to be honest it's just going to come to this file take that number assign that to the certificate when it gets signed it's then going to increment this number to a different serial number and it'll store that in a serial file so again it doesn't necessarily have to be hexadecimal but yep we're doing that just sake of making things a bit more complicated and for anybody trying to guess you know some sort of sequencing numbers for example now one of the file that i need is going to be an index file so this is basically the index if you will or database of the actual certificates that open ssl has created or at least within this folder for us when it's being used so when we're actually beginning it doesn't actually need any content so that's why i'm using the touch command i'm just saying basically just create a file called index in the c8 folder so if i actually ask it well what's the content select file it comes back as empty doesn't need anything in it because when we run the index file open ssl is actually going to populate it and so that index file is going to keep changing it's going to get bigger and bigger as more certificates get added it'll give you details about the certificate that's been assigned and a serial number that's been assigned uh what the actual common name is for example uh what the actual status of the actual certificate is and so on so there is a bit of a database thing going on here but that's pretty much it as far as i need to go as far as the initial setup because now we actually need to get started with actually creating certificates and so on but the very first thing we need is an actual private key because we have to actually be able to sign certificates in the first place and we actually sign them with a private key now we're actually remotely connected into the actual root certificate authority uh through our actual management computer one thing i'll actually point out though is that i'm actually connecting in through vmware's remote console software i just minimize this i'll come back to actual esxi here when you actually connect in through the console you've got options you can either connect to the console through the web browser or if you click on the console option here there's another option which is to launch remote console so that's this vmrc software the only problem is if you're just going through the the browser console you can't actually copy and paste even if you put the actual guest tools installed you still can't you know copy and paste uh into an actual console through the web browser so for that reason i've actually downloaded this vmrc software and installed it but it doesn't actually run you don't run the application then start connecting instead you just go to esxi pick out the virtual machine you want then you click on console and then you click launch remote console that then launches the actual application which then gets me a different kind of console session if you will so now the good news is i can actually copy and paste into this terminal session so i've logged in as ca admin uh into that server it's the only user i've got on there anyway but it means i can now copy and paste and that's very important because the next thing we want to do is to create a private certificate key for example there's going to be configuration commands and all sorts we need to put in later on and copying and pasting is going to be extremely important so because i've got this software installed on my linux computer i can do that now so the reason we want a private key on this computer is well the whole way this cryptography works is it's based on using a private key to sign certificates so the idea is our root certificate authority is going to have a private key it's then going to have a an actual certificate created and we're then actually going to sign that certificate with our private key and we'll then trust that certificate but the key factor here is you need a key to sign a certificate in the first place now once the computers out there trust that certificate they'll then trust any other certificate we create and sign on this computer using its private key so the private key is very very important you don't want to lose it and you don't want anybody being able to compromise so this particular computer that i've built and the hard drive is encrypted so it's a case of even if you can get a hold of this hard drive itself you're going to struggle to be able to decrypt the contents but even if you could i'm going to go one step further and i'm actually going to protect the actual key that i create so that not just protects it while the actual computer is at rest but also while it's actually up and running if somebody could actually somehow get access into this computer or if somehow the actual key got off this computer and went somewhere else by accident it'd be a case of you'd need a passphrase to be able to use the key so for that reason i am going to copy this command from my computer that i've connected into on this management computer here which we're then using the ssh into this ca server i'm just going to right click in here paste and we've now got a little command here so basically what we're telling it to do is to run the open ssl command now one thing i'll point out is i'm in the ca folder actually and if i go to ls dash l these folders do show up a lot better than they did when i was connected into the console of the actual server itself they're in a lighter shade of blue which is a lot better but i'm connected into this specific folder because everything that open ssl is going to be referencing is going to be found in this form so it makes sense to actually you know park yourself here so we've i've switched over to that folder and every time i want to use the open ssl command i'll just switch into this folder so again just do a quick paste so to create the actual private key we're on the open ssl command and we're telling it to use the rsa algorithm so gen and rsa so i'm telling you to basically generate a key using the rsa algorithm now over here we've got an option dash aes256 so we're using the aes algorithm 256 bits and we're using that to actually secure the actual key now the key itself we're actually telling openssl to send the output to our private folder and to a an actual file which we'll call root ca dot b by putting this parameter in here this aes-256 uh here what i'll actually do is it'll send the output will create this file and it'll actually protect it with an actual passphrase when i hit return it's going to actually prompt me for a pass phrase and it will then ask me to confirm that pass phrase and what it'll mean is we'll end up with a file which if we actually want to use that key going forward every time you want to sign a certificate it's going to prompt us for that same password so we'll you know it's a password we want to know um to be able to use again so it's a case of if this protects the actual key itself even if somebody does manage to get access to it you can't use it unless you know what the passphrase is and to be extra extra safe for ramping up the actual size of the actual key that we're creating to 4096 bits now on a server a key size like that at the moment doesn't usually make all that much sense typically you'll find to be about 2048 bits because the idea is that a server is going to be regularly using its key and to be able to sign things encrypt and decrypt traffic so on a server it doesn't really make sense to have a very very big key size because it requires much more processing power this type of key that we're creating is just being used to sign certificates on the other hand so it's only going to get used every time we need to actually create a certificate so it's it's not that big of a deal about the actual size of the key so it makes sense to to make a you know big key size so i'm just going to hit return off it goes and creates the key so it says there it's generating rsa private key now it's now prompting me for a passphrase so that was just went through a process of generating random numbers um i'm going to put in a passphrase now what i would suggest is to make this a very long passphrase put it into an actual password database and keep that very secure that makes it much much harder because this is a video i'm more prone to making mistakes in which case i want to try and keep this as simple as possible for me but in a in a real production environment even an actual training lab even on your own home network it still makes sense to use very very strong um passwords basically so i'm just gonna hit return and now he wants me to enter that same passphrase again just to confirm it okay so unfortunately i did actually type the right one twice so i've now actually got a key so if i have a look in that folder uh i wouldn't want to be using slash because it's not this root so you can see it's actually created a key it's called root ca.key you can call it whatever you like it's a target for you but because it ended in that private folder only ca admin has access to that actual file and and that's because we set up the actual permissions early on to actually restrict who can get access to this folder so this makes a lot of sense i mean we're being very very careful in terms of security and since it's you know the hard drives encrypted the files also being protected by an actual passphrase so the downside that i've got is every time i want to actually generate this certificate whether it's a certificate for a server whether it's going to be a certificate uh for itself i have to remember what that passphrase is i have to be able to put it in i'm always going to be prompted with all these commands but it is well worth it for the security because everything hinges on trusting this one computer if this computer gets compromised yeah it all comes down like a pack of cards but the good thing is we now actually have an actual private key we can use to now start signing certificates now the next thing we need to do is to actually start generating our own certificate request which we'll then sign but before i even do that the next thing i actually want to do is to create a configuration file that this computer will be using as an actual certificate authority there's a lot of parameters go into running that open ssl command and life is a lot easier if you put most of that into an actual configuration file it makes the whole process it was this far less information you've got to put into the actual command itself you just reference it back to the configuration file so what i'm going to have to do is get my actual config file and then paste it onto this computer and then what i'm going to have to do is actually use that to actually then start creating things like generating the certificate requests we want to be able to sign certificate requests as well to generate the actual certificates now made the screen a bit bigger uh hopefully you can see a bit better but what i've got here is a configuration file for our root certificate authority the idea is that we can actually run the open actual open ssl command and we'll be able to reference back to this configuration file rather than having to keep putting lots and lots of information into it so there's a lot to cover almost standing in here but i'll i'll touch upon certain things that are particularly important at least the ones that are they are anyway so whenever you actually use open ssl as a certificate authority it's always going to reference this that's what this ca bit means you run the actual urban ssl command and you put in the parameter ca and that's when you're referencing this config file that's where it knows ah yeah you want details about the certificate authority and then in that particular section as you can see it's then referencing another section which is ca dash underscore default so this contains various things like the directory so that's the basically the root uh of the folder that we're in if you will um in our case it's actually the ca folder so telling it certificates go in the certs folder new certificates and new certs the database is an input file called index your serial file is called serial we've also got this entry here which is rand file with this is basically an actual random file uh or rather this is where the actual computer is going to generate random numbers that it uses for uh for its cryptography purposes so we're actually going to get it to work on this file every time it's you know generating random numbers and so on it needs a file to be able to store all that sort of information in so that's what we've got this line in here for and then down here we're telling you what the certificate is what the private key is so these are these are the ones we're going to create i mean we've already created our root ca dot key we're yet to create the actual certificate itself but we'll be using this configuration file to do it hence why i've created this the actual config file first pretty much all of the things we're going to be doing is going to involve shark 256 that's why i'm using that default ds 365 typically because of the way i'm working is i'm going to be mostly generating service certificates we don't have um two layers if you will of certificate authority so i'm just going to be creating mostly service certificates which are going to last streams in 65 days so i don't have to actually reference that when actually create certificates i can just reference it to the config file and it knows that the actual expiry is going to be in 365 days time we then have what's referred to lowered down a service distinguished name here so these are all the basic these are all the details about the actual company and the computer itself but this all gets referenced further up here by what's referred to as the policy and it's actually asking what is the policy that you're operating so we're referencing a section called policy underscore strict because this is a strict policy that we want we want the country name to be supplied we want the state or province name to be supplied the organization name has to match our actual organization name that we're actually using with this certificate so when we create this certificate we'll actually give it a particular name and we actually want to use that same one for all of the certificates we create going forward now the thing what you can do is i mean this is all intelligent to you as to what you do but for me all of this is all within one local network so this makes a lot of sense now if on the other hand you're you know working in a company and you're going to have offices in different countries for example different departments different branches you'll probably want to change these and make them a bit more loose if you will so you may not necessarily want the organization name to match because you might have multiple companies within that main company so you know it's entirely up to you but in my case it's just a lab so i'm just going to do that we then get into an organizational unit name which for me it's not that important so i'm just leaving that as a sentence optional you don't have to put that in you will be prompted it's up to you when you supply it the common name is well we don't necessarily know what the actual name of the computer is in advance so for that reason we're just going to say that it's supplied it is a very important name because this is for server for example this is the fully qualified domain name like you know www.microsoft.com that's what's referred to in the certificate and as the common name the idea is that when you actually connect to the actual computer you connect to it to it through its domain name and that's what certificates got to align to most of the time you can use ip addresses but most of the time you'll be expecting to connect through the domain name and then the email address again i'm leaving that is optional now all this information is important to the actual company that's actually providing the certificate because they've actually got a vet uh the requester against you know the public records to so it's a case of do you actually own that domain what are your business credentials are you a legitimate business for example so that's what all this information is for it's not just specifically for the server it's a case of does this server actually exist and who does the server belong to is the person requesting the certificate the actual order all of those are important things to when to go into this actual certificate request uh so that's very very important for that reason because everything's based on trust you're trusting the certificate authority server and you're you're relying that on them to actually fit and the people who are actually requesting these certificates that ultimately are going to be you know connecting to their servers with so it's a case of yeah this is it is very very flexible in terms of what you do it depends on what you're going to be using the certificate of authority for but for me i've gone for a relatively strict policy but that's what that is it just references basically that and then that references later on down to this so this is another section that we've got which is the req whenever you actually place a request for a certificate uh service certificate for example within open ssl will be a an req command or parameter so whenever it sees that it will be referencing information on here so for example and i'm just going to use a default size of 2048 bits so rather than me having to keep putting that into the command line every time it's there as the default same as the message digest again sha-256 but it does need to reference this distinguished name which is this block lowered down so what that basically does is whenever you actually ask it to generate a certificate and signing a request it basically looks into this section here ultimately and it's saying well i want to know what the country name is and it gives you that and in the left-hand side what you'll see i mean you'll see as we go along but in the left-hand side you'll see this information where you'll be prompted for the country two-letter code down here we've got the default settings so these are applicable to me and so for example the default country name is going to be gb uh the default state or province name will be england the organizational name by default will be templar that's what i've called it because it's my temporary love so you get asked all of these questions these are the default settings the idea is when it actually asks you about what's the country name if you don't actually enter anything then it'll just assume you want it to be gp uh same as the state of province it'll assume you mean you want to use england it does actually tell you what the defaults are if you just hit return so while those sort of options like the organizational unit name we in the email address we don't particularly care about you will still be prompted with them it's just entitled to use to what you provide but within a real certificate and a real certificate authority they will want to know what your email address is in case something doesn't work if they have any problems they need to know who to actually contact so that's what the email address is for for example down here we have another section which is b3 underscore ca this makes sense when you're actually creating certificates for an actual certificate authority if i go a bit further up there'll be a section if i can find it where it actually references there it is there the x509 sec extensions whenever you're creating these certificates it wants to you know sign it with certain extensions based on x509 which is the uh system we're using here so whenever you put in that x509 setting there it's a case of you've got to tell it what to you know what the settings are so there's all sorts of information you put in but what i can do is i can just reference it to either this section free for example if i wanted to create an actual certificate authority certificate if i want to create a user certificate i can reference it to this section here if i want to create a server certificate i can reference it to this section here and you can see there's various different settings depending on what it is you actually want to you know what type of certificate you want to create but by default because most of the things i'm going to be doing is an actual server certificate i've got the default settings set the server cert which is this section down here so i don't particularly tell it which type of certificate we're interested in it's just going to revert to you know issuing a server certificate but anyway that gets us our configuration file which we can now use to generate our own certificate and server requests or any other for that but also to be able to sign certificates as well so we've now got a private key and we've got a configuration file that we can reference so the next thing we actually want to do is to create a self-site certificate because that's basically what it's you know what's at the heart of all this is we're going to have a self-signed certificate because ultimately there's nobody out there can trust the actual root certificate authority this is not possible you've actually got to trust a self-signed certificate from ultimately the root certificate authority and then you trust all the certificates that it signs going forward so the good thing about ssl is we can actually bundle things into one command line so i'm just going to copy this command paste that into the command line and explain what all this means because basically what we're doing is we're actually creating the certificate signing request and we're actually signing that certificate signing a request to ultimately give us a self-signed certificate all in one line so we're running the open ssl uh command back here and then we're placing a request then referencing it using the config parameter to our root.ca.com file that we just created now because i'm actually going to be creating an actual certificate authority server certificate and the actual config file is set to by default actually set up certificates for servers i've got a reference and i'm going to tell it to use the extensions v3 underscore ca so that's what you know if you go into that config file you can see there's a section called v3 underscore ca which references certificate authority servers now i'll actually go to sign this actual certificate signing request so i'm giving it this dash key parameter to point it to the actual private key here so that's the key that we created earlier which is in our private folder i want to create a new certificate here and a new request and i want to use x509 as part of the process so in that config file as details about x509 by default for us it's referencing server keys hence why i've got to have that extensions in there another setting i've got to put in as well is the number of days for expiry typically with a server uh you'll probably have like 365 days so by default i'm running the config file with a setting of 365. for an actual certificate authority server now if you have a route you might be using like 20 years or something um for a sub-certificate authority or in our case we've just got one server we're gonna go for a bit less of 10 years the chance of this thing still been around in 10 years has slimmed and non-existent but you know you can be a bit more flexible you don't necessarily have to go with that amount you can put in more if you like put it less entirely up to you now the actual final result is the actual certificate itself this is going to be a self-signed certificate uh for the certificate authority that we'll be trusting so for that reason we need to tell openssl to send the output somewhere so we've got this dash out otherwise it'll just pop out on the screen basically and we want to put it into the certs folder and we're going to call it root c dot crt now the name at the end is entirely up to you there's a lot of different names get used out there the actual format is always the same at this pem format so it's entirely up to you what you want to actually call that but that just happens to be one of the dynamic conventions that gets used so i'm going to hit return not surprisingly because we actually protected our actual private key with a passphrase it's now actually prompting me for the actual passphrase because we're actually asking this to create a signed certificate with a private key and because of that i need the actual passphrase so i'm going to put in my passphrase and because we're actually generating this self generating a certificate signing request we've got to go through this process of actually answering the questions for the distinguished name or dn if you will this is all the information that a business is going to vet uh the actual requests are full it's all the information that's going to go into the certificate so that the user who's actually you know looking at the certificate on the server can actually check if it aligns with what they expect so like i was saying um earlier it's a case of we've got all this information that we've put in the config file so for example we've got the details here saying oh couldn't rename two letter code and by default it's giving me gb uh so if i just hit return then this certificate signing request is going to use gdb as the country name i can change it to something else but in my case that's exactly what i want so i'm just going to hit return it then asks for my state or province so for me the config file is set to by default england so i can just you know accept that if i wanted to and then hit return it's now asking me for a locality name now i didn't put any details in the actual certificate or rather in the configuration file i should say for this i didn't give it a default setting and it's also something that i'm not overly concerned about so by default it's just black so if i want i can just hit return just accept that for the organization name we did put a default in there for temp called template so in my case that is what i want so i'll just hit return it wants an organizational unit name again i'm not too fussed about that i didn't set a default setting so i'm just going to hit return now this is where it gets a bit interesting because it's asking for the common name so if you connect to a web server for example that would be the fqdm that's the fully qualified domain name that you would typically type into your web browser to connect to the server you can set these up for ip addressing if you like but or at least when it comes to the ultimates i should say because typically though a certificate especially these days is a lot more strict really wanted to be using fully qualified domain names now this particular certificate is a bit different in the sense that this is a certificate authority certificate we're not actually going to be using an fqdn for example to connect to this computer so we don't actually have to have an actual name that lines up with something that we're going to be using so we can just use something that's a meaningful name if you want and it doesn't even have to be a fully qualified domain it can just be a host name for example it could be anything you want as long as it provides some sort of meaning to identify um what this certificate is basically for and who it belongs to so for that reason i'm just going to call this one root ca so again i've got no domain details in there i'm just calling it roots here because this is my certificate authority so i'm just going to hit return it now wants to know well what's your email address again i'm being a bit flexible here i don't particularly need to know if you were doing this on an official certificate authority server that is information you would want to know um but as i say in my case i'm not too fussed so i'm just going to hit 10. and that's it so if we do ls slash certs for example uh don't want to slash because i close the route you can see there's now a an actual file out there which is called route ca.crt so that is actually the actual public certificate um that now belongs to this server this is the certificate that we're actually going to be trusting going forward it means to say the actual you know extension can be quite flexible it's not that important for more systems i should say but what i can do is i can actually run another command because if i if i actually just read that if i do um search slash i can just tab that out and that's just gobbledygook it's just a bunch of random letters numbers it doesn't really mean anything to someone like me i have no idea what that means but what i can do is i can actually use urban ssl to actually read that certificate and make it a bit more meaningful so if i use the command open ssl i'm going to tell it want to use x509 because that's what we're interested in is this is the next 509 certificate i don't want the actual outputs coming out to um for this particular uh case it's a case of i don't want to you know send the results off to an actual um specific file for example i want to see it on the screen and i also want it in a text format so it's new or something that i can actually see and it makes it more easy to read and then i actually have to tell it what the actual file is that we're reading in so i'm referencing that certificate that we've just created now if i hit return it's just gone off the screen now fortunately i can scroll up the screen if i want to another option is i can just type that out tomorrow for example and it'll actually pause it so what we've got here is it's saying oh well this is a certificate say that's the first line so it's telling us that we've got a certificate i'm going to scroll down a bit uh we're using version three for all the same process here for the certificate authority stuff it's giving us a serial number for that certificate it's telling us that the actual algorithms sha 256 now the issuer of the certificate so that's the the actual certificate authority that signed it the country was gb um the state or province was england the organization was templar and the actual common name or fqdn whatever that would have been is root ca so that's exactly what we'd expect now the validity of the certificate which is basically around the actual expiry information is saying that this particular certificate is valid from this particular day this particular time to this particular year and then that's the expiry so you can't use it before that time date and once you get past this time and date the certificate will expire it's not surprisingly it's 10 years into the future because that's what i've asked for an actual 10-year certificate now the subject is basically the server details that requested the certificate in the first place now in our case this is a self-signed certificate so not surprisingly the subject and the issuer are exactly the same it's a self-signed certificate root ca which is our computer created this certificate request and then signed it using its own private key so that's why those two are exactly the same when we create server certificates you'll find that the subject well the cn will be the fqdn of the server but then uh the issue of the certificate will be root ca so i can just hit space it gives us a bit more information about the x5093 details this is all this stuff that we've been putting into our config file for example one of the key things is that where it says ca equals true basically so what it's saying is this certificate is actually a certificate for a certificate authority on a server that should be false we don't want that to be an actual certificate authority and certificate we do not want uh servers out there spinning up their own certificate authorities or anything this particular server could but it's a case of well we're only using like you know one branch level this is the route and that's it but it just means that this could potentially be used to create other certificate authority servers you can basically create anything um so that's pretty much it we've now got private key so we can sign certificates going forward but we've also got a public certificate now what we want to be able to do is well we want to be able to test this we need to be able to actually test that our computer will actually even trust this actual certificate and when we sign a service certificate we even need to be able to create a service certificate assigned in the first place so that's the next step is to actually create an actual certificate for a server now if you want to actually give an actual computer or an application an actual certificate that you're going to be able to trust you have to actually generate a certificate signing request and to generate an actual certificate signing request you need a private key now it really depends on the actual application and it's different ways to go about all this uh fortunately we've got this standard system in place when it comes to creating these keys which means for a lot of the systems that are out there we can actually create the private key and the certificate signing request on our actual certificate authority server and that's especially true in the case of say like this apache server we're going to be testing against that's just another ubuntu linux server so it's pretty straightforward for me to actually do all this on this server send all the results to that other server and then we can test it from there but again it varies so this is just an example of how you can actually do that you know using open ssl and linux so the first thing i've got to do is to actually create the private key for the server in the first place so i'm going to run this command i'm just going to copy this command kind of similar to what we did for setting up the private key for the certificate authority server we're just being a bit more flexible when it comes to the bit size because if we make it too big it's going to put a much bigger load on the actual server so 2048 seems pretty much the norm these days what you might notice is that we've still got this gen rsa command here and we've still got an out parameter tell it where to send the actual um key to but one thing that's missing is the dash es 256 parameter and that's just because we don't actually want to protect this key with an actual password because every time you want to use the key which means every time you want to start the actual server for example you'd have to put that password in which isn't all that practical so for that reason we're not going to protect the key we're actually going to still generate a key we're just not going to protect but it's a case of you still want to guard that key it's private to the actual um server that's going to be serving content so pretty straightforward open ssl gen rsa dash out we're outputting to our private folder and we're going to call this test server dot key i'm giving it a bit size 2048 and that's it pretty straightforward didn't prompt us for a passphrase because we're not protecting it now when it comes to actually getting certificates for service we're not actually creating self-signed certificates we're going to get a certificate authority to actually sign a certificate for us so for that reason we have to generate what's called a certificate signing request that gets sent over to the actual certificate authority server to then sign and create an actual certificate that the server will use the only thing is google well they've introduced a bit of an extra requirement when it comes to certificates that it expects from servers and that's to do with a subject alternate name because potentially computers can be presented as multiple different names you might see it as one fqdn or then another you might see it as like p address and google wants all of that actually included in the certificate so it's not like where you can just generate a certificate signing request and that's it with the command you've actually got to feed it a bit more information to put in the certificate so to make life easier we're actually going to create config names specifically for this first so what i'm going to do is just do the copying and pasting so i want to create a file i'm going to call it test server dash csr.conf and then i'm going to do some copy pasting but i'm gonna have to i'm gonna have to tidy this up it always ends up a bit messed up depending on the um transfer because these are all tabs basically and sometimes yeah they end up just being converted from tabs to spaces so it can get a bit damn a bit messy so basically what it means is that when we create an actual certificate signing request we're going to actually reference it back to this config file because ultimately what i want is i want to be able to point my web browser to a computer called test.templab.lan ordinarily until google enforced this in its web browser that's pretty much all they needed but then they threw in this extra requirement for this subject uh alternate name so you do have quite a bit of flexibility you can call it you know whatever you like and you can have it uh you can have like options for fqdns or you know but the first one we've got references back to the actual common name so that's what we've got there is a dns entry so if i connect to this computer as um you know with test.templab.lan that's going to satisfy google's requirement for an ultimate name for it if i don't put that in the browser's just going to bargain me uh i do have other options i can put more than one dns entry i can also even put in ip addresses so that's an ip address entry so i can actually put in its ip address and even um reference the server through its ip address but basically i'm just putting in some defaults backed out there i'm referencing the section you know this section up this line up here references this part here this line here for the extensions references this one here that one in turn is referencing this one back here but one thing i'm going to mention is the fact that i've got an another line in here which says that the prompt is no in other words there's no point prompting me for all of these distinguished name information it's all contained here anyway so it just saves me a bit of hassle so i'm just going to save this file and i left it in the csr folder because what we'll find out is that when i actually create the test certificate or rather the test service certificate i actually have to reference back to this file so even though the information for this subject alternate name has actually been put into this um certificates request it doesn't get carried over to the certificate later down the line which is a pain so when i actually sign the actual certificate i've still got a reference back to this config file which kind of makes sense in that i should really want to have the certificate signing request and the config file on my server and in this case the whole thing's a lot easier anyway because i can actually do the certificate signing request and create the private key and sign the certificate all on the computer so now that we've done that we've got a config file the next thing is i'm going to copy over the actual command where we're actually going to sign this actual certificate signing request because that's what you'd have to do so we're seeing a request for a new basically a new certificate signing request i'm pointing it to the key which in this case is the test server key that we've actually created now i want this to be using a message digest of sha 256 uh i want the output sent to our testserver.css file so that's what that out parameter is and i'm referencing it to the config file csr test server.csr.conf that we've just created so when i hit return nothing comes back the reason being is when we create that config file there's an entry in there saying do not prompt so it's not actually asking me for more details about the distinguished name about organizational units email addresses and all that's on conf it's all contained within that config file anyway so it makes life a bit easier and the good news is is that when this certificate actually expires i can just keep referencing back to this same information going forward now just to point out and just to be clear you don't actually have to have that there um i think it's somewhere down the line i think browsers at least the vendors were kind hinting that they weren't going to be accepting certificates with private ipa addresses the one fqdns but you know we've got flexibility italian people to us but what i want to do is before i actually do anything with this actual certificate request i can actually test it because if i just look at that particular csr so if i just do say more csr test server dot csr again it's just it's just gobbly good to me it doesn't mean anything but again i can actually read it and so i can actually get it to read in that csr file we don't want an output into a particular file i want to read it text format but i'm going to pipe it out to grip and i basically i'm asking it to add an extra line so once it finds this there's any subject i want to see what the next line is so rather than literally going through the whole certificate i'm filtering it out so if i hit return you can see it's highlighted there's a line in there saying subject alternative name and it's giving me the actual actual details that's been included in the certificate and signing request so we've now got our certificate signing request and what we'll now be able to do is to actually get to use this um with our certificate actual authority server to create an actual signed certificate for the server so now that we've actually got a certificate signing request for our server the next step is to actually create an actual signed certificate that server can use so because we've actually just created that on this computer itself we don't have to transfer it from one device to another so it's just a case of ruining the command to actually generate that signed certificate so i'm just going to copy this and then paste that into the command line here so what we're doing is we're using the ca command within open ssl so we want to use it there's an actual certificate authority we're telling it to use the root ca.conf config file that we've got so this has got all sorts of information that we need so when it goes and checks that config file it's going to be looking for a section called ca for example plus all the other sections that go with it we don't want the output coming out in text format because we're creating an actual certificate and we also need to know what actual certificate signing request we're actually going to read in so that's what the dash in parameter is it's referencing that certificate signing request we also have to tell it where to actually create this actual um science certificate so that's why we've got the dash out parameter so it's going to put that into the search folder and create a file called testserver.crt and then what we've got because we've got these subject alternative names we actually have to reference that config file again to be able to carry that information over from the csr over to the actual actual certificate itself it won't do that if we don't tell it about this information you'll end up with a certificate file that doesn't actually include these subject alternative names so here i've got a dash ext file option which is telling it to reference a file called test server dash csr.conf in the csr folder so that's the file that we actually use to create the csr in the first place and within there we've got information about extensions that we wanted to use so that's the req underscore xt section that's in that config file so i'm going to hit return now because all the information about for example a private key is in that config file the root ca.config file it already knew where to go so now it's just prompting me for the actual passphrase because we're protecting the root certificate key not the server key but we are protecting the actual root certificate key so i need to type in the actual passphrase we used when we created that key hit return and then it comes back and it's basically asking us for like one final check to say are you sure you want to sign this certificate so basically we're creating a certificate that's going to last for 10 years from 2021 to 2022 as the distinguished name information including test.templab.land which is the actual certificate the fqdn if you will that that server is going to present itself as that'll line up with the actual certificate but you can also see it's also got the x509 details uh for our subject alternative name in our case we've got the fqdn information plus an ip address but you don't necessarily need it so basically it's just going to be a certificate that lasts i think i said 10 years it's actually one year um but anyway we're going to sign this sort of select yes and it's saying that there's one of out of one certificate here being certified do you want to commit this effectively it's asking you do you want to update the database with this certificate so let's say yes so it's actually created a new entry in its database effectively so if we do ls slash search uh keep using it that's just the search folder we've now got a certificate called testserver.cot uh if we just do an ls l what you'll notice is this that we've actually got some more files here we started off where we've just got an index file and what it's actually done is it's actually backed that file up and it's create a file called index.old for example so that was the original mp file and what it's done is it's then created a new index file within information about this certificate so if i actually ask it what's in that index uh file now you'll see we've actually got information telling us this is the serial number that was used for the certificate the certificate still valid and this is the certificate that was created for a server called test template.lam it's also actually used the serial key it's actually backed serial key up to file serial.old and what it's done is created a new serial key so essentially it's just taken that that was the original key or serial number if you will that was used to create this one so it took that from the serial file we originally had because if we look at that serial file now you'll see all it's done is it's just incremented that by one and then that's that's going to be the cereal that's used going forward if i look at cereal below and see that's the actual serial number that aligns with the cereal that was used for this you know to create this particular certificate that we've got here so we've now got a key and we've now got an actual certificate so what we've got to do is actually get that information across to the actual server itself so it all depends on the computer that you're using for example it could be a case of you might have an application pf sense for example where you can just copy and paste things in i mean this is probably like the private key for example it might ask for if you're starting from scratch but it's a case of that's information you don't want to be out there yes you're going to be very very careful when it comes to transporting this information now for me this is a root certificate server which is running open ssh so what i can actually do is i can actually copy this information back to my computer and then i can upload that information back to the actual certificate server so what i can do is actually open up another session for example and if we go into there if i do for example scp to copy the files there's different ways you can do it tell me but this is one way we use the scp command i can actually say i want to actually connect into that computer that we've got so this is going to be the user is ca admin it's going to be at 172.16.21.10 i want to reference that one folder for that user uh in the c8 folder i want the certs all within there i think it's called test server dot key flip dot and i want to copy it to just this fold here where i'm at at the minute for example so we're basically just telling it to connect in through essentially through ssh more or less uh pull that file out and copy it back to us because we've we've got open ssh running on that service so it's something we should be able to do so i'll just hit return sccp couldn't resolve the horse name all right yes okay let's take that that should be at so i'll hit return so i want to know what password is so it's saying no such file or directory uh so let's see so ce test server.crt what did we actually ask for we actually asked for the key that was my mistake it should be crt because we're actually requesting a crt file again i've got to put in the password because each each connection's unique if you will so we've always got to log in when we do it and now it's actually copied the file across so what i can then do is say well in that case i want the actual private key as well because i need both because we've created these on the actual certificate server itself i'm going to have to copy them off and get these over to the actual server i could have done some of this on the server i could have created the key on there i could have created the certificate signing request on the server but it's you know material potaro so this time we're going into the private folder and we're asking for the test server key so i'll hit return okay password in and now it's copy those two files so i've now got the two files that the server needs but what i'm now going to do is well first things first i've actually got to get the computer up and running and because that's running open ssh i can actually transfer these two files across to that using exactly the same method so we'll get that up and running and then when we're ready to actually test this on the server i'll bring it back well i've copied across the private key plus the same certificate across to the actual test cell we're using and i've reconfigured apache to use them so we're now connected to the web server through in this case firefox now the trouble is well we've got this big warning here saying potential security risk ahead and it's basically well we've connected using https to test which lines up with the certificate if we click on the padlock you can see it's broken but we click on the details go to where it says connection not secure we click on more information then if we click on this you know view certificate it gives us the details so you can see that it has actually loaded in the proper certificate that we wanted it to use the only trouble is even though this is not a self-signed certificate our web browser here doesn't actually trust root ca which is the issuer so we know that we've created this certificate we know it's not a self-signed certificate as such but the browser still does not trust it so we've actually got to reconfigure this web browser to trust the root certificate authority so i'm going to go to settings privacy and security so i'm going to scroll down here and i'm going to start looking for where it is we put out details in social security certificates so interesting of firefox does actually trust osc ocsp responders but things like brave don't and that's basically the reason why i didn't go down this path of having multiple uh root servers because normally i don't use firefox but anyway in order to get this web browser to trust our root certificate authority we've got to go into view certificates now by default interestingly enough it's it's automatically going to authority so this is a list of all of the actual authorities that are out there all this different certificate root servers out there that it trusts so we've got to add hours in so i'm going to click on import and there's our root ca certificate there that i've copied across so i'm going to click on open now it's saying it's giving us options to what we want to trust this for so technically i'm only investing actual websites but i'm going to select both no particular ones not to click on ok and it's now got this particular actual certificate in its in its list should be in there somewhere well what i'm going to do is i'm going to just click on ok because we've imported the certificate if i click on refresh there you go you can see that the problem has gone away and i do like that on my side i didn't have to restart the browser or anything if i click on the on this it's showing informations about that if i click on the actual certificate you can see that the connection's been verified by an issuer that is not recognized by mozilla so i'm still getting that slight warning because it's a an internal certificate authority but the fact remains is that we've now got a clean connection so it's still secure in the sense that it's been verified by templars by us so yeah it's pretty easy to do and it means that going forward any certificate that i actually create and sign for any other web servers any other devices that i've got in there firefox is going to trust it the only thing to bear in mind is that if i've got an application well if it's relying on the operating systems uh certificate store well it's not this is not going to help because all we've done is updated firefox for example what the beauty of it is is that i've now got firefox trusting that route certificate authority so if i've got other servers out there i mean the pf sense for example i could assign an actual uh certificate to that for example and if i connect to that through uh firefox because it's been signed by our templar certificate authority firefox already trusts it in which case it will trust a certificate that's now been applied for the pf sense firewall but i'll just close that and close that down as well if we go over to here so this is brave for example yes this is a web browser i do prefer now you can see we're connected in the test lab and so i've got this warning oh it's not secure i've got a certificate it's saying the certificate's invalid again it's referencing root ca was that the actual issuer of the certificate but the problem is that we've added in a trust for firefox but it's completely independent of our web browser here they said brave web browser so we've actually now got to update this web browser as well if i want to use it on this web browser so again i'm just going to go to settings on here and we'll go down to privacy and security if we scroll down here we'll go to security and within here it'll be an option for manage certificates so if i click on here if you notice there's no option to trust certificate responders at all i'm not i'm not seeing that anywhere within here to say uh trust or csp for example it's just not theirs that's what's causing me the problems but on here by default it just goes to your certificates so i've got to go over to the authorities option i'm going to then click on import again i want to import that root ca certificate now this does give us a bit more option so it's not just websites and email users that even allow us to trust it for software makers for example so i'm just going to accept all of those uh click ok and now somewhere down here will have an actual entry for org template down there so for example so it's it's giving a list of all the actual certificates it trusts um if we want to revoke this and actually delete this for example i'll go into the ellipsis here and just tell it to delete it for example anyway we'll close the actual settings i'll click on refresh okay that that worked as well so that's good so again i didn't have to actually restart the browser to get this to work so again we've got this nice clean connection where you can see now an actual padlock here so i'm not getting any warning about it being insecure uh if you go over to well it's like these sites are down anyways it doesn't really matter um but padlock here is now closed there's no warning coming up about this particular site and tell you maybe if you're going into a bit more details you might get the same sort of warnings like firefox did saying that technically you're coming in through a certificate that we can't necessarily vouch for on the internet but in our case it's it's happy as larry basically um certificates it is valid and so on so it doesn't have any problems he can dig into the details and so on um there is bits of information missing like the organizational unit because personally i'm not overly in in need of that sort of thing but again it means that if i were to put a certificate on wealth actually we go to our firewall not just complaining because it needs a resubmission if i go to the firewall which is pf sense you can see that one's complaining that it's not secure and that's because this one is using a signed certificate whereas this apache server now it's using a certificate that's been signed by our roof certificate authority in which case we trust the root certificate authority so we're trusting this certificate that the actual apache server is presenting so it's yeah it makes life a lot easier so it would be a case of now for me for example i'll go around the pf sense update that any any server that i've got out there that's got either a you know it's a web server or it's a computer that i'm managing through a web browser interface for example it's presenting itself without its own built-in web server i can go around to that update it with a private key and a new certificate in case of pf sense for example you could just generate the certificate based on the existing key and then send that over the root certificate it all varies depending on how you um how you have to do within that specific application but the principles basically the same and what you end up with is this nice secure connection and the really important thing about this is that going forward once i've got all of my computers updated i should expect to see that same response from any computer i connect to on my network if i now connect to a computer and i see that either the certificate has expired or something more serious has gone wrong but that stands out you look at that i've got no issues with that if i go to there straight away you can see that pops up in red and when you're using firefox it's it's like really in your face with that big banner um but that's the sort of thing i want to see is this guarantee more or less that we're connected to the actual server that we expect to be connected to not this this is something i don't want to see even on my own internal network so there you go not that difficult to configure and set up once you can wrap your head around it i suppose it's a bit fiddly in the sense that it's a still a manual process if you compare it to some of the automated systems out there for example where you can actually buy um certificates or you can actually install a software module on your computer that automatically goes out and connects and update itself that is a lot easier on a test lab like this no that's not too bad there's not that many servers that i'm connecting to through a web browser interface anyway so it's not going to take me that much time to to go around and update all of their certificates so yeah i quite like it in that respect but it's a case of you just got to kind of get your head around it well thanks for making it to the end of this video i really do hope you found it useful if so then do click the like button and share because that encourages youtube's algorithm to suggest it to other people who might find it useful as well if you're new to the channel and you'd like to see more content like this then yeah do subscribe just remember to click the little bell icon though that way you'll get notifications when i send new content out if you've got any comments any suggestions if you want to leave any feedback at all please post that in the comment section below and if you'd like to support the channel i've left links to both patreon and paypal in the description below but above all thanks very much for watching i'll see you in the next video [Music] you

Info

Channel: Tech Tutorials - David McKone

Views: 589

Rating: undefined out of 5

Keywords: openssl install, openssl install linux, openssl install ubuntu, openssl config file, ssl certificate, certificate authority, openssl ubuntu, openssl install ubuntu 20.04, openssl ubuntu 20.04, openssl ubuntu 20.04 install, ca server, certificate authority server, openssl ca server, openssl certificate authority server, how to create ca server, how to create certificate server

Id: nOSl4dmywe8

Channel Id: undefined

Length: 101min 20sec (6080 seconds)

Published: Tue Oct 12 2021