Create Your Own Certificate Authority with XCA

Captions
Hi folks, today I'm going to show you how to create your own certificate authority with XCA. XCA is open source software, and you can check out their website by doing a Google search or going to hohnstaedt.de/xca. When you check out their website you'll see that there are a number of precompiled binaries for Mac OS X, Windows and Linux. If you're running Mac you can install them via MacPorts and Homebrew. Pretty cool.

Once you launch XCA for the first time you're greeted with a blank application like you see here, and you're gonna have to create your first database. So go to File, New Database, give it a useful name, and save the file in a folder that you choose. When you create the database you'll have to give it a password. Remember the password, that'll be a good idea. Now when you create the database you'll also want to set it so that it's the default, so whenever you open XCA it will open up the database for you.

Let's go ahead and create our first root and intermediate CA certificates. We start by going to create a new template. We're going to use the default template for a CA, which makes it easy for us, and then we're going to type in the distinguished name values of our choosing. This will make our CAs consistent with each other. So type in whatever values are appropriate for your country, state, locality or city, organization name and your organizational unit. This is just going to be a template, so we're gonna leave the common name and email address blank for the time being.

We go to Extensions. There's a number of different things you can add in here; for now we'll leave these at the default. Ten years seems to be appropriate for a root CA, so we'll leave that alone. Key usage: the template has already been defined as Certificate Sign and CRL Sign, and we'll leave those at default. Netscape: SSL CA, S/MIME CA, Object Signing CA, that'll be appropriate, and we can give it a Netscape comment to make our certificates a little bit more identifiable when we look at the details. Everything else can pretty much be left at the default. Hit OK, and we have successfully created a template for our CAs.

So we'll go to Certificates and we'll click on New Certificate to create our first root CA certificate. We're going to select our new template that we just created and hit Apply All, which actually sets all of the settings in the above tabs that we looked at earlier. Another important fact is that we are going to self-sign this certificate, because it is a root CA, so it will sign itself. Click on Subject and now finally type in "lab CA root" for our common name. You can name this whatever you like. We're going to create a brand new key for our root CA. We'll choose 4096 bit and we'll hit Create, and we'll have successfully created our RSA key. This key will be used to sign its own certificate. We're going to give it an internal name. Again, this is the internal name that shows up on the left-hand column in the application. We'll accept basically all of the defaults that we chose in our template previously, and we can click through the rest of the tabs to see if we're happy with the rest of the fields. I didn't cover CRLs, but this would be the area where we add a certificate revocation list URL. Once we're good to go we click OK, and we have successfully created our root CA certificate.

Now this certificate will be used to sign our intermediate CA, so let's go ahead and start that process. We go back to Certificates and we're gonna click on New Certificate, and we're gonna follow the same procedure as we did earlier. We'll select our lab CA template and we're going to click on Apply All, which will set all the above settings as before. This time we're going to use the root CA's key to sign this certificate, and that will be used to create our chain of trust. We are going to then select Subject and put in an internal name, this time "lab CA intermediate". We're going to fill out the common name with something similar; we're gonna make it match in this example. We're also going to click on Generate a New Key, so the root certificate has its own key and the intermediate CA has its own key, and this time we're gonna click on Remember as Default, because the intermediate will be used for all future signing operations.

We'll click on Extensions, and we are going to select ten years as well for our intermediate certificate. This will generate a warning at the very end because, technically, well, it's only been a few minutes: this certificate will actually expire a few minutes after the root. So we're gonna adjust the date and time and continue, and after this step we have successfully created our intermediate CA certificate. If you expand the root CA you can now see our intermediate CA certificate listed below, so it is organized by issuer, and as we add additional certificates later on they're going to be expanded underneath the intermediate CA.

Now what you can do is actually export each of these certificates so that you can import them into either browsers or operating systems. When you are exporting this root CA you want to be real careful that you don't accidentally export your CA private keys. OK, we are just going to use either a PEM format or binary format with just the public certificate, and we'll do the same for the intermediate CA. We'll go ahead and export the public certificate and choose the output format. If you switch over to your Finder or your File Explorer, whatever operating system you have, you can actually take a look at those certificates. If you chose a PEM-formatted or text option you can actually open it up in a text editor, and you can see the cipher tags as well as some of the distinguished name attributes and comments, if you chose to export them. You can also take a look at your intermediate key as well and see the same type of detail. And now your certificates are ready for import.

So now we'll show you how to import the CA certificates in Microsoft Windows. If you haven't done it before, it's fairly straightforward. You're going to open up your File Explorer and you're going to locate your root and intermediate certificates. If you double-click on the certificate, the certificate dialog opens up and you can now take a little closer look at the details of these certs. You can see the "Issued to" and "Issued by" are listed below, and these certificates are not trusted, clearly. So we're going to show you how to actually install these into the appropriate certificate stores.

To do that we're gonna go to our Start menu, click Run, and we'll type in MMC. We will select File and Add Snap-in, and we're going to add the Certificates snap-in. We'll choose my computer account, hit Finish and click OK, and we'll expand the certificate store for the local machine. Here is the Trusted Root Certification Authorities and also the Intermediate Certification Authorities, and this is where we will install these certificates. So you go to the root CA certificate. We'll click on Install, now click on Local Machine, accept a dialog, and we're gonna be specific and place the certificates in the Trusted Root Certification Authorities folder. We click on Next, Finish, and we're done. Let's go ahead and close that dialog window. We're gonna do the same thing for the intermediate by selecting Local Machine, and we'll place the certificate now in the Intermediate Certification Authorities folder and click OK, and you'll see that it's successful.

Now if we relaunch these certificates, or if you look at the MMC snap-in again and refresh, you'll see that the root certificate is now installed and it is fully trusted and OK. If we take a look at the intermediate CA certificate, refreshing the MMC, you'll see it now appears, and if you double-click on that, this CA certificate is also trusted and it is signed by the root. Now with these certificates in the appropriate certificate stores, anytime the operating system or applications are presented with a certificate that has been signed by our CAs, they will be trusted and validated.

Now with Mac OS X it's a little bit different, actually a little easier. If you open up your Mac OS X desktop, go to Launchpad and type in Keychain Access, launch the system keychain, and you're presented with a number of different folders on the left. You're going to choose the category of Certificates, and if you click on the System folder, this is where you can place all of your CA certificates. We're going to open up our certificates that we created earlier and simply click and drag these two certificates into your system store. Put in your password or use your biometric. If you double-click on the root certificate you'll see this actually is not trusted yet. Click Trust, click Always Trust, close, and you'll have to use your password again to save that setting, and you now see that the certificate is now trusted. We'll do the exact same for the intermediate certificate authority: click and drag, double-click, and you'll see that this actually is trusted, because we already trusted the signer, or the issuer, of the intermediate, which was our root. We'll also change its trust, and we will put in our password accordingly, and we are now done for anything in Mac that uses those certificates.

Now Firefox is one of those cases where the application does not look at the system store, so on Windows or Mac you'll actually have to go into Firefox's preferences and import these certificates. We're going to just open them up in Firefox with File, Open and install the root and intermediate certificates in this way. So open File, select a certificate, hit Open and choose to trust these certificates. You can actually view the certificate data and see what you're importing, and choose OK, and now Firefox will trust your certificate authority signatures.

And with that I hope you have enjoyed this tutorial. As a quick summary, we have generated a brand new root and intermediate CA certificate chain, and we have created a CA certificate template for future CAs or intermediate CAs. As a follow-up to this video I plan on showing you how to take advantage of certificate revocation lists that you should add to your templates, as well as generating a number of different certificate types and the templates that represent them, such as server certificates, client certificates, a user certificate where you can use that for signing emails, and a number of other applications. Thank you very much for watching. Take care.
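
The same root-and-intermediate chain built with the OpenSSL command line, followed by the check the export step calls for (no private key in anything you hand out). This is an added example, not part of the video or of XCA; the subject names, file names and temporary directory are constructed, and it assumes an `openssl` binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example: OpenSSL equivalent of the XCA steps. Names and paths are constructed.

# Create one CA key and CSR: 4096-bit RSA, as chosen in the video.
# -nodes leaves the key unencrypted, acceptable only in this throwaway directory.
new_ca_request() {  # $1 = dir, $2 = file stem, $3 = common name
    openssl req -new -newkey rsa:4096 -nodes -sha256 -subj "/O=Lab/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Build a self-signed root and a root-signed intermediate in directory $1.
build_lab_chain() {
    d=$1
    # Key usage from the video's template (certificate sign, CRL sign) plus the
    # CA flag; marking both critical is this example's choice.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.ext"
    new_ca_request "$d" root 'Lab CA Root' &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -sha256 \
        -days 3650 -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
    new_ca_request "$d" intermediate 'Lab CA Intermediate' &&
    # 3649 days keeps the intermediate's expiry inside the root's lifetime.
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -sha256 -days 3649 \
        -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
}

# True if the intermediate validates against the root.
chain_verifies() {
    openssl verify -CAfile "$1/root.crt" "$1/intermediate.crt" >/dev/null 2>&1
}

# True if a file holds private key material; run on anything before sharing it.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

LAB_DIR=$(mktemp -d)
build_lab_chain "$LAB_DIR" && chain_verifies "$LAB_DIR" && echo "chain OK"
for f in "$LAB_DIR"/*.crt "$LAB_DIR"/*.key; do
    if has_private_key "$f"; then echo "do not distribute: $f"; fi
done
```

Only the two `.crt` files belong in a trust store; the `.key` files are the ones the loop flags.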
Info
Channel: InfoSec Tutorials
Views: 3,648
Id: 1ZJ2DKL_5Cg
Length: 12min 5sec (725 seconds)
Published: Thu Apr 02 2020