Generating SSL certificate chain in Linux

Captions
Hello and welcome. This video is going to be going over a few things relating to certificates and certificate authorities and the keys of those, and what it takes to get, really, we're going to be focusing on the web server certificate and key that you need to get in order to get your own private-party certificate. That is mostly in relation to a company, maybe a school, a nonprofit organization, so that way you don't have to go and buy a certificate from an intermediate certificate authority who has gone through another, you know, root CA in order to get this certificate distributed everywhere. With a caveat, I gotta say that if you want a quick and easy way of getting it automatically trusted, there is always Let's Encrypt. Type that out, "Let's Encrypt"; you can go and google that and that'll give you a few details. But let's assume that we don't trust Let's Encrypt, or we don't know if Let's Encrypt is going to be around, or whatever the case: we want to generate our own and distribute it throughout, maybe, a company and say, "Listen, this is going to be trusted here on out by order of the, you know, dev team," or by order of the product development team or something like that. Whatever the case, I hope by the end of this video you will have a certificate that will be generated by you and trusted by all your machines, and this material will help you with it.

So the task is to generate a certificate chain with a private certificate authority that we're gonna be generating here. The condition is: given one Linux machine with root access, and that's just for the trust and the web server portion of this; anything else can be done really with a regular user. And OpenSSL needs to be on that. We're really going to be dealing only with Linux machines, and Apache or nginx can be on either one of these. I'm really gonna be dealing with Apache; it seems to be one of the more standard ones, however it seems that nginx is winning more popularity. Either way, they're both really, really simple. I deal with nginx at work and in the past I've dealt with Apache; it really doesn't matter. So let's move on. The standard is, by the end of this video, you should be able to have the root certificate trusted by the machine and you should be able to do these steps here.

So let's go through the steps. Step one is to generate a root key, and with that key we're going to generate a certificate from that key. Next is the intermediate certificate authority key, and then, from that intermediate certificate authority key, we're going to generate a CSR, a certificate signing request. With this certificate signing request we're going to submit that, essentially, to this organization or person to sign this, because it's a certificate signing request to sign that, and then in return we will get back a certificate that has been signed. So we're going to generate the certificate signed by the root CA. I hope that makes sense. A lot of these, I've tried to name the files to make sense and be rather descriptive; if they're not, maybe comment on the video or send me an email or something like that, or if you know me in person just hit me up, say "Hey, that was pretty unclear," and I might revise this video or make comments. All these commands are going to be listed in the description, and they're also available on my wiki, because I like to keep track of things that I have in my own knowledge base there.

So we're going to add the certificate; the final kind of step in some of this is to add the certificate. This portion requires root access: add the certificate to the operating system's trust. The Debian machine that I'm on, this is a unique machine, it's a CI20, it's a MIPS, it's pretty neat. It's a little slow, it really is, but, you know, it does not consume, like, any power. I'm putting the heat gun on this and it's only 75 degrees Fahrenheit, which is 23, yeah, twenty-three point five degrees Celsius, for its output directly on the CPU, and that's really, really not warm at all. But this other ARM BeagleBone I have over here, it was significantly hotter. It's a neat little machine, but let's not go into that.

Let's go and start talking about the next step, which is, really, from this point on, if you are looking at this video as, "I'm a server admin," or "I'm a developer that has a brand new application that's really cool and I want to get this signed. Kevin, what do I need to do?" You need to follow these steps here from seven on, and that is to generate a key on your server, or not necessarily on the server but for the server. Once you have that key, you're going to generate a certificate signing request (notice the theme: certificate signing request) to be signed by the intermediate CA. Okay, the intermediate CA: this will be done by a vendor, the SSL vendor, not necessarily by you. But here in this case I'm going to do it, so you can see the steps, that you can maybe generate your own root CAs and have them trusted by your company or organization as a whole. They're very expensive, guys, so just think about that. So sign that with that intermediate CA that we had up here, okay. And then after that we want to verify it, mostly because we want to instill confidence with our leadership that we know exactly what we're doing, and before we touch something we've verified that it will work and it looks good. We want to ensure quality when we do our steps; I think it's a sign of professionalism. And then finally the web server. You can skip this step if you're passing this information on to someone else, or if you are kind of the middleman, and there's certainly value in that, in just knowing what to do. So with the web server portion, that is, you're going to be taking this key and the intermediate CA's certificate, which is almost always on the vendor's website. Here's our intermediate CA that can be handed out by Apache, and that's why I'm doing it with Apache: because with Apache I can have a special slot, or a configuration line, for the intermediate CA. And that's the truth on why I chose Apache; I figured for a description it might be a little more verbose, it might help. So we will install that on the web server and we'll try to verify again. Actually, I should add that, right: verify again.

All right, moving on to the commands. These are going to be a little slow since it's on this older, really older, really it's just a low-power MIPS processor, but that gives me a chance to describe what's going on. So with this OpenSSL command we're going to be requesting a new certificate, a certificate signed by this key here. It's a self-signed cert in this case here, but the days are rather long, and that's mostly because we don't want to rotate this key all that often. We'd rather put it on the machines and keep it there and make sure that people trust this one certificate, because we can always generate more of these rather quickly once we have this trusted. Ideally this is the only one you need to have distributed out to your machines, and say, "Hey, listen guys, trust this." All right, let's go and walk through this description here. Some of the defaults are in the brackets here. We're going to go into US, the United States; I was in the state of Arizona, so the southwestern region of the United States, and I was in Tempe. I'm just doing that because, we'll say, okay, you know, Acme Anvils as the organization. Let's do "product dev" because we produce the products. And then I am Kevin. I don't need an email there, and none of these options here are really required. We will kind of get into this one here; it's unique, the common name, and we'll get into that one when we get up to maybe step eight.

Okay, so let's go ahead and look at the next command, which is to generate another key. This one again takes a little long, but it gives me a good chance to explain our next step, which is to request a certificate signing request using this key which we just generated right here, and with that I would get a certificate signing request out. The cool thing about all this is that all those names and things like that that we filled in, we can actually fill in as defaults, that way we can make this whole process faster. I'm not sure if you're familiar with environment variables in Linux: you can pass an environment variable without exporting it, a one-time exemption almost, by prepending it in front of the command, and it'll take that environment variable and use that for that command. So it's a pretty neat little trick there. So let's go ahead and do that, because I don't want to sit here and type a whole bunch, since I've already had most of these commands scripted out ahead of time so that I would have accurate, fast information for you guys. So the country is going to be US, AZ, Tempe; organization: none. I really probably should have stuck with a theme and done Acme Anvils; let's do that. It doesn't like that; I tried to do Control-A, which in bash will bring you to the beginning of that line. Common name: let's do Kevin again, so that way you'll see where that will come in. All right, so now what do we have? We have the CSR, the certificate signing request, generated from that. We also have the key, and the cert generated from that key. Our next command is going to be to have this signed by the root key. So we're going to take this, and here's the CA option. So again, this one's slightly reduced in days, because ideally I guess we would rotate this one before we'd rotate, say for example, the root key or our root certificate. And this option here is to create a serial number, and it's similar to BIND, the name serving daemon, the DNS server: it has a serial number option that you need to increment. It's not necessary, but you'll see where it will come into play later when we verify the certificate in a browser; it will be available or visible. It's not necessary, but I mean, it makes us, I guess, seem more professional, even though this might be for just your own private lab. No sense in paying a vendor, paying money for a certificate that will never see the light of the outside world in a lab type environment, which almost everyone, I think, should have, a lab type of environment.

So what we're doing here is we're copying all the certs, which we really only need to do for the root certificate, and adding them to the trust with this command. This says, "Hey, listen, anything in here, just trust it." So look, we've added two of them, which was the intermediate cert and the root cert; we added them. I did it just for ease of use, that wildcard there; it just automatically added it. Be careful with wildcards, as I'm sure all of us know, sometimes they're a little eager, so to speak. All right, we're going to generate a smaller-length key for our server, and we're going to again do the same OpenSSL environment variable here. Organization, let's do Acme Anvils; we produce anvils, they will fall on the Wile E. Coyote. Organizational unit name: prod dev is what we used there. Important, guys, important: the common name here is that this is going to be the name of the server that you will use, the FQDN, or whatever name you're going to be specifying in the browser. Be sure, please be sure, you take note of this. So in this example I'm going to use host.localism, because I'm going to create an /etc/hosts entry for that with this information here, because I don't want to set up a BIND server or, you know, something like, what is that other one, dnsmasq or something similar. I don't want to set it up right now; I just want to get this done.

So all right, the next command is going to generate, from that CSR, the certificate. This is the vital step we've been waiting for, and we're also going to be incrementing this serial number that's going to be generated on the cert. We can even make it something different; let's suppose we do 101, you know, something like "this isn't our first rodeo." All right, you're also looking, saying, "Hey Kevin, look, SHA-1, we shouldn't be using that." I get it. We're going to be using this certificate in another subsequent video, and with that I want to troubleshoot, I guess, you know, what the issue is. If you're watching this video and you want to watch my future video, you'll know what the issue is, and it's nice to have this option even available to us, so we can generate a SHA-1 for maybe an older device, like an older phone, or an older lab, or maybe you still operate a government type token ring network or something. I threw that in there for someone. And you know that if you need a SHA-1, you can generate your own root certificate for all this, so that way at the end of the day you can have your devices working the way you want them. And it's done. What do we have in the current directory? We have the root certificates and the serial number. This is the serial number; you know, let's kind of look and see what it looks like. Neat, all hex. All right, we have the intermediate certificate signing request and key. With the keys, folks, we should probably make sure, you should really make sure, that they're held in a secure location and not readable by the world, as in, change the mode on it. For the time being let's go and leave it; it's not necessarily in the scope of this document or this talk here. We also have the server certs. We're actually going to be passing this one and this one on to the web server; we're also going to be passing on this one.

Okay, so let's go on and verify that certificate. We're going to do plain text, as in, you know, we're just going to text it out, and we're going to grep for that name that we typed in, because again, like I tried to bring your attention to it, this portion is kind of critical: you want that common name to be there, and it is. Our organization is Acme Anvils, all right. And actually, this is not valid; those of you that know me, I'm a vim guy, but I've been trying to use Emacs more just so I can kind of expand, I guess. I have used Emacs in the past; I used to use it very, very long ago when I first started on computers, because I started off on a 486 and it had no internet connection and I didn't know what I was doing. So with Emacs it was actually kind of nice, because you can do F10 and it has a menu option, and when I was operating it, it didn't have a graphical interface, so I was stuck with that terminal Emacs, and it had this menu option and I could select exactly what I wanted from all this. Plus it had games on it, right, and I was kind of young, and the snake game in particular was pretty cool, so I liked it. Neither here nor there; let's move on. And for that combo, just so you know, I did Ctrl-Shift-Backspace, just to get my finger workout in. So here I'm going to mention this just for the sake of, I guess, fullness and being thorough, right: this is optional, but Windows clients like to have pkcs5, and these are cert-key combos. They're kind of nice, because you can have one file that will contain both of them. But no web server that I am aware of, even Amazon's ELBs, Amazon Web Services elastic load balancers, prefer to have a PEM-formatted file. I can't think of a single one other than Windows that does these PKCS files. There might be an advantageous reason to use them; I'm not aware of it. If you do know of an advantageous reason, maybe comment, let me know, email, or find me on IRC and we can have a nice, kind of thoughtful discussion on chat that maybe even others can learn from.

All right, our final step is going to be taking that certificate. Let's do cp certificate over onto /etc/ssl, right, yeah, certs, okay. This is where Debian prefers, and I think even Red Hat, and I like Red Hat a lot, probably more than I do WM; I did again also start off with using Debian-based machines, Debian potato. /etc/pki is, I think, Red Hat's preferred location. And we're going to go and copy the server cert over there, and then to our private. I'm using tmux right here; that's the reason why I'm taking a little longer to navigate. I would have done Control-arrows, which would move you forward and back one word; that's rather nice at times when you've got a way too long command that really should not be that long, but you end up typing it like myself. So let's go ahead and fire up vi and go into, and I don't have Emacs on here, I'm not going to; on this machine I think it would bring it to its knees. So let's go ahead and go to /etc/apache2, and if you're on maybe a Red Hat machine that's going to be httpd, and it's going to be sites-enabled. I already have one here pre-made a little bit because I did kind of rehearse this, just to make sure all my ducks were in a row. This is just for a DokuWiki kind of thing; I'm not even sure if it's actually going to work, because I didn't verify it was going to work, but I did pre-type these commands in here. So let's take note of this, okay. All right, so our certificate file is what we have for our certificate; this is what you would get back from the command. Our last command right here is this; it's generated from the CSR, the certificate signing request, okay. We have our chain file, which contains our intermediate cert, okay. We also have our SSL key, which is private; we actually want to make sure this is protected and not visible to the world. So actually, let's go ahead and nip that there: :wq, I don't think I changed anything.

Okay, one thing I can discuss: let's go ahead and chmod 600. It's kinda nice for that, I guess, and then at least it won't be visible to the world. Let's also do a chown on that, because www-data will want to read that. It should. Perfect. All right, so let's go ahead and do "service apache2 restart". Bam, all right, now that's done. Now let's go ahead and go to 192.168... I get, it gives us an index. Let's do HTTPS. Whoa, what is this? All right, so cool, two things we've done: we have verified, this is our final verification phase, and we're going to go ahead and look to see what certificate it's trying to present us. It is presenting us with host.localism. I haven't done anything with the newly generated certificates here on this local machine, because this is being done on a Xeon-based machine and this is not being done on the CI20, because I fired up the browser from this local machine here. But it's telling me that host.localism is the common name, and that's done for something called SNI, server... what, I can't remember entirely what it is, but it pretty much says, like, listen. In fact, let's go with an example: let's go to kernel.org. kernel.org will redirect us to the encrypted site, which is nice. So let's bring this over, let's look at that certificate, and look at that: the address was kernel.org, and it's saying the common name is kernel.org. So that means that the certificate matches the address of what we requested. That is important, because it means, like, listen, this isn't being done by some intermediary, you know, we're not having our SSL being interrupted and reissued or anything like that. This certificate was signed with that name; that common name is pretty important to have. In fact some things will even break entirely if you don't, so that's why I wanted to make sure that we did that. And it's given us an IPv6 address because we're using IPv6 here, pretty cool. So let's go back.

All right, so we've looked at it; the issuer is Kevin. Remember when I said that we would go back to that and say that, hey, Kevin was the issuer? It's pretty neat that all of that there is owned by us and is secure. So let's go ahead and close this and continue forever, since we want to trust it. The page loaded. It's probably, in fact I know it's not loading the PHP details for DokuWiki, but it does work, and that's what we're looking for. In fact, let's get another warm fuzzy, because we love them so much, and we'd rather have things work than not. In fact, I didn't do the verification I have staged here, which is, before we want to hand it off to the client or someone else, we should probably look to see what the... this is an old command, I need to delete this. This command was the one that works at all; I mean, the difference there was the file name: I never had that file; instead I had a file named server cert, and this does in fact grep for this pattern here, and that is host.localism, and sure enough, that's it. Let's look at this whole file, just so you know what it looks like, and it has the chain of the signing algorithm, which will be, page up, here it is: SHA-1 is our signature algorithm. Awesome. So let's go ahead, and that would have been, sorry, forgive me for that, that would have been step ten, to verify, and then "verify again" is our final verification of running this command right here. Now, the bad one, this one, I think, oh well, I don't need that command. I know the command here; I just want it, I will be sure to get that into the notes here: openssl s_client, and then we're going to do -connect, we're gonna do 192.168.0.17:443. The reason we're doing -connect versus, I think it's -host and -port, is because this way we can do host and port all in one line. Kinda neat. There we go, look at that, we've got a response reply and host.localism is the common name, which is pretty important, and it's telling us it's TLSv1. Pretty, pretty neat. This way we don't have to pay an SSL vendor for certificates that might never actually see the outside of a lab, which I think is pretty important because it's saving some cost, or perhaps you're far more paranoid than anyone else might be in an SSL shop. Whatever the case may be, I hope this video has prepared you for that, in which case I wish you well. I will submit other videos that might describe, I'm planning on in particular, examining the communication with Wireshark or tcpdump, examining what it looks like from an SSL perspective with Wireshark. I think it's incredibly important, because packets never lie; those of you that know me know I say that all the time. And it's also another saying, what I'm saying is, it's like having debug at the network level. With that, I wish you well. Thank you.
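The ten steps walked through in the video (root key and self-signed root cert, intermediate key and CSR signed by the root, server key and CSR signed by the intermediate, then verification) as one runnable script. This is an added example, not the video's own commands from the description or wiki: the organization name follows the video's Acme Anvils, but the hostname host.lab.example, the 2048-bit keys, the lifetimes and the use of SHA-256 rather than the video's deliberate SHA-1 are choices made here. It also adds what a bare `openssl x509 -req` leaves out and what verifiers check for: basicConstraints CA:TRUE on the two CA certificates and a subjectAltName on the server certificate. It needs only the openssl CLI and writes everything into one working directory.

```shell
#!/bin/sh
# Added example (not the video's commands): build and verify a
# root CA -> intermediate CA -> server certificate chain with the openssl CLI.
# Organisation names follow the video's "Acme Anvils"; host.lab.example,
# key sizes and lifetimes are constructed placeholders.
set -eu

# A private config so "openssl req" never depends on the system openssl.cnf.
# The extension sections are what a plain "x509 -req" omits: verifiers reject
# an intermediate without basicConstraints CA:TRUE, and modern clients match
# the hostname against subjectAltName rather than the CN.
write_config() {
    cat > "$1/chain.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
CN = overridden-by-subj
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:host.lab.example
EOF
}

# Steps 1-9: root key + self-signed root cert, intermediate key + CSR signed
# by the root, server key + CSR signed by the intermediate (never by the root).
make_chain() {
    d=$1
    write_config "$d"
    dn="/C=US/ST=Arizona/L=Tempe/O=Acme Anvils/OU=Prod Dev"

    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -config "$d/chain.cnf" \
        -key "$d/root.key" -subj "$dn/CN=Acme Anvils Root CA" -out "$d/root.crt"

    openssl genrsa -out "$d/intermediate.key" 2048 2>/dev/null
    openssl req -new -config "$d/chain.cnf" -key "$d/intermediate.key" \
        -subj "$dn/CN=Acme Anvils Intermediate CA" -out "$d/intermediate.csr"
    openssl x509 -req -sha256 -days 1825 -in "$d/intermediate.csr" \
        -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/chain.cnf" -extensions v3_intermediate -out "$d/intermediate.crt"

    # The CN (and SAN) must be the exact name users will type into the browser.
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -config "$d/chain.cnf" -key "$d/server.key" \
        -subj "$dn/CN=host.lab.example" -out "$d/server.csr"
    openssl x509 -req -sha256 -days 397 -in "$d/server.csr" \
        -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" -CAcreateserial \
        -extfile "$d/chain.cnf" -extensions v3_server -out "$d/server.crt"

    # Private keys must not be world-readable; only root.crt gets distributed.
    chmod 600 "$d"/*.key
    # What the web server presents to clients: leaf first, then the intermediate.
    cat "$d/server.crt" "$d/intermediate.crt" > "$d/server-chain.crt"
}

# Step 10: the chain must validate against the root alone, and the certificate
# must match the hostname. Prints "server.crt: OK" on success.
verify_chain() {
    ( cd "$1" && openssl verify -CAfile root.crt -untrusted intermediate.crt \
        -verify_hostname host.lab.example server.crt )
}

main() {
    d=${1:-$(mktemp -d)}
    make_chain "$d"
    verify_chain "$d"
    echo "chain written to $d"
}
main "$@"
```

Mapping to the video's Apache step: server.crt is SSLCertificateFile, intermediate.crt is SSLCertificateChainFile (on Apache 2.4.8 and later the combined server-chain.crt can simply be given as SSLCertificateFile instead), and server.key is SSLCertificateKeyFile, readable only by root and the www-data user. On Debian the root-only trust step is to drop root.crt into /usr/local/share/ca-certificates/ and run update-ca-certificates; the intermediate does not belong in the trust store, it is served by the web server, which is exactly what -untrusted models in the verify command above.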
Info
Channel: Kevin Faulkner
Views: 17,913
Keywords: Linux, SSL, openSSL, certificate, apache
Id: KXi3-3dEb8k
Length: 33min 15sec (1995 seconds)
Published: Sat Dec 24 2016