Setting up a Certificate Authority on the RPi

One of the things that I have determined that I need in my system is the ability to create security certificates, especially X.509 certs.  I don't want to have to spend money for certifications that I will only be using internally to my network or in connecting to my network.  I can do this by setting up my own Certificate Authority (CA).  A CA is used to create and sign certificates as being authenticate.  Since I am in a controlled environment I can make sure that these certificates are specific to my needs and since I will not be releasing the public CA certificate, will allow me to control access to my network.

I can use the CA to sign certificates to be used with: my internal network connections, openVPN, and IPSec connections from the outside.  In addition, I need to setup a simplified way of creating symetric encryption certificates.  I will only have the CA open long enough to do what I need to do and then I will shut it down and remove it from my network - so it will remain secure from attack from the outside.  I can also use it at work to do my certificates without being connected to a network so it is even more secure.

I used one specific article to setup my Certificate Authority at xxxxx.  I am repeating the steps here for reference purposes:

Make an SSL Certificate Authority and Associated Certificates

(1) Create the Root Key

[Mydev@xxx My_CA]$ mkdir -p MyCA/cert MyCA/key
[Mydev@xxx My_CA]$ cd MyCA
[Mydev@xxx MyCA]$ openssl genrsa -aes256 -out key/Myca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
.......................................................++
....................................................................++
e is 65537 (0x10001)
Enter pass phrase for key/Myca.key.pem:
Verifying - Enter pass phrase for key/Myca.key.pem:
[Mydev@xxx MyCA]$ chmod 400 key/Myca.key.pem
[Mydev@xxx MyCA]$ 

(2) Create the Root Cert

[Mydev@xxx MyCA]$ openssl req -key key/Myca.key.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out cert/Mycert.pem
Enter pass phrase for key/Myca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:MyState
Locality Name (eg, city) [Default City]:MyTown
Organization Name (eg, company) [Default Company Ltd]:HOME
Organizational Unit Name (eg, section) []:HOME
Common Name (eg, your name or your server's hostname) []:My CERT
Email Address []:myemail@myemail.com
[Mydev@xxx MyCA]$ 

Note: cert/Mycert.pem is the CA's certificate and is public - this needs to be loaded into all clients in the My network.  key/Myca.key.pem is the CA's private key - it is protected by the password MYCAKEYPASSWORD and it should be restricted access so that only root can read it.

(3) Create the First Server key/cert combo

[Mydev@xxx MyCA]$ mkdir myserver1
[Mydev@xxx MyCA]$ openssl genrsa -aes256 -out myserver1/myserver1.My.local.key 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................................++
................................................................................++
e is 65537 (0x10001)
Enter pass phrase for myserver1/myserver1.My.local.key:
Verifying - Enter pass phrase for myserver1/myserver1.My.local.key:
[Mydev@xxx MyCA]$ openssl req -new -key myserver1/myserver1.My.local.key -out myserver1/myserver1.My.local.csrEnter pass phrase for myserver1/myserver1.My.local.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:MyState
Locality Name (eg, city) [Default City]:MyTown
Organization Name (eg, company) [Default Company Ltd]:HOME
Organizational Unit Name (eg, section) []:HOME
Common Name (eg, your name or your server's hostname) []:My OPERATOR CERT
Email Address []:myemail@myemail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[Mydev@xxx MyCA]$ openssl x509 -req -days 3650 -in myserver1/myserver1.My.local.csr -CA cert/Mycert.pem -CAkey key/Myca.key.pem -set_serial 01 -out myserver1/myserver1.My.local.crt
Signature ok
subject=/C=US/ST=MyState/L=MyTown/O=HOME/OU=HOME/CN=My OPERATOR CERT/emailAddress=myemail@myemail.com
Getting CA Private Key
Enter pass phrase for key/Myca.key.pem:
[Mydev@xxx MyCA]$ 

(4) Make a passwordless version of the server key

[Mydev@xxx MyCA]$ openssl rsa -in myserver1/myserver1.My.local.key -out myserver1/myserver1.My.local.key.insecure
Enter pass phrase for myserver1/myserver1.My.local.key:
writing RSA key
[Mydev@xxx MyCA]$ mv myserver1/myserver1.My.local.key myserver1/myserver1.My.local.key.secure
[Mydev@xxx MyCA]$ mv myserver1/myserver1.My.local.key.insecure myserver1/myserver1.My.local.key

Note: this passwordless key is the key that we will ultimately use so that we do not need human intervention when trying to use the certs.  Otherwise you type in the cert password everytime you restart the service.

(5) Import the CA and Cert

Note: copy the MyCA/Mycert.pem, myserver1/myserver1.My.local.key, and myserver1/myserver1.My.local.crt files to the server.  The MyCA/Mycert.pem has to be imported into the certificate store - this is the intermediate CA certificate and identifies the myserver1 certs as valid.

(6) Repeat for the Second cert

[Mydev@My-ib6-devel MyCA]$ mkdir myserver2
[Mydev@My-ib6-devel MyCA]$ openssl genrsa -aes256 -out myserver2/myserver2.My.local.key 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................++
..................................++
e is 65537 (0x10001)
Enter pass phrase for myserver2/myserver2.My.local.key:
Verifying - Enter pass phrase for myserver2/myserver2.My.local.key:
[Mydev@My-ib6-devel MyCA]$ openssl req -new -key myserver2/myserver2.My.local.key -out myserver2/myserver2.My.local.csr
Enter pass phrase for myserver2/myserver2.My.local.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:MyState
Locality Name (eg, city) [Default City]:MyTown 
Organization Name (eg, company) [Default Company Ltd]:HOME
Organizational Unit Name (eg, section) []:HOME
Common Name (eg, your name or your server's hostname) []:My MAINTAINER CERT
Email Address []:myemail@myemail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[Mydev@My-ib6-devel MyCA]$ openssl x509 -req -days 3650 -in myserver2/myserver2.My.local.csr -CA cert/Mycert.pem -CAkey key/Myca.key.pem -set_serial 01 -out myserver2/myserver2.My.local.crt
Signature ok
subject=/C=US/ST=MyState/L=MyTown/O=HOME/OU=HOME/CN=My MAINTAINER CERT/emailAddress=myemail@myemail.com
Getting CA Private Key
Enter pass phrase for key/Myca.key.pem:
[Mydev@My-ib6-devel MyCA]$ openssl rsa -in myserver2/myserver2.My.local.key -out myserver2/myserver2.My.local.key.insecure
Enter pass phrase for myserver2/myserver2.My.local.key:
writing RSA key
[Mydev@My-ib6-devel MyCA]$ mv myserver2/myserver2.My.local.key myserver2/myserver2.My.local.key.secure
[Mydev@My-ib6-devel MyCA]$ mv myserver2/myserver2.My.local.key.insecure myserver2/myserver2.My.local.key

(7) Repeat for the Third cert

[Mydev@My-ib6-devel MyCA]$ mkdir myserver3
[Mydev@My-ib6-devel MyCA]$ openssl genrsa -aes256 -out myserver3/myserver3.My.local.key 4096
Generating RSA private key, 4096 bit long modulus
...........................................................................................++
..........++
e is 65537 (0x10001)
Enter pass phrase for myserver3/myserver3.My.local.key:
Verifying - Enter pass phrase for myserver3/myserver3.My.local.key:
[Mydev@My-ib6-devel MyCA]$ openssl req -new -key myserver3/myserver3.My.local.key -out myserver3/myserver3.My.local.csr
Enter pass phrase for myserver3/myserver3.My.local.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:MyState
Locality Name (eg, city) [Default City]:MyTown
Organization Name (eg, company) [Default Company Ltd]:HOME
Organizational Unit Name (eg, section) []:HOME
Common Name (eg, your name or your server's hostname) []:My ADMINISTRATOR CERT
Email Address []:myemail@myemail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[Mydev@My-ib6-devel MyCA]$ openssl x509 -req -days 3650 -in myserver3/myserver3.My.local.csr -CA cert/Mycert.pem -CAkey key/Myca.key.pem -set_serial 01 -out myserver3/myserver3.My.local.crt
Signature ok
subject=/C=US/ST=MyState/L=MyTown/O=HOME/OU=HOME/CN=My ADMINISTRATOR CERT/emailAddress=myemail@myemail.com
Getting CA Private Key
Enter pass phrase for key/Myca.key.pem:
[Mydev@My-ib6-devel MyCA]$ openssl rsa -in myserver3/myserver3.My.local.key -out myserver3/myserver3.My.local.key.insecure 
Enter pass phrase for myserver3/myserver3.My.local.key:
writing RSA key
[Mydev@My-ib6-devel MyCA]$ mv myserver3/myserver3.My.local.key myserver3/myserver3.My.local.key.secure
[Mydev@My-ib6-devel MyCA]$ mv myserver3/myserver3.My.local.key.insecure myserver3/myserver3.My.local.key