How to Create a Certificate Authority (CA) on Ubuntu 20.04

Certificate Authority (CA) is an entity responsible for issuing digital certificates to make communication secure. Its acts as a trusted third party to the owner of the certificate and the party relying upon the certificate.

Certificate Authority entity could be either public or private. Public CAs are commonly used to verify the identity of websites and private CAs are used for generating certificates for a Client-to-Site VPN, users, internal servers, or individual programs and services within your infrastructure such as local web servers.

In this tutorial, we learn how to create a private certificate authority (CA) on Ubuntu 20.04. Here we are using easy-rsa CLI utility to build and manage the CA Server.

Pre-requisites

  • A node with Ubuntu 20.04 to host CA Server
  • A user with sudo privilege

Step 1: Update your system

First, update your Ubuntu system, run the following command:

apt update

You can skip this step if you are installing easy-rsa from the official repo.

Step 2: Install Easy-RSA on the CA server

Easy-RSA is a command-line tool that significantly facilitates the establishment of a certificate authority (CA) and the management of certificates. It generates a private key and public root certificate.

Easy-RSA is available in the default apt repository. To have the latest version install from the official easy-rsa GitHub repository.

Download the Easy-RSA PKI management tool from Github:

wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

Here have downloaded version 3.0.8. Now let's move the file to the /opt folder

sudo mv EasyRSA-3.0.8.tgz /opt

Now change directory to /opt:

cd /opt

Run the following command to uncompress the .tgz file:

sudo tar xvf EasyRSA-3.0.8.tgz

Rename the directory using the mv command:

sudo mv EasyRSA-3.0.8 easy-rsa

Now make the non-root user the owner of the directory:

sudo chown -R franck:franck easy-rsa/ 

Restrict access to PKI directory, only for the owner:

sudo chmod 700 easy-rsa

Step 3: Setup the CA Server

Here we will set up the public key infrastructure directory and create a public/private certificate for the CA server.

Now change the directory to easy-rsa which was created earlier:

cd easy-rsa

We will create a vars file that will be used to store the organization information

$ cp vars.example vars

Now add the organization information at the end of the file

$ vim vars
set_var EASYRSA_REQ_COUNTRY    "CM"
set_var EASYRSA_REQ_PROVINCE   "Centre"
set_var EASYRSA_REQ_CITY       "Yaounde"
set_var EASYRSA_REQ_ORG        "LINUXSHARE"
set_var EASYRSA_REQ_EMAIL      "admin@linuxshare.com"
set_var EASYRSA_REQ_OU         "Com"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"

Now we will initialize the Public Key Infrastructure directory:

$ ./easyrsa init-pki
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
 init-pki complete; you may now create a CA or requests.
 Your newly created PKI dir is: /opt/easy-rsa/pki

To generate the root public and private key pair for the CA server, type:

$ ./easyrsa build-ca
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
 Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
 Enter New CA Key Passphrase: 
 Re-Enter New CA Key Passphrase: 
 read EC key
 writing EC key
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
 CA creation complete and you may now import and sign cert requests.
 Your new CA certificate file for publishing is at:
 /opt/easy-rsa/pki/ca.crt

You will be asked to enter a passphrase for the key pair anytime that you will need to sign or revoke a certificate. You will also be asked for the Common Name (CN) for your CA, you can use the default one if you want.

The operation will create two main files:

  • The public certificate file ca.crt file that the servers and clients will use to verify that they are on the same perimeter of trust
  • The private key file ca.key in the pki/private directory the CA uses to sign the certificates of the servers and the clients

Step 4: Import CA public certificate

Now we got the public certificate generated, we need to import it onto another server.

Login to the server on which you would like to import the certificate, then perform a remote copy of ca.crt file from the CA server.

scp franck@X.Y.Z.T:/opt/easy-rsa/pki/ca.crt
The authenticity of host 'X.Y.Z.T (X.Y.Z.T)' can't be established.
 ECDSA key fingerprint is SHA256:ffUgP5/d0Z3miOKqxBVoF9JbFvIZFs/gxr7ESBZ0kmQ.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added '139.177.204.145' (ECDSA) to the list of known hosts.
 franck@X.Y.Z.T's password: 
 ca.crt                                                                                                           100%  749     2.4KB/s   00:00

Move the certificate file to the /usr/local/share/ca-certificates/ directory:

sudo mv ca.crt /usr/local/share/ca-certificates/

Now import the CA Server’s certificate using the following command:

sudo update-ca-certificates
Updating certificates in /etc/ssl/certs…
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…
done.

With that, your server will now trust the certificates that have been signed by your CA server.

Step 5: Create the server certificate request and the private key

We can create some Certificate Signing Requests (CSR) on a different server to have our CA sign those requests.

We will use OpenSSL to create CSR file. If OpenSSL is not installed, use the following command to install it:

sudo apt install openssl

Create a directory named server1-csr to keep the CSR and private key

mkdir server1-csr

Change to server1-csr directory

cd server1-csr

Now generate the private key using OpenSSL:

openssl genrsa -out server1.key
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
..................................................+++++
e is 65537 (0x010001)

You can generate the corresponding CSR using the key generated:

$ openssl req -new -key server1.key -out server1.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CM
State or Province Name (full name) [Some-State]:CE
Locality Name (eg, city) []:Yaounde
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LinuxShare
Organizational Unit Name (eg, section) []:Tech-B
Common Name (e.g. server FQDN or YOUR name) []:server1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:

Now you need to copy the CSR file to the CA server:

$ scp server1.req scp franck@X.Y.Z.T:/tmp/server1.req

Step 6: Sign the Server CSR on the CA server

The CSR generated should be signed by the CA server. For that first move to the easy-rsa directory to import the certificate sign request of the server.

./easyrsa import-req /opt/sign-cert/server1.req server1
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
The request has been successfully imported with a short name of: server1
You may now use this name to perform signing operations on this request.

Now sign the CSR using the following command:

./easyrsa sign-req server server1
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
 Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
 You are about to sign the following certificate.
 Please check over the details shown below for accuracy. Note that this request
 has not been cryptographically verified. Please be sure it came from a trusted
 source or that you have verified the request checksum with the sender.
 Request subject, to be signed as a server certificate for 825 days:
 subject=
     countryName               = CM
     stateOrProvinceName       = CE
     localityName              = Yaounde
     organizationName          = LinuxShare
     organizationalUnitName    = Tech-B
     commonName                = server1
 Type the word 'yes' to continue, or any other input to abort.
   Confirm request details: yes
 Using configuration from /opt/easy-rsa/pki/easy-rsa-161486.BI2HwH/tmp.lIqZoF
 Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 countryName           :PRINTABLE:'CM'
 stateOrProvinceName   :ASN.1 12:'CE'
 localityName          :ASN.1 12:'Yaounde'
 organizationName      :ASN.1 12:'LinuxShare'
 organizationalUnitName:ASN.1 12:'Tech-B'
 commonName            :ASN.1 12:'server1'
 Certificate is to be certified until Jan  5 16:57:26 2024 GMT (825 days)
 Write out database with 1 new entries
 Data Base Updated
 Certificate created at: /opt/easy-rsa/pki/issued/server1.crt

From the output you can see the certificate issued under the /opt/easy-rsa/pki/issued/ directory. You can also verify the certificate by listing it:

$ ls -l /opt/easy-rsa/pki/issued

Output:

total 4
 -rw------- 1 franck franck 3996 Oct  2 16:57 server1.crt

With all those steps, you are capable to manage your certificates by yourself for your internal servers. With your CA server, you can sign the certificates for your web servers or for a VPN tunnel for example with OpenVPN.

Note: For security reasons, it's recommended not to run any other services on a CA Server. It should be only used to import, sign, and revoke certificate requests as a stand-alone server.

Conclusion

In this tutorial, we learned how to create a private certificate authority (CA) on Ubuntu 20.04. Thanks for reading, please provide your feedback and suggestions in the comment section.

Leave a Comment