CA Certificates

seal, certified seal, certified-1674127.jpg

This is going to be a short post about how to generate CA certificates and import it to store to be used by popular clients such as: chrome or cURL. I'll try to show all main points to go through. Of course, as always, all will be provided with example to make the life easier.

CA Certificates

CA

What is CA (Certificate Authority)? Roughly speaking, this is a special certificate type which are being used to sign a signing requests which finally produces certificates ready to use in i.e. web server.

Get CA - Certificate Authority

The easiest way to get the CA is to download from some secure folder or Vault. This is common way of working in case then you have access to CA which mean you can sign certs by your own.

az keyvault secret show --subscription <SUBSCRIPTION> --vault-name <VAULT> --name <NAME> | jq -r

Unfortunately, in the most cases you are not eligible to have access to CA. Nevertheless, you still can read this post and you will find information for you.

First of all, you have still two options

  • Generate Self-signed CA
  • Ask Security guys to sign your certificate

All these two cases I'll be explaining in the next paragraphs.

Self-signed CA

Self-sign CA certificate is a common practice in the development environments (not for prod). In this case, you have to start with generating a private key.

brass, gradient, key-1293947.jpg
openssl genrsa -des3 -out CA.key 2048

One commend to this. During generating the key you can protect it using password. To check if your private key is additionally encrypted you can find that information at the beginning of the content of the file

$ cat CA.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D8B9F8CD5B599AB3
[...]

Once you have private key generated you are ready to generate CA certificate. To do that please run following command

openssl req -new -x509 -nodes -days 1825 -key CA.key -sha256 -out CA.pem

As a result, we have our own CA. It means that from now we can sign another certificate requests. We can produce as many certificates as we need.

Import CA to store

But hold on for a second. Before you move anywhere you have to do one but really important task. You have to add CA certificate to your store which is used be your client like web browser or cURL

Windows

In Windows we have many options

  • certutil

This is powerful command line tool with many options. We need to get familiar with only two 🙂

To show the imported already CA please run the following command

> certutil -store Root

To import CA (either DER or PEM format) please run the following command

> certutil -addstore "Root" CA.crt
> certutil -addstore "Root" CA.pem
  • certmgr

This is GUI tool (I would call it - clickable). You can examine all the trees with the certificates but the most important is Trusted Root Certification Authorities. This is a please where CA should be placed. Before you try to import the cert inside change the format to DER. Below command will do it for you.

openssl x509 -outform der -in CA.pem -out CA.crt

And that CA.crt you can import to Trusted Root Certification Authorities

  • PowerShell

Yap, no surprise , in Windows you can perform anything using PowerShell. To list the certs you can use Get-ChildItem Swiss army tool 🙂

Get-ChildItem Cert:\LocalMachine\Root

Import aren't over-complicated (Either DER or PEM format)

Import-Certificate -FilePath CA.crt -CertStoreLocation Cert:\LocalMachine\Root
# or
Import-Certificate -FilePath CA.pem -CertStoreLocation Cert:\LocalMachine\Root

Linux

In Linux environment (using cURL) you can fetch page over HTTPS with CA by passing it as a argument.

curl --cacert CA.pem https://your.domain

However, this is not an elegant solution. Much better is to add to store. It was the hardest part for me for ages but some day I spotted that post

Copy your certificate in PEM format into /usr/local/share/ca-certificates and name it with a .crt file extension. Then run sudo update-ca-certificates.

And now you can use curl without additional parameter at least for one more page 🙂

Summary

Having CA in the store and page exposed over HTTPS using certificate signed by our CA you have

  • secured communication
  • no red monit in web browser
  • no asking for certs in cURL

Dodaj komentarz

Twój adres e-mail nie zostanie opublikowany.