Wednesday, 4 December 2013

Juniper SRX - PKI - Certificate-based VPNs - Part 01 - Create your own Certificate Authority with Linux

Hi Everyone,

I was having issues getting a fully functional lab setup with PKI to use for testing Cert-based VPNs. I've pieced the following (functional!) steps together from multiple blogs and official OpenSSL documentation. Hopefully you'll find it useful during your studies.

1. Prepare the Server - Run these from /etc/ssl so the tree lands in /etc/ssl/testCa (the directory the config in step 2 points to) - Make sure to modify the email address field; x509ext.txt is the extension file used later when signing certificates, and private/ should stay readable by root only
mkdir -p testCa/{certs,private,newcerts} ; cd testCa/ ; touch index.txt ; echo "01" > serial
echo "subjectAltName=email:your_email_address_here" > x509ext.txt
2. Modify the configuration file (/usr/lib/ssl/openssl.cnf, which on Ubuntu is a symlink to /etc/ssl/openssl.cnf) to use our testCa directory, and reduce the "strictness" when signing certificates (or use the one I've hosted here). The stock policy_match requires the requester's State and Organization to be identical to the CA's own; "supplied" only requires the fields to be present, so this CA can sign certificates for other sites and organizations.
[ CA_default ]
dir             = /etc/ssl/testCa       # Where everything is kept

# For the CA policy
[ policy_match ]
stateOrProvinceName = supplied          # default is "match"
organizationName = supplied             # default is "match"

3. Generate the CA's Private Key (Password Required) - -des3 wraps the key file in 3DES; on any reasonably current OpenSSL, -aes256 is the stronger option and takes the same pass phrase
openssl genrsa -des3 -out private/cakey.pem 4096

root@Ubuntu01:/etc/ssl/testCa# openssl genrsa -des3 -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:

4. Create the CA's Root Certificate (lasts for 5 years) - Fill in your correct details as required, and give the CA a Common Name even though the other fields may be left blank - Do not use underscores, as that character is not allowed in an ASN.1 PrintableString, which is how DN fields are normally encoded. Note that -set_serial 0 is accepted by OpenSSL, but RFC 5280 requires a positive serial number, so -set_serial 1 is the safer choice if any other validator will ever see this certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1825 -set_serial 0

root@Ubuntu01:/etc/ssl/testCa# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1825 -set_serial 0
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Ottawa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
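The four steps above as one non-interactive script. This is an added example and not the post's own commands: it keeps the same directory layout and the same relaxed policy_match, but writes a self-contained openssl.cnf inside the CA directory instead of editing /usr/lib/ssl/openssl.cnf, encrypts the key with AES-256, gives the root serial 1, and goes one step further than the post by signing a certificate from a CSR whose State and Organization differ from the CA's, which is exactly what the relaxed policy permits. The CA_PASS value, the lab@example.com address, the DNs and the file names are assumptions for a lab; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-4 as a non-interactive script,
# plus one signing operation to exercise the relaxed policy_match. Assumes the
# openssl CLI; CA_PASS, the e-mail address, DNs and file names are lab assumptions.
set -eu

CA_PASS="${CA_PASS:-lab-only-passphrase}"   # lab only; never hard-code a real CA pass phrase

# Step 1: directory layout, empty index, serial file and the SAN extension file.
prepare_ca_dir() {
    dir="$1"; email="$2"
    mkdir -p "$dir/certs" "$dir/private" "$dir/newcerts"
    chmod 700 "$dir/private"                     # the CA key lives here
    : > "$dir/index.txt"
    echo "01" > "$dir/serial"
    echo "subjectAltName=email:$email" > "$dir/x509ext.txt"
}

# Step 2: a self-contained openssl.cnf in the CA directory (instead of editing the
# system-wide file). policy_match is relaxed as in the post: ST and O must be present
# in a request but need not match the CA's own values.
write_ca_config() {
    dir="$1"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = supplied
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_md          = sha256
distinguished_name  = req_dn
x509_extensions     = v3_ca
[ req_dn ]
countryName         = Country Name (2 letter code)
commonName          = Common Name
[ v3_ca ]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
EOF
}

# Steps 3 and 4: pass-phrase-protected CA key (AES-256 rather than 3DES) and the
# self-signed root. Serial is 1, not 0: RFC 5280 requires a positive serial number.
create_root_ca() {
    dir="$1"; bits="$2"; subj="$3"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/private/cakey.pem" "$bits" 2>/dev/null
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -passin "pass:$CA_PASS" -subj "$subj" -days 1825 -set_serial 1 -out "$dir/cacert.pem"
}

# Issue an end-entity certificate from a CSR; the SAN comes from x509ext.txt (step 1).
issue_cert() {
    dir="$1"; name="$2"; subj="$3"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/private/$name.key" \
        -config "$dir/openssl.cnf" -subj "$subj" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -batch -config "$dir/openssl.cnf" -passin "pass:$CA_PASS" \
        -extfile "$dir/x509ext.txt" -in "$dir/$name.csr" -out "$dir/certs/$name.pem" 2>/dev/null
}

# Checks: the root has serial 1 and CA:TRUE, and the issued certificate chains to it.
verify_ca() {
    dir="$1"; name="$2"
    openssl x509 -in "$dir/cacert.pem" -noout -serial | grep -q '^serial=01$' || return 1
    openssl x509 -in "$dir/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/certs/$name.pem" >/dev/null
}

main() {
    dir="${1:-$PWD/testCa}"
    prepare_ca_dir "$dir" "lab@example.com"
    write_ca_config "$dir"
    create_root_ca "$dir" 4096 "/C=CA/ST=Ontario/L=Ottawa/O=Lab/CN=Lab Root CA"
    # Different ST and O than the CA: accepted only because policy_match says "supplied".
    issue_cert "$dir" srx01 "/C=CA/ST=Quebec/O=Branch Office/CN=srx01.lab.example"
    verify_ca "$dir" srx01 && echo "CA ready in $dir; issued certs/srx01.pem"
}

main "$@"
```

Run it as `sh make-lab-ca.sh /etc/ssl/testCa` to reproduce the post's layout; every later `openssl ca` call then takes `-config /etc/ssl/testCa/openssl.cnf`, so the system-wide openssl.cnf stays untouched. Signing the same subject a second time fails because `openssl ca` refuses duplicate subjects by default, which is the behaviour you want in a lab where revoked and reissued certificates will be tested later.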

