DIY CA to allow NRPE-NG to communicate without errors
05/12/19 13:10 Filed in: Software Engineering | Security
Whilst playing with NRPE-NG we found that it complains if it does not have SSL Certificates signed by a Certificate Authority.
This article shows how to build a tiny CA specifically targeted at managing certificates in a testing network.
A simple case
We are creating a trivial CA. Real CAs separate some of the roles: the client would create the CSR and send it to the CA, which would return a signed certificate to the client.
Making a Certificate Authority
The first step is to create the key file. This is the source of all security in the system and should be protected.
To make things easier we create a file which contains a pass phrase and store it in the area we are going to keep safe:
rootCA/rootpassphrase.txt
openssl genrsa -des3 -passout file:rootCA/rootpassphrase.txt -out rootCA/rootCA.key 4096
The next step is to create the self-signed certificate based on the key. By default OpenSSL will make a PEM file.
openssl req -x509 -new -nodes -passin file:rootCA/rootpassphrase.txt -subj "/C=AU/ST=Vic/L=Melbourne/O=YourName/OU=SW" -key rootCA/rootCA.key -sha256 -days 10240 -out rootCA/rootCA.pem
This PEM file will be distributed to programs that need to check that a valid certificate is in use.
Making a Certificate
Assuming that we are installing a server with a DNS name of myserver.example.com (this will end up being the Common Name).
Once again we start out by making a key:
openssl genrsa -out myserver.example.com.key 2048
We then create a certificate signing request:
openssl req -new -sha256 -key myserver.example.com.key -subj "/C=AU/ST=Vic/L=Melbourne/O=YourName/OU=SW/CN=myserver.example.com" -out myserver.example.com.csr
Finally we sign the certificate with the CA certificate (rootCA/rootCA.pem, as created above) and the CA key:
openssl x509 -req -in myserver.example.com.csr -passin file:rootCA/rootpassphrase.txt -CA rootCA/rootCA.pem -CAkey rootCA/rootCA.key -CAcreateserial -out myserver.example.com.crt -days 3650 -sha256
We then install the .key, .crt and .pem files on the server.
Important things
The certificate will only work if the Common Name lines up with the name the server presents and the name the client expects. It could be an IP address (be careful if NAT is involved). Other names may be used if a Subject Alternative Name (SAN) is provided.
We have avoided the issue of intermediate certificates.
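The whole procedure above (CA, server key, CSR, signing) plus the SAN point from "Important things", as an added example that is not part of the original post. It assumes the openssl command-line tool is installed; the directory layout, pass phrase and host name are constructed for the example, and the final function performs the chain and host name check a TLS client such as NRPE-NG would apply.

```shell
#!/bin/sh
# Added example (not from the original post): build the tiny test CA described above,
# issue a server certificate that also carries a Subject Alternative Name, and verify
# the result the way a TLS client would. Directory and host names are constructed.
# Requires the openssl command-line tool (1.0.2 or newer for -verify_hostname).
set -eu

# Build a root CA and a SAN-bearing server certificate under "$1" for host "$2".
make_test_pki() {
  dir=$1; host=$2
  mkdir -p "$dir/rootCA"
  # Pass phrase file kept alongside the protected CA key (constructed value).
  printf 'example-root-passphrase\n' > "$dir/rootCA/rootpassphrase.txt"
  openssl genrsa -des3 -passout "file:$dir/rootCA/rootpassphrase.txt" \
    -out "$dir/rootCA/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -passin "file:$dir/rootCA/rootpassphrase.txt" \
    -subj "/C=AU/ST=Vic/L=Melbourne/O=YourName/OU=SW/CN=Test Root CA" \
    -key "$dir/rootCA/rootCA.key" -sha256 -days 3650 -out "$dir/rootCA/rootCA.pem"
  # Server key and CSR; the CN is the DNS name the client will connect to.
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/$host.key" \
    -subj "/C=AU/ST=Vic/L=Melbourne/O=YourName/OU=SW/CN=$host" -out "$dir/$host.csr"
  # Extension file: a SAN for the same name, server-auth usage, and explicitly not a CA.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -passin "file:$dir/rootCA/rootpassphrase.txt" \
    -CA "$dir/rootCA/rootCA.pem" -CAkey "$dir/rootCA/rootCA.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" -days 365 -sha256 2>/dev/null
}

# Client-side check: does the certificate chain to our CA, and is it valid for
# the host name we are connecting to? Exit status 0 on success, non-zero otherwise.
verify_server_cert() {
  dir=$1; host=$2; cert=$3
  openssl verify -CAfile "$dir/rootCA/rootCA.pem" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Demo: build the PKI in a scratch directory and report the client's verdict.
work=$(mktemp -d)
make_test_pki "$work" myserver.example.com
if verify_server_cert "$work" myserver.example.com "$work/myserver.example.com.crt"; then
  echo "chain and host name OK for myserver.example.com"
fi
```

Pointing the client at a different host name (e.g. other.example.com) makes verify_server_cert fail, which is exactly the Common Name / SAN mismatch described above.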