DIY CA to allow NRPE-NG to communicate without errors

Whilst playing with NRPE-NG we found that it complains if it does not have SSL certificates signed by a Certificate Authority.

This article shows how to build a tiny CA specifically targeted at managing certificates in a testing network.

A simple case

We are creating a trivial CA. Real CAs separate some of the roles (the client would create the CSR and send it to the CA, which would return a signed certificate to the client).


Making a Certificate Authority

The first step is to create the key file. This is the source of all security in the system and should be protected.

openssl genrsa -des3 -passout file:rootCA/rootpassphrase.txt -out rootCA/rootCA.key 4096

To make things easier, the command above reads the pass phrase from a file that we create beforehand and store in the area we are going to keep safe:

rootCA/rootpassphrase.txt


The next step is to create the self-signed certificate based on the key. By default OpenSSL will make a PEM file.

openssl req -x509 -new -nodes -passin file:rootCA/rootpassphrase.txt -subj "/C=AU/ST=Vic/L=Melbourne/O=YourName/OU=SW" -key rootCA/rootCA.key -sha256 -days 10240 -out rootCA/rootCA.pem

This PEM file will be distributed to programs that need to check that a valid certificate is in use.

Making a Certificate

Assuming that we are installing a server with a DNS name of myserver.example.com (this will end up being the Common Name).

Once again we start out by making a key:

openssl genrsa -out myserver.example.com.key 2048

We then create a certificate signing request:

openssl req -new -sha256 -key myserver.example.com.key -subj "/C=AU/ST=Vic/L=Melbourne/O=YourName/OU=SW/CN=myserver.example.com" -out myserver.example.com.csr

Finally, we sign the certificate with the CA key and the CA certificate created above (rootCA/rootCA.pem):

openssl x509 -req -in myserver.example.com.csr -passin file:rootCA/rootpassphrase.txt -CA rootCA/rootCA.pem -CAkey rootCA/rootCA.key -CAcreateserial -out myserver.example.com.crt -days 3650 -sha256

We then install the .key, .crt and .pem files on the server.

Important things

The certificate will only work if the name the client connects to matches the name in the certificate: the server must present a certificate whose Common Name is the name the client expects. It could be an IP address (be careful if NAT is involved). Other names may be used if a Subject Alternative Name (SAN) is provided.

We have avoided the issue of intermediate certificates.
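As an added end-to-end example (not from the original article), the script below runs the whole procedure in a scratch directory and then checks the result the way a client such as NRPE-NG would: the certificate must chain to the root and carry the expected host name. It assumes openssl is on PATH, uses AES-256 instead of 3DES for the root key, a 2048-bit root key for speed (the article uses 4096), a constructed pass phrase, a constructed SAN with IP 192.0.2.10, and the helper names build_test_pki and check_cert are ours.

```shell
#!/bin/sh
# Added example: build the tiny test CA, sign a server certificate with a SAN,
# and verify it against the root the way a client would.
set -eu

build_test_pki() {  # $1 = working directory, $2 = server DNS name
    dir=$1; name=$2
    mkdir -p "$dir/rootCA"
    # Constructed pass phrase for the demo; keep the real one out of the repo.
    printf 'demo-root-passphrase\n' > "$dir/rootCA/rootpassphrase.txt"
    chmod 600 "$dir/rootCA/rootpassphrase.txt"
    # Encrypted root key (AES-256 here rather than 3DES; 2048 bits for speed,
    # the article uses 4096) and the self-signed root certificate.
    openssl genrsa -aes256 -passout "file:$dir/rootCA/rootpassphrase.txt" \
        -out "$dir/rootCA/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -passin "file:$dir/rootCA/rootpassphrase.txt" \
        -subj "/C=AU/ST=Vic/L=Melbourne/O=YourName/OU=SW/CN=Test Root CA" \
        -key "$dir/rootCA/rootCA.key" -sha256 -days 3650 -out "$dir/rootCA/rootCA.pem"
    # Server key and CSR; the CN is the DNS name the client will connect to.
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$name.key" \
        -subj "/C=AU/ST=Vic/L=Melbourne/O=YourName/OU=SW/CN=$name" -out "$dir/$name.csr"
    # SAN listing the DNS name and a constructed IP, so a client may use either;
    # modern clients ignore the CN once a SAN is present.
    printf 'subjectAltName=DNS:%s,IP:192.0.2.10\n' "$name" > "$dir/san.ext"
    # Sign the CSR with the root key and the root certificate (the .pem file).
    openssl x509 -req -in "$dir/$name.csr" -passin "file:$dir/rootCA/rootpassphrase.txt" \
        -CA "$dir/rootCA/rootCA.pem" -CAkey "$dir/rootCA/rootCA.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/$name.crt" -days 3650 -sha256 2>/dev/null
}

# Returns 0 only if the certificate chains to our root AND is valid for host $3.
# A name that does not line up fails here exactly as it would at the client.
check_cert() {  # $1 = working directory, $2 = cert basename, $3 = expected host name
    openssl verify -CAfile "$1/rootCA/rootCA.pem" -verify_hostname "$3" \
        "$1/$2.crt" >/dev/null 2>&1
}
```

Run check_cert with the host name the client actually uses; a failure there means the CN/SAN does not match and NRPE-NG will reject the connection.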
