Certificates/Become your own CA

From Gentoo Wiki
This article is a stub. You can help by expanding it.
Various other pages refer to a local setup with a local CA. This subpage illustrates how to set up a root CA with an intermediate CA. At least Centralized authentication using OpenLDAP makes most sense for small networks run in isolation at the lowest cost. To avoid repeating the TLS setup in every article, link here instead once this page is ready.
If you roll your own chain of trust and expose the root's or an intermediate CA's key material, all trust is gone. Only apply changes to an important system if you follow the recommendations. Weakening any link in the chain undermines the security of every system that is part of the chain. Effort is necessary to keep the key material safe and secret.

Applies to:

  • small local networks running a critical number of TLS-secured services (HTTP server, message broker, LDAP)
  • mutual TLS for authentication in a local network, especially for hosts that don't have any user input options

Basic steps:

  1. create the root CA's private key material, stored offline and externally
  2. create the intermediate CA's private key material, stored offline
  3. file the intermediate CA's CSR with the root CA
  4. the root CA signs the CSR and the resulting intermediate CA certificate is sent to the intermediate CA
  5. the intermediate CA signs CSRs for server certificates
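The five steps above carried out with the openssl command line, as an added example that is not part of this wiki page: a root key self-signs the root certificate, the root signs the intermediate's CSR with pathlen:0 so it can only issue end-entity certificates, and the intermediate signs a server CSR. A final check verifies the server certificate with only the root trusted, and a second function shows that a certificate issued by the server key is rejected. The names (Example Root CA, Example Intermediate CA, ldap.example.lan), curves, validity periods and file layout are assumptions; in real use the root key is created on an offline machine and never copied to the host running the intermediate.

```shell
#!/bin/sh
# Added example, not from the wiki page: two-tier CA with openssl, then a chain check.
# All names, curves and lifetimes below are assumptions for illustration.
set -eu

new_ec_key() {                      # $1 = output file, $2 = curve name
    openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$2" -out "$1"
}

# Builds root -> intermediate -> server in directory $1 and prints the result of
# verifying server.crt against root.crt alone ("server.crt: OK" on success).
build_chain() (
    cd "$1"
    # step 1: root key and self-signed root certificate (CA, cert/CRL signing only)
    new_ec_key root.key P-384
    openssl req -batch -new -key root.key -out root.csr -subj "/CN=Example Root CA"
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > root.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile root.ext -out root.crt
    # steps 2 and 3: intermediate key and its CSR (the CSR is what travels to the root)
    new_ec_key int.key P-384
    openssl req -batch -new -key int.key -out int.csr -subj "/CN=Example Intermediate CA"
    # step 4: the root signs; pathlen:0 forbids the intermediate from creating further CAs
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > int.ext
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile int.ext -out int.crt
    # step 5: the intermediate signs a server CSR (CA:FALSE, SAN set for TLS clients)
    new_ec_key server.key P-256
    openssl req -batch -new -key server.key -out server.csr -subj "/CN=ldap.example.lan"
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:ldap.example.lan' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > server.ext
    openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 397 -extfile server.ext -out server.crt
    # Only root.crt is trusted; int.crt is supplied as untrusted, as a TLS client gets it.
    openssl verify -CAfile root.crt -untrusted int.crt server.crt
)

# Returns 0 only if a certificate issued with the *server* key is accepted.
# Because server.crt carries CA:FALSE (and int.crt pathlen:0), verification must fail.
deeper_cert_accepted() (
    cd "$1"
    new_ec_key deeper.key P-256
    openssl req -batch -new -key deeper.key -out deeper.csr -subj "/CN=deeper.example.lan"
    openssl x509 -req -in deeper.csr -CA server.crt -CAkey server.key -CAcreateserial \
        -days 30 -out deeper.crt 2>/dev/null
    cat int.crt server.crt > chain.crt
    openssl verify -CAfile root.crt -untrusted chain.crt deeper.crt >/dev/null 2>&1
)

# usage: build_chain "$(mktemp -d)"
```

Keep root.key off any networked host once root.crt and int.crt exist; only root.crt needs to be distributed to clients, and servers hand out server.crt together with int.crt. The negative check at the end is the property the intermediate's pathlen:0 and the server's CA:FALSE buy you: a leaked server key cannot be used to mint certificates that chain to your root.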

See also

For now this section holds forward links only; backward (symmetric) links will be added later.