Quick CA for internal LAN

Brandon Rozek

April 18, 2020

Setting up trusted HTTPS inside a network that is not exposed to the Internet requires creating your own Certificate Authority. This post is aimed at people setting up services in a small, low-threat-model environment. Apply additional caution when doing this for a business, for example by issuing certificates from an intermediate CA instead of the root.

We're going to use CFSSL, Cloudflare's PKI toolkit, to accomplish this. To install it on Ubuntu,

sudo apt install golang-cfssl

Creating the CA

This tool makes heavy use of JSON for its configuration. To set up a CA, first create csr_ca.json containing the following:

{
  "CN": "Common Name",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "O": "Organization",
      "OU": "Organizational Unit",
      "ST": "Washington",
      "L": "Locality"
    }
  ]
}

Where C is the two-letter country code and ST is the full state name. CN is the name the CA certificate itself will carry; pick something descriptive, since it is what browsers show as the issuer of every certificate you sign with it.

Then to create the certificate authority

cfssl gencert -initca csr_ca.json | cfssljson -bare ca

This will create the following files

Filename     Purpose
ca.pem       Public certificate (this is what you distribute to clients)
ca-key.pem   Private key (keep this secret)
ca.csr       Certificate signing request

Creating Certificates

Now we can create TLS certificates for whatever hosts we wish by describing them in a file we'll call csr_client.json. The entries in hosts become the certificate's Subject Alternative Names, which is what browsers actually match against the address bar, so every DNS name or IP address the service will be reached by needs to be listed there.

{
  "hosts": [
    "example.com",
    "*.example.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "O": "Organization",
      "OU": "Organizational Unit",
      "ST": "Washington",
      "L": "Locality"
    }
  ]
}

Then, to create the certificate,

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem csr_client.json | cfssljson -bare cert

This creates cert.pem, cert-key.pem and cert.csr, just like the previous command did for the CA. By default the certificate is valid for one year and carries CFSSL's default key usages: signing, key encipherment, server auth and client auth.

For finer-grained control over the usages and expiry time, I will refer you to the CFSSL documentation. It involves writing a signing config (another JSON file) with one or more named profiles and passing it to cfssl gencert with -config=config.json -profile=<name>.
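As an added worked example (not code from the original post or from the CFSSL project), here is a script that wires the two cfssl steps together with a signing config, so the CA gets an explicit lifetime and a path-length constraint and each host certificate is issued from a named profile instead of the defaults. It assumes cfssl and cfssljson from golang-cfssl and, for the final check, OpenSSL 1.1.1 or newer; the CA name, organisation, hostnames, the five-year CA lifetime and the profile names are illustrative choices.

```shell
#!/bin/sh
# Added example, not cfssl's own tooling: generate a CA with an explicit
# lifetime and path-length constraint, then issue host certs from named
# signing profiles. Assumes cfssl and cfssljson from golang-cfssl. The
# names, hostnames and lifetimes are illustrative.
set -eu

# CSR for the CA itself. The "ca" block is cfssl's extension to the CSR JSON:
# 43800h is five years, and pathlenzero forbids this CA from signing sub-CAs.
write_ca_csr() {
    cat <<'EOF'
{
  "CN": "Home LAN Root CA",
  "key": { "algo": "rsa", "size": 2048 },
  "ca": { "expiry": "43800h", "pathlenzero": true },
  "names": [ { "C": "US", "O": "Home LAN", "ST": "Washington", "L": "Seattle" } ]
}
EOF
}

# Signing config passed with -config. Each profile fixes the expiry and the
# key usages; "server auth" is the extended key usage browsers require.
write_signing_config() {
    cat <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h", "usages": ["signing", "key encipherment", "server auth"] },
    "profiles": {
      "server": { "expiry": "8760h", "usages": ["signing", "key encipherment", "server auth"] },
      "client": { "expiry": "8760h", "usages": ["signing", "key encipherment", "client auth"] }
    }
  }
}
EOF
}

# Per-host CSR. $1 is the CN, the remaining arguments extra names or IPs.
# Browsers validate the Subject Alternative Names, not the CN, so the CN is
# repeated in "hosts"; cfssl turns IP addresses into IP SANs automatically.
write_host_csr() {
    cn=$1; shift
    hosts="\"$cn\""
    for h in "$@"; do hosts="$hosts, \"$h\""; done
    cat <<EOF
{
  "CN": "$cn",
  "hosts": [ $hosts ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "US", "O": "Home LAN", "ST": "Washington", "L": "Seattle" } ]
}
EOF
}

make_ca() {
    write_ca_csr > csr_ca.json
    cfssl gencert -initca csr_ca.json | cfssljson -bare ca
    chmod 600 ca-key.pem   # the key that everything on the LAN will trust
}

# issue_cert PROFILE BASENAME HOSTNAME [HOSTNAME...]
issue_cert() {
    profile=$1; out=$2; shift 2
    write_host_csr "$@" > "$out-csr.json"
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
        -config=ca-config.json -profile="$profile" "$out-csr.json" \
        | cfssljson -bare "$out"
}

# Check the result the way a client would: chain back to ca.pem, then show
# the SANs and extended key usage that actually ended up in the certificate
# (-ext needs OpenSSL 1.1.1+).
show_cert() {
    openssl verify -CAfile ca.pem "$1"
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName,extendedKeyUsage
}

if [ "${1:-}" = "run" ]; then
    write_signing_config > ca-config.json
    make_ca
    issue_cert server nas nas.example.com nas.lan 192.168.1.10
    show_cert nas.pem
fi
```

Run it as `sh make-certs.sh run` in an empty directory. The JSON-writing functions are kept separate from the cfssl calls so you can inspect exactly what is sent to the CA before anything is signed; the "client" profile is there for services that authenticate with client certificates and is not used by the run block.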

Trusting the CA

To trust the CA on Debian or Ubuntu, copy ca.pem into /usr/local/share/ca-certificates/ with a .crt extension (for example ca.crt) and then run sudo update-ca-certificates. The extension matters: update-ca-certificates only picks up *.crt files in that directory, so a file left as ca.pem is ignored. Firefox has its own certificate store that you can add ca.pem to by accessing Preferences->Privacy & Security->Security->Certificates->View Certificates->Authorities->Import. The exact trail might have changed by the time you read this. Only ca.pem needs to be distributed; ca-key.pem can sign anything your machines will now trust, so keep it off the servers and readable only by you.
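As a second added example (not part of the original post): a script that installs ca.pem where update-ca-certificates will actually find it, refuses to install anything that is not a certificate, and then runs the two checks that prove the trust works. It assumes the Debian/Ubuntu /usr/local/share/ca-certificates layout and OpenSSL 1.1.0 or newer for -verify_hostname; the store directory is a parameter so the install step can be rehearsed against a scratch directory, and the "homelan" name and the nas.example.com host are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post: put the CA where
# update-ca-certificates will find it, and then verify the trust holds.
# Assumes the Debian/Ubuntu layout; names and URLs are illustrative.
set -eu

SYSTEM_STORE=/usr/local/share/ca-certificates

# install_ca CA_PEM NAME [STORE_DIR]
# update-ca-certificates only scans the store for *.crt, so the file is
# renamed on the way in. A STORE_DIR other than the system one is for
# rehearsing the step without touching the machine's trust store.
install_ca() {
    src=$1; name=$2; store=${3:-$SYSTEM_STORE}
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "$src: not a PEM certificate" >&2; return 1
    fi
    # ca-key.pem must never land here: the store is world-readable.
    if grep -q -- 'PRIVATE KEY' "$src"; then
        echo "$src: contains a private key, refusing" >&2; return 1
    fi
    mkdir -p "$store"
    cp "$src" "$store/$name.crt"
    chmod 644 "$store/$name.crt"
    if [ "$store" = "$SYSTEM_STORE" ]; then
        update-ca-certificates
    fi
    echo "$store/$name.crt"
}

# verify_cert CA_PEM LEAF_PEM HOSTNAME
# The chain check plus the hostname match, i.e. what a browser does.
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2"
}

# check_service URL
# After install_ca, a plain curl (no --cacert, no -k) must succeed using
# only the system bundle; if it does not, the CA was not picked up.
check_service() {
    curl --silent --show-error --output /dev/null "$1" && echo "trusted via system store: $1"
}

if [ "${1:-}" = "run" ]; then
    install_ca ca.pem homelan                     # run this as root
    verify_cert ca.pem nas.pem nas.example.com
    check_service https://nas.example.com/
fi
```

The private-key guard is there because ca.pem and ca-key.pem sit side by side after cfssljson writes them, and a mis-typed cp into the system store would publish the key with mode 644 to every user on the box.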