How to Setup a Local CA Server on Ubuntu


How do I set up a local certificate authority server on Linux? In this tutorial you will learn how to set up a local CA server on Ubuntu. You might want a local CA server for various reasons, including issuing private certificates for your users and applications. It also cuts the cost of buying public certificates for local use and gives you control over the digital certificates you issue locally.

Setting up a Local CA Server on Ubuntu

To set up a local CA (Certificate Authority) server on Linux:

Install OpenSSL on Ubuntu

OpenSSL is the OpenSSL project’s implementation of the SSL and TLS cryptographic protocols for secure communication over the Internet. It contains the general-purpose command line binary /usr/bin/openssl, useful for cryptographic operations such as:

  • creating RSA, DH, and DSA key parameters;
  • creating X.509 certificates, CSRs, and CRLs;
  • calculating message digests;
  • encrypting and decrypting with ciphers;
  • testing SSL/TLS clients and servers;
  • handling S/MIME signed or encrypted mail.

The OpenSSL command line binary is usually installed on Linux systems by default. You can check if the binary is available by running the command;

which openssl

It should list the path to the binary if the package is installed;

/usr/bin/openssl

If for some reason the binary is not available, you can install it by running the commands below;

sudo apt update
sudo apt install openssl

Create Directories and Configuration files for your CA

OpenSSL uses the openssl.cnf configuration file to define various settings and options for generating digital certificates, private keys, and other cryptographic objects.

First of all, create a root CA directory to store your CA issued certificates, CA’s private key, certificate requests…

mkdir -p /etc/ssl/kifarunixCA/{certs,private,crl,newcerts,csr}

Update some OpenSSL CA Settings in openssl.cnf file

We need to make a few customizations of OpenSSL CA settings such as;

  • Default certificate and private key locations
  • Default certificate authority (CA) information
  • Default encryption algorithms and key lengths
  • Default certificate signing request (CSR) options
  • etc

Thus, copy the default openssl.cnf configuration file to your directory;

cp /etc/ssl/openssl.cnf /etc/ssl/kifarunixCA/

Open your custom openssl.cnf file and edit the [ CA_default ], [ req ], [ req_distinguished_name ] and [ usr_cert ] sections. See our customized sections below;

vim /etc/ssl/kifarunixCA/openssl.cnf
[ ca ]
default_ca      = CA_default

[ CA_default ]

dir             = /etc/ssl/kifarunixCA
certs           = $dir/certs
crl_dir         = $dir/crl              
database        = $dir/index.txt
                            
new_certs_dir   = $dir/newcerts

certificate     = $dir/cacert.pem
serial          = $dir/serial
crlnumber       = $dir/crlnumber        
                                        
crl             = $dir/crl.pem
private_key     = $dir/private/cakey.pem        

x509_extensions = usr_cert              

name_opt        = ca_default
cert_opt        = ca_default            


                                        
default_days    = 3650                  
default_crl_days= 30                    
default_md      = default
preserve        = no      

policy          = policy_match

...
[ req ]
default_bits            = 4096

...
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = California

localityName                    = Locality Name (eg, city)
localityName_default            = San Francisco

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Kifarunix, Inc.

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = IT Department

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64
...
[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = @alt_names
[alt_names] 
DNS.1 = *.kifarunix.com

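Because [ usr_cert ] sets subjectAltName from [alt_names], every certificate signed with this configuration carries the *.kifarunix.com name, whatever the CSR requests. We also customized the [ req_distinguished_name ] section to update the default information about our CA entity. You can also leave this section as it is and supply the information manually or via the -subj openssl command line option, e.g.;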

-subj "/C=US/ST=CA/L=San Francisco/O=Kifarunix, Inc./CN=kifarunix.com"

Save and exit the file. Refer to OpenSSL Docs for more info.

Initialize the CA Database

Initialize the serial file (contains the serial number for the next certificate) and create the index.txt file (used as a database to track certificates that have been issued);

echo 01 > /etc/ssl/kifarunixCA/serial
touch /etc/ssl/kifarunixCA/index.txt

Note, the index.txt file must initially be completely empty with no white space.
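
An added example (not part of the original tutorial): as openssl ca signs and revokes certificates, it appends one tab-separated record per certificate to index.txt, and this shell function reads those records to show which certificates are valid, revoked, close to expiry or wildcards. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the CA database written by "openssl ca".
# index.txt columns (tab-separated): status (V/R/E), expiry, revocation
# date[,reason], serial, file name, subject DN.

# ca_db_report INDEX_FILE CUTOFF
#   CUTOFF is a UTC timestamp, YYYYMMDDHHMMSSZ. Prints "serial<TAB>state<TAB>CN"
#   per entry and returns 1 if any line is not a well-formed 6-column record.
ca_db_report() {
    awk -F '\t' -v cutoff="$2" '
    # Expiry is stored as YYMMDDHHMMSSZ (13 chars); widen it to a 4-digit year.
    function full(ts) {
        if (length(ts) == 13)
            return (substr(ts, 1, 2) + 0 < 50 ? "20" : "19") ts
        return ts
    }
    # The tutorial notes index.txt must hold no stray white space; flag such lines.
    NF != 6 { printf "line %d\tmalformed\t-\n", NR; bad = 1; next }
    {
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        if ($1 == "R")                state = "revoked"
        else if ($1 == "E")           state = "expired"
        else if (full($2) < cutoff)   state = "expiring"
        else                          state = "valid"
        if ($1 == "V" && cn ~ /^\*\./) state = state ",wildcard"
        printf "%s\t%s\t%s\n", $4, state, cn
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample database (not taken from a real CA).
sample_index() {
    printf 'V\t330223060733Z\t\t01\tunknown\t/C=US/O=Kifarunix, Inc./CN=*.kifarunix.com\n'
    printf 'R\t330223060733Z\t230301101500Z,keyCompromise\t02\tunknown\t/C=US/O=Kifarunix, Inc./CN=old.kifarunix.com\n'
    printf 'V\t230401000000Z\t\t03\tunknown\t/C=US/O=Kifarunix, Inc./CN=demo.kifarunix.com\n'
}

# Usage on the CA host (GNU date): flag certificates expiring within 30 days.
#   ca_db_report /etc/ssl/kifarunixCA/index.txt "$(date -u -d '+30 days' +%Y%m%d%H%M%SZ)"
```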

Generate CA/Root Private Key

In order to sign your certificates as your local CA, you will need to generate the CA private key.

Generate and passphrase-protect the CA root private key and store it in the above directory using the command below;

openssl genrsa -aes256 -out /etc/ssl/kifarunixCA/private/cakey.pem 4096

You will be prompted to enter and confirm your passphrase.

Enter PEM pass phrase: PASSPHRASE
Verifying - Enter PEM pass phrase: RE-ENTER PASSPHRASE

You will need to keep this passphrase secured. If it falls into the wrong hands, malicious actors may compromise your PKI and issue bogus certificates.

Generate CA/Root Certificate

Next, you need to generate your self-signed X.509 CA/Root certificate using the Root private key generated above;

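openssl req -new -x509 -sha256 -days 3650 \
-config /etc/ssl/kifarunixCA/openssl.cnf \
-key /etc/ssl/kifarunixCA/private/cakey.pem \
-out /etc/ssl/kifarunixCA/cacert.pem \
-subj "/C=US/ST=California/L=San Francisco/O=Kifarunix, Inc./CN=Kifarunix Inc CA"

You will be prompted to enter the Root private key passphrase. We also provided other CA certificate issuer information using the -subj option. The -days option sets the lifetime of the CA certificate explicitly; without it, openssl req -x509 issues a certificate that is valid for only 30 days, because the default_days setting in [ CA_default ] applies to openssl ca and not to openssl req.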

You can review your CA certificate using the command below;

openssl x509 -in /etc/ssl/kifarunixCA/cacert.pem -text

Generate your Local SSL/TLS Certificate Signing Request (CSR)

You can now generate your local SSL/TLS certificates and sign them using your local CA.

Thus, generate the certificate private key and the Certificate signing request (CSR);

Generate the key for our domain, kifarunix.com;

openssl genrsa -out /etc/ssl/kifarunixCA/private/kifarunix.com.key 4096

You are prompted for a passphrase for the key. Provide it and press ENTER to proceed.

Next, generate the CSR;

openssl req -new -key /etc/ssl/kifarunixCA/private/kifarunix.com.key \
-out /etc/ssl/kifarunixCA/csr/kifarunix.com.csr \
-config /etc/ssl/kifarunixCA/openssl.cnf

Sample output;

Enter pass phrase for /etc/ssl/kifarunixCA/private/kifarunix.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Francisco]:
Organization Name (eg, company) [Kifarunix, Inc.]:
Organizational Unit Name (eg, section) [IT Department]:
Common Name (e.g. server FQDN or YOUR name) []:*.kifarunix.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign Certificate Requests Using Your CA and Generate TLS Certificates

Next, sign the CSR with your local CA and generate the certificate;

openssl ca -config /etc/ssl/kifarunixCA/openssl.cnf \
-in /etc/ssl/kifarunixCA/csr/kifarunix.com.csr \
-out /etc/ssl/kifarunixCA/certs/kifarunix-com.crt

When prompted, enter the root CA private key passphrase.

Enter pass phrase for /etc/ssl/kifarunixCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 26 06:07:33 2023 GMT
            Not After : Feb 23 06:07:33 2033 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = Kifarunix, Inc.
            organizationalUnitName    = IT Department
            commonName                = *.kifarunix.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                8E:F0:E8:AF:E5:AD:76:3E:C3:58:1D:DC:22:27:85:DC:33:7B:F6:D7
            X509v3 Authority Key Identifier: 
                FD:C0:7C:4C:20:E7:32:0A:3B:F2:E4:96:89:28:A2:48:02:95:75:7E
Certificate is to be certified until Feb 23 06:07:33 2033 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

You now have the SSL/TLS certificate and key (kifarunix-com.crt, kifarunix.com.key) that you can use to configure your applications for secure communication.
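
An added example, not from the original tutorial: because [ usr_cert ] hard-codes subjectAltName, openssl ca stamps *.kifarunix.com into every certificate it signs with this configuration, so it is worth checking what was actually issued before deploying it. The function name check_issued_cert is hypothetical; it checks the chain, the key pair, host name coverage and that the certificate is not a CA.

```shell
#!/bin/sh
# Added example: sanity checks for a certificate issued by the local CA.
# Needs the openssl CLI, version 1.1.1 or later (for "x509 -ext").

# check_issued_cert CA_CERT LEAF_CERT LEAF_KEY HOSTNAME
#   Prints one result per line; the exit status is 0 only if all checks pass.
#   The body is a subshell "( ... )", so its variables stay local.
check_issued_cert() (
    ca=$1; crt=$2; key=$3; host=$4; rc=0
    pass() { echo "$1: ok"; }
    fail() { echo "$1: FAIL"; rc=1; }

    # 1. The signature chain must verify against the local CA certificate.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1
    then pass chain; else fail chain; fi

    # 2. The private key must match the certificate (same public key).
    #    An encrypted key makes openssl ask for its passphrase here.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
    then pass keypair; else fail keypair; fi

    # 3. The certificate must cover the host name the server answers to.
    #    *.kifarunix.com covers demo.kifarunix.com, not the bare kifarunix.com.
    if openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate'
    then pass hostname; else fail hostname; fi

    # 4. A server certificate must not be usable as a CA.
    if openssl x509 -in "$crt" -noout -ext basicConstraints 2>/dev/null |
        grep -q 'CA:FALSE'
    then pass not-a-ca; else fail not-a-ca; fi

    exit "$rc"
)

# On the CA host, with the file names used in this tutorial:
#   check_issued_cert /etc/ssl/kifarunixCA/cacert.pem \
#       /etc/ssl/kifarunixCA/certs/kifarunix-com.crt \
#       /etc/ssl/kifarunixCA/private/kifarunix.com.key demo.kifarunix.com
```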

Configure Web Server to Use your Local SSL/TLS Certificates

To demonstrate this, let’s install a basic apache web server on a test node and configure it to use SSL/TLS;

sudo apt install apache2 -y

Copy the SSL/TLS certificates to your test node;

Create a simple site configuration;

vim /etc/apache2/sites-available/demo.kifarunix.com.conf
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName demo.kifarunix.com
                # Placeholder address; set your own
                ServerAdmin webmaster@example.com
                DocumentRoot /var/www/html
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLEngine on
                SSLCertificateFile      /etc/ssl/kifarunixCA/certs/kifarunix-com.crt
                SSLCertificateKeyFile /etc/ssl/kifarunixCA/private/kifarunix.com.key
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

Enable the site and disable default;

a2dissite 000-default.conf
a2ensite demo.kifarunix.com.conf

Enable the SSL module;

a2enmod ssl

Restart Apache;

systemctl restart apache2

Install Root CA Certificate into your Systems

Next, copy the root CA certificate, in our case cacert.pem, to your systems.

The certificate has to be in CRT format. Hence, you can save it on the remote host as .crt;

cacert.crt

We have already copied this file in CRT format into our local systems.

Install Local CA Root Certificate on your Systems

At this point, you are now ready to generate the SSL/TLS certificates signed by your local CA. However, to ensure that the certificates are trusted by your systems, you need to install the CA Root certificate on them.

Install local CA Root certificate on Ubuntu/Debian Systems;

On Unix-based systems, the /usr/local/share/ca-certificates directory is used to store additional CA (Certificate Authority) certificates that are trusted by the system. You can place any custom CA certificate here.

To install local CA root certificate on Ubuntu/Debian systems;

sudo apt install -y ca-certificates

Copy your root CA certificate file into the /usr/local/share/ca-certificates directory;

sudo cp ~/cacert.crt /usr/local/share/ca-certificates/

Once you have copied it, update the certificate store.

sudo update-ca-certificates

Sample output;

Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

On Firefox on Ubuntu, you have to import the certificate manually into the Mozilla Trust store;

Navigate to Settings > Privacy & Security > View Certificates > Import.

Browse to the directory where you placed the CA certificate, import it, and enable Trust this CA to identify websites.

Click Ok to import the CA cert.

Restart Browser.

On Chrome, you also need to import the CA certificate. In the Chrome address bar, enter chrome://settings/certificates;

Click Authorities > Import > search for your CA certificate and import it.

Click Ok to import.

Restart the Chrome browser thereafter.

Install local CA Root certificate on RHEL Based Systems;

Install the ca-certificates package, which contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI.

sudo yum install ca-certificates

Install custom CA Root certificate on RHEL systems by copying your CA certificate file into /etc/pki/ca-trust/source/anchors/ store.

sudo cp cacert.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

We tried the Firefox browser, and it seems to use the system-wide trust store on Oracle Linux. It must be the same for other RHEL-based systems.

Install local CA Root certificate on Windows Systems;

You can install a root CA (Certificate Authority) certificate in Windows by right-clicking the certificate (CRT format) and clicking Install Certificate;

This opens up import wizard;

  • Store Location: Local Machine
  • Click Next, select Place all certificates in the following store and choose Trusted Root Certification Authorities.
  • Click Next to finish importation of the CA cert.

Access your HTTPS site and confirm that your system can trust the SSL/TLS certs used;

And that is it on how to configure a Local CA Server on Ubuntu.

You can now generate your local certificates that can be trusted by your local systems for development purposes.

Kifarunix