Root CA on Dogtag 10.8 on CentOS 8
This will set up a root CA using Dogtag 10.8 on CentOS 8. Once it is set up and the initial certificates have been issued to the subordinate CAs, it should be shut down and backed up. The root CA certificate will be valid for 20 years.
It is assumed that a full DNS system is already in place and that A records are set up for the FQDN of the root CA.
CentOS 8 Install
- Install CentOS 8 minimal on a virtual guest (4GB SCSI drive; 1GB RAM for the install, then reduce to 512MB; 1 CPU; add an RNG device), set the hostname (such as root-ca.mydomain.com) and a static IP, and enable NTP. You'll need to create the partition layout manually, as Auto will complain about the disk size; once in manual mode you can choose to create the layout automatically. (Encrypting the install would be a good idea in case someone turned it on accidentally.)
- Reboot, update the system and install vim.
dnf update && dnf install vim
Create sudo User + Disable root SSH Access
Create user with password
useradd sudo_username && passwd sudo_username
Add user to wheel group for sudo privileges
usermod -aG wheel sudo_username
Log out of root and log in to the newly created account.
Disable root login over SSH
sudo vim /etc/ssh/sshd_config
Add line
PermitRootLogin no
Restart sshd
sudo systemctl restart sshd
Install Fail2ban
This will help prevent the baddies from brute-forcing your SSH password… well, this is supposed to be an offline CA, but caution is always warranted for root anything.
Install the EPEL repo, install fail2ban and enable it
sudo dnf install epel-release
sudo dnf install fail2ban
sudo systemctl enable fail2ban
Create a jail for sshd
sudo vim /etc/fail2ban/jail.d/sshd.local
Add as follows:
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 600
Restart fail2ban
sudo systemctl restart fail2ban
Configure Directory Server
https://github.com/rharmonson/richtech/wiki/OSVDC-Series:-Root-Certificate-Authority-(PKI)-with-Dogtag-10.3-on-CentOS-7.3.1611
The purpose of this guide is to provide instructions on building an off-line Root Certificate Authority (CA) to issue Subordinate CA certificates. My specific use case is for use with FreeIPA, but it is applicable, generally, for any internal PKI implementation.
Why off-line? A Root CA should not be accessible and should be a carefully guarded asset. If an unauthorized individual obtained the Root CA private key, the entire PKI system is compromised. Best case, the PKI will need to be demolished, a new one built, and all certificates replaced. Depending on the size of your organization and the prevalence of certificates, recovery could be a lengthy and costly endeavor.
Add firewall exceptions for Dogtag web portal
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
sudo firewall-cmd --reload
Add a host entry to /etc/hosts with the root-ca IP and FQDN followed by the hostname (the example below assumes the root-ca has an IP of 192.168.10.30 and an FQDN of root-ca.mydomain.net)
sudo vim /etc/hosts
Add line for root-ca host as shown below:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30 root-ca.mydomain.net root-ca
The solution components are:
- Dogtag PKI Certificate Authority; pki-ca and dependencies
- Dogtag theme; server theme (optional)
- 389, 389-ds-base; Directory Service
389 is a dependency for Dogtag CA.
- Install 389 and Dogtag PKI-CA. The package dogtag-pki-server-theme is optional; however, if you want to explore the web UI, you need the theme package installed prior to configuration of the Dogtag CA instance.
sudo dnf module enable 389-ds pki-core pki-deps
sudo dnf install 389-ds-base pki-ca
The theme package is not available in the CentOS nor EPEL repositories. WTF? Install it directly with dnf using the URL from the Fedora Project.
sudo dnf install https://rpmfind.net/linux/fedora/linux/releases/32/Everything/x86_64/os/Packages/d/dogtag-pki-server-theme-10.8.3-1.fc32.noarch.rpm
You might need to find a current version of the pki-server theme if updates are made. The 10.7.3 package for Fedora core 31 didn't work but the same revision for core 29 did, so perhaps stick to that OS release for versions; later this didn't work and I had to use core 32, so it seems it keeps you on your toes…
- Setup 389 Directory Service
Begin setup by executing dscreate to set up 389. See “Results” for details and note the account names and passwords.
sudo dscreate interactive
Results
[sudo] password for sudo_user:
Install Directory Server (interactive mode)
===========================================
Enter system's hostname [root-ca.mydomain.net]:
Use strict hostname verification (set to "no" if using GSSAPI behind a load balancer) [yes]:
Enter the instance name [root-ca]:
Enter port number [389]:
Create self-signed certificate database [yes]:
Enter secure port number [636]:
Enter Directory Manager DN [cn=Directory Manager]:
Enter the Directory Manager password: (create a password here and record it as "389 Directory Manager password")
Confirm the Directory Manager Password:
Enter the database suffix (or enter "none" to skip) [dc=root-ca,dc=mydomain,dc=net]:
Create sample entries in the suffix [no]:
Create just the top suffix entry [no]:
Do you want to start the instance after the installation? [yes]:
Are you ready to install? [no]: yes
sudo systemctl enable dirsrv.target
sudo systemctl start dirsrv.target
sudo systemctl status dirsrv.target
Setup Dogtag CA
Dogtag uses pkispawn for component setup where -s specifies the component to configure.
Familiarize yourself with the Certificate Profiles if you want to customize the defaults: https://www.dogtagpki.org/wiki/Certificate_Profiles
If you want to understand more about the variables in /etc/pki/default.cfg see here: https://www.systutorials.com/docs/linux/man/5-pki_default.cfg/
For this part of the install we're interested in the System Certificate Profiles found at /usr/share/pki/ca/conf
Since I'm the sole admin for a lot of stuff I don't want to worry about certificate validity periods, so I'm going to lengthen the validity period of some key certificates. This isn't best practice, and if you have the support, shorter is better…
Files to edit at /usr/share/pki/ca/conf along with their initial values and corresponding changes I'm making:
- rsaServerCert.profile; this is the certificate used by the Dogtag Web UI. Change 2.default.params.range from 720 to 3650
- caAuditSigningCert.profile; used for signing audit logs? Change 2.default.params.range from 720 to 3650
- rsaAdminCert.profile; this is the certificate that you need to install in your browser to access Web UI. Change 2.default.params.range from 720 to 3650
- caOCSPCert.profile; I think this signs responses to OCSP requests. Change 2.default.params.range from 720 to 3650
- rsaSubsystemCert.profile; dunno… Change 2.default.params.range from 720 to 3650
- caCert.profile; CA signing cert, default validity is 20 years, leave as is.
Edit default.cfg (the pkispawn defaults)
sudo vim /usr/share/pki/server/etc/default.cfg
Replace all instances of 2048 with 4096. Vim can do this with :%s/2048/4096/g
Replace all instances of SHA256withRSA with SHA512withRSA. Vim can do this with :%s/SHA256withRSA/SHA512withRSA/g
Find the following line:
pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
Change it to make it a little more personal, but be sure to make the root-ca CN different from any sub-CA CN.
Example for root-ca (note: don't use a comma anywhere inside a name component, e.g. "Company Name, LLC", as it will cause the install to fail):
pki_ca_signing_subject_dn=cn=BlueSky Underwear Root CA Signing Cert,ou=Underdevelopment Dept,o=BlueSky Inc
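The profile and default.cfg edits above can be scripted. The following is an added example, not part of this guide or of Dogtag itself: it applies the same changes with sed and refuses a signing DN that has a comma inside a value. It assumes GNU sed and the file paths used above; set PKI_CONF and DEFAULT_CFG to copies to rehearse it first.

```shell
#!/bin/sh
# Added example (not part of the original guide): apply the pre-pkispawn edits with sed
# instead of vim. PKI_CONF and DEFAULT_CFG default to the guide's paths; point them at
# copies to rehearse. Assumes GNU sed (-i without a suffix), as on CentOS.
PKI_CONF="${PKI_CONF:-/usr/share/pki/ca/conf}"
DEFAULT_CFG="${DEFAULT_CFG:-/usr/share/pki/server/etc/default.cfg}"

# Set the validity (days) of one system certificate profile: the 720 -> 3650 change.
set_profile_range() {   # $1 = profile file, $2 = days
    sed -i "s/^2\.default\.params\.range=.*/2.default.params.range=$2/" "$1"
}

# Extend the five non-CA system cert profiles; caCert.profile is left alone (already 20 years).
extend_system_cert_profiles() {   # $1 = conf dir, $2 = days
    for p in rsaServerCert caAuditSigningCert rsaAdminCert caOCSPCert rsaSubsystemCert; do
        set_profile_range "$1/$p.profile" "$2"
    done
}

# The default.cfg edits: 2048 -> 4096, SHA256withRSA -> SHA512withRSA, and the signing DN.
# The DN must not contain '|', '&' or '\' (special in the sed replacement).
harden_default_cfg() {   # $1 = default.cfg, $2 = subject DN
    sed -i -e 's/2048/4096/g' -e 's/SHA256withRSA/SHA512withRSA/g' \
        -e "s|^pki_ca_signing_subject_dn=.*|pki_ca_signing_subject_dn=$2|" "$1"
}

# A comma inside an attribute value ("Company Name, LLC") breaks the install, so every
# comma-separated piece of the DN must look like attr=value. Returns 0 if safe, 1 if not.
check_subject_dn() {   # $1 = DN
    old_ifs=$IFS; IFS=','
    for rdn in $1; do
        case "$rdn" in
            [A-Za-z]*=*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Usage as root, before running pkispawn:  sh prep-root-ca.sh 'cn=...,ou=...,o=...'
if [ $# -eq 1 ]; then
    check_subject_dn "$1" || { echo "refusing: comma inside a DN value" >&2; exit 1; }
    extend_system_cert_profiles "$PKI_CONF" 3650
    harden_default_cfg "$DEFAULT_CFG" "$1"
fi
```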
Create new CA instance:
sudo pkispawn -s CA
Results if using defaults:
IMPORTANT:

    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:

Administrator:
  Username [caadmin]:
  Password: (this is the password you'll use to import the certificate into your web browser)
  Verify password:
  Import certificate (Yes/No) [N]?
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

Directory Server:
  Hostname [ca.mydomain.net]:
  Use a secure LDAPS connection (Yes/No/Quit) [N]?
  LDAP Port [389]:
  Bind DN [cn=Directory Manager]:
  Password: (this is the password you set when setting up the directory server, the 389 Directory Manager password)
  Base DN [o=pki-tomcat-CA]:

Security Domain:
  Name [mydomain.net Security Domain]:

Begin installation (Yes/No/Quit)? yes

Log file: /var/log/pki/pki-ca-spawn.20170221192332.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://ca.mydomain.net:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================
Copy the installation summary and put it in a document for later reference. This same document should contain all the login info for the Directory Manager, the OS user logins, the location of the machine, and the details and system certificate info of this root-ca. See the end of this document for an example.
Note the password you set for the caadmin account.
CA Admin & Dogtag Web UI (optional)
If you messed up or the install failed, simply destroy the instance with
sudo pkidestroy -s CA -i pki-tomcat
Note: If the DNS name of your CA server isn't part of any of your other DNS databases, the Web UI might fail when trying to use the FQDN instead of the IP. To fix this, just replace the FQDN with the IP as needed.
Note: If you want to use the Dogtag web UI, import the user authentication certificate for caadmin. Using CentOS 7 Workstation or Fedora 24 Workstation, copy the caadmin certificate to the workstation, then add it to Firefox's user certificates. If you receive an authentication error or “You did not provide a valid certificate for this operation” when browsing to “https://host.domain.net:8443/ca”, then you have not used caadmin's authentication certificate for privileged access.
The caadmin certificate can be found in ~/.dogtag/pki-tomcat/ca_admin_cert.p12. Copy it to an admin workstation using:
scp root@<ip address or hostname>:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
Import the certificate into Firefox by selecting menu, Preferences, Advanced, View Certificates, Your Certificates, then Import. Once complete, you will find “PKI Administrator” under “Your Certificates.”
Extend the CRL interval:
sudo systemctl stop pki-tomcatd@pki-tomcat.service
sudo vim /etc/pki/pki-tomcat/ca/CS.cfg
find and change
ca.crl.MasterCRL.autoUpdateInterval=240
to
ca.crl.MasterCRL.autoUpdateInterval=5256000
and
ca.crl.MasterCRL.enableDailyUpdates=false
Optionally extend the Other Certificate default validity period if you aren't creating a sub-CA (we use this for Windows domain controllers): https://frasertweedale.github.io/blog-redhat/posts/2019-03-04-dogtag-system-cert-lifetime.html
vim /var/lib/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg
Find all instances of 720 and change them to 3650:
policyset.otherCertSet.2.constraint.params.range=3650
policyset.otherCertSet.2.default.params.range=3650
Start the PKI instance
sudo systemctl start pki-tomcatd@pki-tomcat.service
Download latest CRL: https://ip.add.res:8443/ca/ee/ca/DisplayCRL.html
Note: as of 04/10/19, after a reboot the pki-tomcatd@pki-tomcat service doesn't come back up automatically; start it manually with sudo systemctl start pki-tomcatd@pki-tomcat.service
Example Documentation Template
Role: Offline root certification authority via Dogtag 10.5
OS: CentOS 7
Location: Virtual Guest
IP: 10.254.157.240
user: root | superSecretPasswordA
user: camden | superSecretPasswordB
389 directory server instance: root-ca
389 Directory Manager password: superSecretPasswordW
Certificate administrator account and password: caadmin | superSecretPasswordX
URL: https://root-ca.domainname.com:8443/

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://root-ca.domainname.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

System Certificates
Serial  Expires     Certificate
0x1     04/18/2039  CN=Company Name Root CA Signing Cert,OU=IT dept,O=Company Name
0x2     04/15/2029  CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x3     04/15/2029  CN=root-ca.domainname.com,OU=pki-tomcat,O=domainname.com Security Domain
0x4     04/15/2029  CN=Subsystem Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x5     04/15/2029  CN=CA Audit Signing Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x6     04/15/2029  CN=PKI Administrator,E=admin@domainname.com,OU=pki-tomcat,O=domainname Security Domain