Subordinate CA on Dogtag 10.7 on CentOS 8
This will set up a subordinate CA using Dogtag 10.7 on CentOS 8. It will be subordinate to our root CA (another Dogtag install). This CA will be kept online and used to issue certificates to devices and users.
It is assumed that a full DNS system is already in place and that A records are set up for the FQDN of the subordinate CA.
This subordinate will default to being valid for 20 years unless you change it in the steps below.
Subordinate CA
https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate
Overview
This page describes the process to install a subordinate CA with an external CA signing certificate.
The process consists of two steps:
Step 1: Generate a CSR to be signed by an external CA.
Step 2: Import the CA signing certificate issued by the external CA.
CentOS 8 Install
- Install CentOS 8 minimal on a virtual guest (4GB SCSI drive, 1GB RAM for the install then reduce to 512MB, 1 CPU, add an RNG device), set the hostname (such as sub-ca.mydomain.com) and a static IP, and enable NTP. You'll need to create the partition layout manually, as automatic partitioning will complain about the disk size; once in manual mode you can still choose to have the layout created automatically.
- Reboot, then update the system and install vim:
dnf update && dnf install vim
Create sudo User + Disable root SSH Access
Create user with password
useradd sudo_username && passwd sudo_username
Add user to wheel group for sudo privileges
usermod -aG wheel sudo_username
Log out of root and into newly created account.
Disable root login over SSH
sudo vim /etc/ssh/sshd_config
Add line
PermitRootLogin no
Restart sshd
sudo systemctl restart sshd
Install Fail2ban
This will help prevent the baddies from brute forcing your SSH password…
Install epel repo, install fail2ban and enable it
sudo dnf install epel-release
sudo dnf install fail2ban
sudo systemctl enable fail2ban
Create a jail for sshd
sudo vim /etc/fail2ban/jail.d/sshd.local
Add as follows:
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 3600
Restart fail2ban
sudo systemctl restart fail2ban
Configure Directory Server
https://github.com/rharmonson/richtech/wiki/OSVDC-Series:-Root-Certificate-Authority-(PKI)-with-Dogtag-10.3-on-CentOS-7.3.1611
Add firewall exceptions for Dogtag web portal
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
sudo firewall-cmd --reload
Add a host entry to /etc/hosts with the sub-ca's IP and FQDN followed by its short hostname (the example below assumes the sub-ca has an IP of 192.168.10.31 and an FQDN of sub-ca.mydomain.net)
sudo vim /etc/hosts
Add the line for the sub-ca host as shown below:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.31   sub-ca.mydomain.net sub-ca
The solution components are:
- Dogtag PKI Certificate Authority; pki-ca and dependencies
- Dogtag theme; server theme (optional)
- 389, 389-ds-base; Directory Service
389 is a dependency for Dogtag CA.
- Install 389 and Dogtag PKI-CA. Package dogtag-server-theme is optional, however, if you want to explore the web UI, you need the theme package installed prior to configuration of the Dogtag CA instance.
sudo dnf module enable 389-ds pki-core pki-deps
sudo dnf install 389-ds-base pki-ca
The theme package is not available in the CentOS nor EPEL repositories. WTF? Install it directly using dnf and the URL from the Fedora Project.
sudo dnf install https://rpmfind.net/linux/fedora/linux/releases/32/Everything/x86_64/os/Packages/d/dogtag-pki-server-theme-10.8.3-1.fc32.noarch.rpm
You might need to go and find a current version of the pki-server theme package if updates have been made. The 10.7.3 package for Fedora 31 didn't work but the same revision for Fedora 29 did, so perhaps stick to that OS release for versions; later that didn't work either and I had to use the Fedora 32 package, so it seems it keeps you on your toes…
- Setup 389 Directory Service
Begin setup by running dscreate in interactive mode to set up 389. See “Results” for details and note the account names and passwords.
sudo dscreate interactive
Results
[sudo] password for sudo_user:
Install Directory Server (interactive mode)
===========================================
Enter system's hostname [sub-ca.mydomain.net]:
Use strict hostname verification (set to "no" if using GSSAPI behind a load balancer) [yes]:
Enter the instance name [sub-ca]:
Enter port number [389]:
Create self-signed certificate database [yes]:
Enter secure port number [636]:
Enter Directory Manager DN [cn=Directory Manager]:
Enter the Directory Manager password: (create a password here and record it as "389 Directory Manager password")
Confirm the Directory Manager Password:
Enter the database suffix (or enter "none" to skip) [dc=sub-ca,dc=mydomain,dc=net]:
Create sample entries in the suffix [no]:
Create just the top suffix entry [no]:
Do you want to start the instance after the installation? [yes]:
Are you ready to install? [no]: yes
Note the password you set for the Directory Manager.
- Enable & Start 389
sudo systemctl enable dirsrv.target
sudo systemctl start dirsrv.target
sudo systemctl status dirsrv.target
Setup Dogtag CA
Dogtag uses pkispawn for component setup where -s specifies the component to configure.
Familiarize yourself with the Certificate Profiles if you want to customize the defaults: https://www.dogtagpki.org/wiki/Certificate_Profiles
If you want to understand more about the variables in /etc/pki/default.cfg see here: https://www.systutorials.com/docs/linux/man/5-pki_default.cfg/
For this part of the install we're interested in the System Certificate Profiles found at /usr/share/pki/ca/conf
Since I'm the sole admin for a lot of stuff I don't want to worry about certificate validity periods so I'm going to lengthen the validity period of some key certificates. This isn't best practice and if you have the support shorter is better…
Files to edit at /usr/share/pki/ca/conf along with their initial values and corresponding changes I'm making:
- rsaServerCert.profile; this is the certificate used by the Dogtag Web UI. Change 2.default.params.range from 720 to 3650
- caAuditSigningCert.profile; dunno what this does… Change 2.default.params.range from 720 to 3650
- rsaAdminCert.profile; this is the certificate that you need to install in your browser to access Web UI. Change 2.default.params.range from 720 to 3650
- caOCSPCert.profile; We run OCSP on http so I don't know what this does for us. Change 2.default.params.range from 720 to 3650
- rsaSubsystemCert.profile; dunno… Change 2.default.params.range from 720 to 3650
- caCert.profile; CA signing cert, default validity is 20 years, leave as is.
Edit default.cfg
sudo vim /usr/share/pki/server/etc/default.cfg
Replace all instances of 2048 with 4096. Vim can do this with :%s/2048/4096/g
Replace all instances of SHA256withRSA with SHA512withRSA. Vim can do this with :%s/SHA256withRSA/SHA512withRSA/g
Step 1 Prepare Initial Config File
Prepare a deployment configuration file for step 1 (e.g. ca-external-step1.cfg):
vim ~/ca-external-step1.cfg
[CA]
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=4096
pki_ca_signing_key_type=rsa
pki_ca_signing_subject_dn=cn=BlueSky Underwear Subordinate CA Signing Cert,ou=Underdevelopment Dept,o=BlueSky Inc

pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

#pki_client_database_dir, pki_client_database_password
#Location where an NSS token database is created in order to generate a key for the administrative user.
#Usually, the data in this location is removed at the end of the installation,
#as the keys and certificates are stored in a PKCS #12 file in pki_client_dir.
#The pki_client_pkcs12_password is the password you'll use to import the admin certificate into your browser to use the web ui: /root/.dogtag/pki-tomcat/ca_admin_cert.p12; make note of this if you're going to use the web ui.
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

#pki_ds_password should match the Directory Manager password that was created during the 389 install, I think...
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

#pki_token_name, pki_token_password
#The token and password where this instance's system certificate and keys are stored. Defaults to the NSS internal software token.
pki_security_domain_name=EXAMPLE
pki_token_password=Secret.123

pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=ca_signing.csr
Now create the instance based on your config file:
sudo pkispawn -f ca-external-step1.cfg -s CA
Output:
Log file: /var/log/pki/pki-ca-spawn.20190420095728.log
Loading deployment configuration from ca-external-step1.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

==========================================================================
                                INSTALLATION SUMMARY
==========================================================================

      The CA subsystem of the 'pki-tomcat' instance is still incomplete.

      NSS database: /etc/pki/pki-tomcat/alias

      A CSR for the CA signing certificate has been generated in:
            ca_signing.csr

      Please obtain the necessary certificate(s) for this subsystem,
      and run installation step two.

==========================================================================
It will create an NSS database in /etc/pki/pki-tomcat/alias and generate a CA certificate CSR in ca_signing.csr.
Issuing CA Signing Certificate
Submit the CSR to an external CA:
Submit the request to the root-ca Dogtag server under “Manual Certificate Manager Signing Certificate Enrollment”. While approving the request, change the “Not After:” date to one that falls before the root-ca signing certificate expires; if you don't, the install will fail when you go on to step two. Double-check the key length (should be 4096) and the signing algorithm (should be SHA512withRSA), and add additional notes at the bottom if needed. Once the certificate is issued, copy the PKCS #7 copy and paste it into ca_signing.crt in the same directory as the ca-external-step1.cfg file.
Place the issued CA signing certificate in ca_signing.crt. Export the external CA certificate or certificate chain in external.crt.
Step 2 Completing CA Installation
Prepare a deployment configuration for step 2 (e.g. ca-external-step2.cfg) by copying the step 1 file (i.e. ca-external-step1.cfg) and making the following changes.
Specify step 2 with the following parameter:
pki_external_step_two=True
Specify the externally-signed CA certificate file with the following parameter (this is a new line to add; don't rename an existing one)
pki_ca_signing_cert_path=ca_signing.crt
Finally, execute the following command:
sudo pkispawn -f ca-external-step2.cfg -s CA
If you mess up, use pkidestroy to remove the failed instance. If step 1 succeeded but step 2 failed, you'll need to use pkidestroy to remove the failed instance and start over at step 1 (this includes submitting a new CSR).
Output:
Log file: /var/log/pki/pki-ca-spawn.20190420103942.log
Loading deployment configuration from ca-external-step2.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
/tmp/tmpL0IaTo/cert0.crt: CN=Company Name Root CA Signing Cert,OU=IT dept,O=Company Name
/tmp/tmpL0IaTo/cert1.crt: CN=Company Name Subordinate CA Signing Cert,OU=IT,O=Company Name
-------------------------------------------------------------------------------------------
Imported certificate "Company Name Root CA Signing Cert - Company Name"
-------------------------------------------------------------------------------------------
Notice: Trust flag u is set automatically if the private key is present.

==========================================================================
                                INSTALLATION SUMMARY
==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12
      Administrator's certificate nickname: caadmin
      Administrator's certificate database:
            /root/.dogtag/pki-tomcat/ca/alias

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://sub-ca.domainname.com:8443/ca

      PKI instances will be enabled upon system boot

==========================================================================
Copy the installation summary and put it in a document for later reference. This same document should contain all the login info for the Directory Manager, the OS user logins, the location of the machine, and the details and system certificate info of this CA. See the end of this document for an example.
Note the password you set for caadmin, the CA admin and Dogtag Web UI account (optional).
Note: If the DNS name of your CA server isn't a part of any of your other DNS databases, the Web UI might fail when trying to use the fqdn instead of IP. To fix this just replace the fqdn with the IP as needed.
Note: If you want to use the Dogtag web UI, import the user authentication certificate for caadmin. Using CentOS 7 Workstation or Fedora 24 Workstation, copy the caadmin certificate to the workstation then add it to Firefox's user certificates. If you receive an authentication error or “You did not provide a valid certificate for this operation” when browsing to “https://host.domain.net:8443/ca” then you have not used caadmin's authentication certificate for privileged access.
The caadmin certificate can be found in /root/.dogtag/pki-tomcat/ca_admin_cert.p12. Copy it to an admin workstation using scp root@<ip address or hostname>:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 . If using sudo, you'll need to copy the p12 file to the sudo user's home directory first, chown it to the sudo user and scp it from there.
Import the certificate into Firefox by selecting menu, Preferences, Advanced, View Certificates, Your Certificates, then Import. Once complete, you will find “PKI Administrator” under “Your Certificates.” When it prompts you for the password it will be the password you specified in the ca-external-step1.cfg on line pki_client_pkcs12_password.
Extend the CRL interval:
sudo systemctl stop pki-tomcatd@pki-tomcat.service
sudo vim /etc/pki/pki-tomcat/ca/CS.cfg
find and change
ca.crl.MasterCRL.autoUpdateInterval=240
to
ca.crl.MasterCRL.autoUpdateInterval=5256000
and
ca.crl.MasterCRL.enableDailyUpdates=false
Extend the Other Certificate default period (we use this for Windows domain controllers) https://frasertweedale.github.io/blog-redhat/posts/2019-03-04-dogtag-system-cert-lifetime.html
sudo vim /var/lib/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg
find all instances of 720 and change them to 3650
policyset.otherCertSet.2.constraint.params.range=3650
policyset.otherCertSet.2.default.params.range=3650
Do this for the Domain Controller template as well
sudo vim /var/lib/pki/pki-tomcat/ca/profiles/ca/DomainController.cfg
Here you're changing 1825 to 3650.
sudo systemctl start pki-tomcatd@pki-tomcat.service
Download latest CRL: https://ip.add.res:8443/ca/ee/ca/DisplayCRL.html and save it in your documentation folder.
Go to https://ip.add.res:8443/ca/ee/ca/ → Retrieval → Import CA Certificate Chain → download each of the certificate formats and save it to your documentation folder.
Note: as of 04/10/19, after reboot the pki-tomcatd@pki-tomcat service doesn't come back up automatically, start it manually with systemctl start pki-tomcatd@pki-tomcat.service
Or add the crontab entry
@reboot systemctl restart pki-tomcatd@pki-tomcat.service
Example Documentation Template
Role: Offline root certification authority via Dogtag 10.5
OS: CentOS 7
Location: Virtual Guest
IP: 10.254.157.240
user: root | superSecretPasswordA
user: camden | superSecretPasswordB
389 directory server instance: root-ca
389 Directory Manager password: superSecretPasswordW
Certificate administrator account and password: caadmin | superSecretPasswordX
URL: https://root-ca.domainname.com:8443/

==========================================================================
                                INSTALLATION SUMMARY
==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://root-ca.domainname.com:8443/ca

      PKI instances will be enabled upon system boot

==========================================================================

System Certificates
Serial  Expires     Certificate
0x1     04/18/2039  CN=Company Name Root CA Signing Cert,OU=IT dept,O=Company Name
0x2     04/15/2029  CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x3     04/15/2029  CN=root-ca.domainname.com,OU=pki-tomcat,O=domainname.com Security Domain
0x4     04/15/2029  CN=Subsystem Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x5     04/15/2029  CN=CA Audit Signing Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x6     04/15/2029  CN=PKI Administrator,E=admin@domainname.com,OU=pki-tomcat,O=domainname Security Domain
Verification

Verifying system certificates

If the HSM is used, the internal token will have the following certificates:

$ certutil -L -d /etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - ROOT                                CT,C,C
ca_signing                                                   CT,C,C
ca_audit_signing                                             ,,P

and the HSM will have the following certificates:

$ certutil -L -d /etc/pki/pki-tomcat/alias -h HSM -f password.txt

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

HSM:ca_ocsp_signing                                          u,u,u
HSM:sslserver/server.example.com                             u,u,u
HSM:ca_signing                                               u,u,u
HSM:subsystem                                                u,u,u
HSM:ca_audit_signing                                         u,u,u

Verifying CA admin

Prepare a client NSS database:

$ pki -c Secret.123 client-init

Import the CA certificate chain:

$ pki -c Secret.123 client-cert-import "CA Signing Certificate - ROOT" --ca-cert cert_chain.crt

Import the subordinate CA signing certificate:

$ pki -c Secret.123 client-cert-import "CA Signing Certificate - EXAMPLE" --ca-cert ca_signing.crt

Import CA admin certificate and key:

$ pki -c Secret.123 client-cert-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf

Execute the following command:

$ pki -c Secret.123 -n caadmin ca-user-find

pki -c pass123! client-cert-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf