Blog | G5 Cyber Security

Offline CA Server Setup

TL;DR

This guide shows you how to set up a Certificate Authority (CA) on a server with no internet access, so that you can issue certificates for devices on your local network that your own clients will trust once they have imported the CA’s root certificate. We’ll use OpenSSL for this.

Setting Up an Offline CA Server

  1. Install OpenSSL: If it isn’t already installed, download and install OpenSSL on your server. The installation process varies depending on your operating system (Windows, Linux etc.).
  2. Create a Directory Structure: Create folders to organise your CA files, and restrict the private directory so that only the CA operator can read it.
    mkdir ca
    cd ca
    mkdir certs newcerts private config
    chmod 700 private
  3. Generate the Root Key and Certificate: This is the heart of your CA. It’s crucial to keep this key secure.
    1. Create a Configuration File (openssl.cnf): Place this file in the config directory. The paths under [ CA_default ] are relative to dir, so run every openssl command from the ca directory. Note the two separate extension sections: v3_ca is applied only to the self-signed root (via x509_extensions in [ req ]), and server_cert, with CA:FALSE, is the section you name when signing certificates for servers and clients. copy_extensions = copy lets the subjectAltName from a CSR be carried into the certificate; because the extensions named on the openssl ca command line are applied first, a CSR cannot use it to smuggle in its own basicConstraints or keyUsage. A basic example:
      [ ca ]
      default_ca = CA_default
      
      [ CA_default ]
      dir             = .
      certs           = $dir/certs
      new_certs_dir   = $dir/newcerts
      database        = $dir/index.txt
      serial          = $dir/serial
      private_key     = $dir/private/ca.key
      certificate     = $dir/certs/ca.crt
      default_md      = sha256
      default_days    = 365
      policy          = policy_loose
      copy_extensions = copy
      
      [ policy_loose ]
      countryName            = optional
      stateOrProvinceName    = optional
      localityName           = optional
      organizationName       = optional
      organizationalUnitName = optional
      commonName             = supplied
      emailAddress           = optional
      
      [ req ]
      distinguished_name = req_distinguished_name
      x509_extensions    = v3_ca
      prompt             = no
      
      [ req_distinguished_name ]
      C            = GB
      ST           = England
      L            = London
      O            = My Organisation
      OU           = IT Department
      emailAddress = admin@example.com
      CN           = My Root CA
      
      [ v3_ca ]
      basicConstraints     = critical, CA:TRUE
      keyUsage             = critical, keyCertSign, cRLSign
      subjectKeyIdentifier = hash
      
      [ server_cert ]
      basicConstraints       = CA:FALSE
      keyUsage               = critical, digitalSignature, keyEncipherment
      extendedKeyUsage       = serverAuth
      subjectKeyIdentifier   = hash
      authorityKeyIdentifier = keyid,issuer
    2. Generate the Private Key: Protect it with a passphrase and make it readable only by the CA operator. Anyone who obtains this file can issue certificates that every device on your network will trust.
      openssl genrsa -aes256 -out private/ca.key 4096
      chmod 400 private/ca.key
    3. Generate the Root Certificate (Self-Signed): The v3_ca extensions are applied through the x509_extensions setting in the [ req ] section, which is what marks the certificate as a CA.
      openssl req -new -x509 -days 3650 -sha256 -key private/ca.key -out certs/ca.crt -config config/openssl.cnf
  4. Create the Serial Number File and the Database: serial holds the next certificate serial number and index.txt is the list of issued certificates that openssl ca maintains. Both live in the ca directory (the dir setting in the configuration) and openssl ca will refuse to run if either is missing.
    echo 1000 > serial
    touch index.txt
  5. Issue Certificates to Servers/Clients: For each server or client, you’ll create a Certificate Signing Request (CSR) and then sign it with your CA. Ideally the private key and CSR are generated on the device itself and only the CSR is carried to the offline CA, so the device’s key never exists anywhere else; the commands below generate both on the CA for simplicity. Replace server.example.lan with the device’s actual hostname.
    1. Create a Private Key for the Server/Client:
      openssl genrsa -out private/server.key 2048
    2. Create a CSR: -subj overrides the root CA’s name from the configuration file (without it, prompt = no would give every server the subject CN = My Root CA), and -addext places the hostname in a subjectAltName, which browsers and most TLS libraries now require instead of relying on the CN. -addext needs OpenSSL 1.1.1 or later.
      openssl req -new -key private/server.key -out server.csr -config config/openssl.cnf -subj "/O=My Organisation/CN=server.example.lan" -addext "subjectAltName=DNS:server.example.lan"
    3. Sign the CSR with your CA, naming the server_cert extension section. Never sign with the CA section: a certificate carrying CA:TRUE and keyCertSign would let that server issue its own certificates that every client on your network trusts.
      openssl ca -extensions server_cert -days 365 -notext -md sha256 -in server.csr -out certs/server.crt -config config/openssl.cnf
    openssl ca also keeps a copy of each issued certificate as newcerts/<serial>.pem and records it in index.txt; back these up together with the CA, since they are what you need in order to revoke a certificate later.
  6. Distribute Certificates: Copy the signed certificate (server.crt) to the appropriate server or client, together with ca.crt so the application can present the full chain. If the private key was generated on the CA rather than on the device, move it over a secure channel and delete the CA’s copy; the CA has no reason to retain end-entity private keys.
  7. Configure Servers/Clients to Use the Certificate: The configuration process depends on the specific application (e.g., Apache, Nginx, OpenVPN). You’ll need to point the application to your server.crt and its corresponding private key (server.key).
  8. Trusting the CA Certificate: Clients will need to trust your root CA certificate. This usually involves importing ca.crt into their trusted certificate store. The method varies depending on the operating system or application.
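The whole procedure end to end, as an added example that is not part of the original post: it builds the CA in a scratch directory, issues one server certificate non-interactively, and then runs the checks you would want before distributing anything. It assumes (all constructed for this example) that the root key passphrase comes from the CA_PASS environment variable, that the device is server.example.lan, and that OpenSSL is 1.1.1 or newer; the embedded openssl.cnf is a trimmed copy of the configuration above.

```shell
#!/bin/sh
# Added example, not the article's own script: runs the whole procedure above
# non-interactively in a scratch directory and then checks the result.
# Assumptions (constructed for this example): the root key passphrase comes
# from the CA_PASS environment variable, the device is server.example.lan,
# and OpenSSL is 1.1.1 or newer (needed for "req -addext").
set -eu

write_ca_config() {   # $1 = CA directory; a trimmed copy of the openssl.cnf above
  cat > "$1/config/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
private_key     = $dir/private/ca.key
certificate     = $dir/certs/ca.crt
default_md      = sha256
default_days    = 365
policy          = policy_loose
copy_extensions = copy

[ policy_loose ]
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
O  = My Organisation
CN = My Root CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

build_offline_ca() {   # $1 = CA directory, $2 = hostname to certify
  mkdir -p "$1/certs" "$1/newcerts" "$1/private" "$1/config"
  chmod 700 "$1/private"
  write_ca_config "$1"
  (
    cd "$1"   # every path in the config is relative to dir = .
    touch index.txt
    echo 1000 > serial
    # Root key: passphrase-protected and never copied off the offline host.
    openssl genrsa -aes256 -passout env:CA_PASS -out private/ca.key 4096
    chmod 400 private/ca.key
    openssl req -new -x509 -days 3650 -sha256 -passin env:CA_PASS \
      -key private/ca.key -out certs/ca.crt -config config/openssl.cnf
    # Server key and CSR (in practice made on the device; only the CSR is carried over).
    openssl genrsa -out private/server.key 2048
    openssl req -new -key private/server.key -out server.csr -config config/openssl.cnf \
      -subj "/O=My Organisation/CN=$2" -addext "subjectAltName=DNS:$2"
    # Sign with the end-entity section; -batch skips the interactive confirmation.
    openssl ca -batch -notext -passin env:CA_PASS -config config/openssl.cnf \
      -extensions server_cert -in server.csr -out certs/server.crt
  )
}

check_issued_cert() {   # $1 = CA directory, $2 = expected hostname
  # Chains to our root, is usable as a TLS server certificate and matches the hostname.
  openssl verify -CAfile "$1/certs/ca.crt" -purpose sslserver \
    -verify_hostname "$2" "$1/certs/server.crt" >/dev/null || return 1
  # Is not itself a CA: signing with the CA extension section would have made it one.
  openssl x509 -in "$1/certs/server.crt" -noout -text | grep -q 'CA:FALSE' || return 1
  # The root key on disk is encrypted, so a copied file alone cannot issue certificates.
  grep -q ENCRYPTED "$1/private/ca.key"
}

: "${CA_PASS:=change-this-passphrase}"   # constructed default for the demo only
export CA_PASS
demo_dir=$(mktemp -d)
build_offline_ca "$demo_dir" server.example.lan
check_issued_cert "$demo_dir" server.example.lan
echo "issued and verified: $demo_dir/certs/server.crt"
```

Run it with a real passphrase in the environment (CA_PASS='...' sh offline-ca.sh) and point it at the permanent CA directory instead of mktemp for real use. check_issued_cert is the part worth keeping: run it against every certificate before it leaves the offline host, since a certificate that verifies but carries CA:TRUE, or that lacks a matching subjectAltName, is exactly the kind of mistake that is cheap to catch here and expensive once it is deployed.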

Important Security Notes:
