How To Setup a Certificate Authority (CA) on Debian?

This post will show how to setup a Certificate Authority (CA) on Debian, to generate and manage trusted certificates.

Table of Contents
  1. What is a Certificate Authority (CA)?
  2. Steps to Set Up a Certificate Authority (CA) on Debian

What is a Certificate Authority (CA)?

A Certificate Authority (CA) is an organization or entity that issues digital certificates, which are used to verify the identity of entities (like websites, organizations, or individuals) and establish secure communication through encryption.

  • Digital Certificates: CA provides Digital Certificates that contain a public key and information about the entity that owns it, like the domain name, and organization details, with the CA’s signature.
  • Trust: Browsers or other systems inherently trust certificates issued by reputable CAs. If a certificate is signed by a CA, it means the entity behind it has been verified by that CA as legitimate.
  • Encryption: CAs help facilitate secure communication by supporting Public Key Infrastructure (PKI). Therefore, allowing users and websites to exchange information privately through encryption.

Although it is a good option to use Digital Certificates issued by a well-known CA such as DigiCert, Let’s Encrypt, and GlobalSign for communication over the internet between the general public, private groups, and production environments, a Private CA is a better and economical option.

Note: – A user must have sudo privileges on the CA Server. [LINK to POST add SUDO GROUP]

Step to Setup a Certificate Authority (CA) on Debian:

Step-1: Install Easy-RSA

Easy-RSA is a command-line tool that simplifies the process of managing a Public Key Infrastructure (PKI). It is typically used for creating and managing SSL/TLS certificates. Whereas, Easy-RSA can help you set up your certificate authority (CA), by generating the root private key and self-signed root certificate.

To install Easy-RSA on the Debian Server, use the command below:

$> sudo apt install easy-rsa
install Easy-RSA on the Debian Server
Step-2: Setup and Initialize Public Key Infrastructure (PKI) Directory:

1. Setup PKI Directory:

There are two methods to setup the PKI directory,
Method-1. Manual Method
Method-2. Automated Method

Method-1: Manual Setup to setup PKI Directory

i. Create PKI Directory:

$> mkdir ~/easy-rsa

ii. Symlink the PKI Directory:

$> ln -s /usr/share/easy-rsa/* ~/easy-rsa/

Alternately, you may copy the contents of /usr/share/easy-rsa (Easy-RSA package) directory, but here we opt for the symlink approach such that updating the easy-rsa packages will automatically update the contents of the ~/easy-rsa directory.

iii. Restrict Access to the PKI Directory:

$> chmod 700 ~/easy-rsa

This command restricts the read, write, and execute permission only to the owner of the directory.

Creating PKI Directory
Method 2: Automated Setup

1. Use the command below to setup the PKI Directory:

    $> make-cadir ~/easy-rsa
    Create PKI Directory

    2. Change the current working directory to PKI Directory:

    $> cd ~/easy-rsa
    change working directory

    3. Initialize the PKI inside the PKI Directory:

    Use the command below to run the Easy-RSA script to Initialize PKI:

    $> ./easyrsa init-pki

    This command will initialize a PKI (~/easy-rsa/pki) with all the files that are needed to create a Certificate Authority.

    initialize PKI
    Step 3: Create a Certificate Authority (CA)

    1. Configure the CA Variables:

    Edit the vars file using the nano text editor, to set your Certificate Authority (CA) variables:

    $> nano vars
    editing vars file

    Uncomment and adjust the following lines to match your organizational details:

    set_var EASYRSA_REQ_COUNTRY    "India"
    set_var EASYRSA_REQ_PROVINCE   "Delhi"
    set_var EASYRSA_REQ_CITY       "New Delhi"
    set_var EASYRSA_REQ_ORG        "YourOrganization"
    set_var EASYRSA_REQ_EMAIL      "[email protected]"
    set_var EASYRSA_REQ_OU         "YourOrganizationalUnit"
    editing vars file

    2. Build Certificate Authority (CA):

    $> ./easyrsa build-ca nopass

    Basically, the nopass option avoids setting a password for the CA, simplifying the process. If you choose to add a password for the CA omit nopass option, then you will be required to enter a password every time you sign a certificate.

    After running the above command you will have two important files, which make up the public and private components of a Certificate Authority:

    •  ~/easy-rsa/pki/ca.crt : CA’s Public Certificate
    • ~/easy-rsa/pki/private/ca.key : CA’s Private Key [to be kept secure]
    building ca
    building ca
    Step-4: Distribute Certificate Authority’s Public Certificate

    1. Share the Public Key with the Client:

    On the CA Server use the command below.

    $> scp ~/easy-rsa/pki/ca.crt [Client Username]@[Client IP]:/tmp

    Replace [Client Username] and [Client IP] with the Client’s Username and IP Address respectively.

    The above command will share a copy of the Public Certificate with the Client and store it in the /tmp directory on the Client’s System.

    2. Import the Public Certificate into the Client’s Certificate Store:

    On the Client System use the commands below:

    For Debain-based Systems use:

$> sudo cp /tmp/ca.crt /usr/local/share/ca-certificates/

$> sudo update-ca-certificates
    For CentOS, Fedora and Red-Hat Systems use:

$> sudo cp /tmp/ca.crt /etc/pki/ca-trust/source/anchors/

$> sudo update-ca-trust

    Now the Client’s System will trust any certificate that has been signed by the Private CA server.

    Now, the next step is to request and generate digital certificates for your applications: How to Generate a Digital Certificate on Debian [LINK].