Thursday, February 25, 2010

Properly Deploying a Private CA Cert in Ubuntu

I think the true strength of the certificate PKI is the ability to set up a CA for your organization and mint your own certs. You get the advantage of proper certificate validation without the cost of paying a third party to validate your identity (snicker).



There are copious sets of instructions on how to create your own CA but I had a very difficult time finding proper instructions on deploying the cert to clients. Most of them simply say, “post it on your web server, visit it in your browser, then click Trust.” That’s fine on your computer but what about a larger organization. Are you going to just tell all your users to do this and expect them to get it done? What about multiple browsers? That kind of solution just doesn’t scale.



In my personal environment my clients are Ubuntu Karmic. I’ve seen some kind of hackish solutions where you put the cert in /etc/ssl/certs then add softlinks or run c_rehash if you’ve read some man pages. After searching the Internet and not getting far I finally started digging through /usr/share/doc/ca-certificates and found the README.Debian file. It states that the proper way to install private CA certs is to put them in /usr/local/share/ca-certificates and ensure that the names end in .crt. Once that’s done you run update-ca-certificates and the appropriate linking is done for you. With that complete you may need to start your various clients but it should be working for your command line web tools and graphical browsers.



I said visiting a URL in the browser and having users click through dialog boxes was unrealistic. Frankly, it’s cumbersome, but is copying the file out to each machine and running a command any better? Because I run cfengine, absolutely! My additions look something like this:




control:

AddInstallable = ( ... NewCACert )
...
directories:
/usr/local/share/ca-certificates owner=root group=root mode=0666
...
files:
...
$(masterfiles)/CA/cacert.pem
dest=/usr/local/share/ca-certificates/lub-dub_CA.crt
mode=0444
owner=root
group=root
inform=true
encrypt=true
define=NewCACert
server=$(policyhost)
...
shellcommands:
...
NewCACert::
"/usr/sbin/update-ca-certificates"


The only thing missing is the fact that while my desktop systems are Ubuntu my server systems are Debian Lenny. The Karmic version of ca-certificates is 20090814 while the Lenny version is only 20070303. The update-ca-certificates script in the Lenny version doesn’t look in /usr/local/share/ca-certificates so I’ve had to add that myself.

No comments:

Post a Comment