CA Website

As we need a place to inform our users about the CA, distribute our certificates and publish revocation information, we create a website.

IP Addresses

In this example we use 192.0.2.28 and 2001:db8:face::28 as IP addresses for the website.

To add the IPv4 address:

$ sudo ip addr add 192.0.2.28/24 dev eth0

To add the IPv6 address:

$ sudo ip addr add 2001:db8:26:845::28/64 dev eth0

Edit /etc/network/interfaces:

...

# ca.example.net
iface eth0 inet static
    address 192.0.2.28/24
iface eth0 inet6 static
    address 2001:db8::28/64

Nginx Configuration

For now a simple static website with some information and relevant files to download will do.

The complete file is available for download.

#
# Certificate Authority Website
# ca.example.net

# Unsecured HTTP Site
server {

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen                  192.0.2.10:80;

    # IPv6 global address
    listen                  [2001:db8::28]:80;

    server_name             ca.example.net;

    # Server Default Settings
    include                 /etc/nginx/server-defaults/*.conf;

    # Public Documents Root
    root                    /var/www/ca.example.net/public_html;
}

# Secured HTTPS Site
server {

    # IPv4 private address (Port-forwarded from NAT firewall/router)
    listen                  192.0.2.10:443 ssl spdy;

    # IPv6 global address
    listen                  [2001:db8::28]:443 ssl spdy;

    server_name             ca.example.net;

    # TLS settings
    include                 /etc/nginx/tls.conf;
    include                 /etc/nginx/ocsp-stapling.conf;
    ssl_certificate         /etc/ssl/certs/example.net.chained.cert.pem;
    ssl_certificate_key     /etc/ssl/private/example.net.key.pem;
    ssl_trusted_certificate /etc/ssl/certs/CAcert_Class_3_Root.OCSP-chain.pem;
    add_header              'Public-Key-Pins'
        'pin-sha256="SXdoaC3aoo/NgckESACRQgOkv4At2gXRyVM7puNt28w=";
         pin-sha256="YAPsGXfNvFh435aZmtCIBSC7kVdE7p7pjt2k1llJ78Y=";
         max-age=15768000';

    # Server Default Settings
    include                 /etc/nginx/server-defaults/*.conf;

    # Public Documents Root
    root                    /var/www/ca.example.net/public_html;
}
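
The Public-Key-Pins header above commits browsers to the two SPKI hashes for max-age seconds, so a certificate whose key matches neither pin locks returning visitors out. The check below is an added example, not part of the original page or its downloadable file: it derives the pin-sha256 value from a DER certificate using only the standard library and accepts a header only if it pins the served certificate and also carries a backup pin. The certificate bytes are a constructed, structurally valid dummy skeleton (not a real key or certificate), assumed only to exercise the parser.

```python
import base64
import hashlib
import re

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, tbs, _ = _read_tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, tbs)               # TBSCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, end = _read_tlv(cert_der, pos)
    return cert_der[pos:end]

def pin_sha256(cert_der):
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def hpkp_header_is_safe(cert_der, header_value):
    """True only if the header pins the served certificate AND has a distinct backup pin."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header_value))
    return pin_sha256(cert_der) in pins and len(pins) >= 2

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(body)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

# Constructed sample: a certificate skeleton with a dummy P-256 SubjectPublicKeyInfo
# (0x11 repeated is not a real curve point; nothing here is from the page).
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + _der(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")               # version, serial
    + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))    # signature alg
    + _der(0x30, b"") + _der(0x30, _der(0x17, b"150101000000Z") * 2)    # issuer, validity
    + _der(0x30, b"") + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))  # subject, SPKI
```

Run pin_sha256 on the real leaf certificate (DER) before reloading nginx and compare the result with the pins in the header; a header whose pins cover neither the live key nor a spare key should never go out.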

Information Page

The CA’s website should contain the following information in human readable form:

  • General information about the CA.
  • Contact information.
  • Certification policies.
  • How to verify the root certificate of this CA.
  • How to set this CA’s root certificate as trusted in various clients.
  • How to request a signed certificate from this CA.
  • How to install signed certificates in various clients and servers.
  • How to request revocation in case of loss or compromise of private keys.

CA Files

Publish the CA certificates and CRLs on the server so that users can download them and clients can fetch them while verifying certificates:

  • Root CA Certificate /certs/root-ca.crt
  • Root CA Revocation List /crl/root-ca.crl
  • Intermediate CA Certificate /certs/intermed-ca.crt
  • Intermediate CA Revocation List /crl/intermed-ca.crl