Setting up Windows Root CA on CentOS 6.9 Linux server

Hello and welcome.
It is that time for me to add a new article to the blog. I know, I KNOW. It’s been a long time. I’m sorry…

In today’s blog post, I will be covering the process to set up a root certificate on a Linux host, and the process of generating a CSR and adding the resulting certificate to Apache.
There are many, many, many articles walking through the creation of a self-signed certificate on Linux. If there is any question about that, take a look here, here, here, or here, just to name a few.
With that being said, there are very few articles that walk through the entire process of pulling a root certificate from a Windows Active Directory or standalone CA, importing it into a Linux host, and then creating a certificate for use on that Linux host for Apache.

That is exactly what I’m going to cover today.

NOTE – This article is the culmination of piecing together several different articles from multiple website sources. My intent was to pull all of these different materials into one location for ease of reference. I will be incorporating several pictures and steps directly from those websites, and I have a reference link to that content in the source links below.


This walkthrough assumes the following:

  1. You have already built your physical/virtual machine
  2. You have set up Apache and the service is running without issue
  3. You have iptables entries created to allow traffic for both http and https
    # iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    # iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  4. You have installed mod_ssl and openssl by running:
    yum install mod_ssl openssl

Acquire the root certificate from ADCS

The first and most important step for all of this magic to work is to have the root certificate loaded into the certificate store on our Linux host. Unfortunately, the formats of these certificates are not always compatible, so we need to make sure that the Microsoft PKCS #7 format is converted into the PEM format commonly used on Linux hosts. After you have acquired your root certs from the CA, we need to convert them.

  1. After you receive the certificate from the CA, double-click on the certificate to open it.
    When you open the certificate, it appears as shown in the following screen shot:
  2. Locate the path of the certificate on your computer and double-click on the certificate again to open it.

  3. Select the Details tab.
  4. Click Copy to File.
  5. Click Next in the Certificate Export Wizard window.
  6. Select the Base-64 encoded X.509 (.CER) option. This converts the certificate to PEM format.
  7. Click Next.
  8. Click Browse and select a location to store the converted PEM.
  9. Click Next.
  10. Click Finish.

    After converting the certificate to PEM format, the certificate has an extension .cer.
  11. To verify that the certificate is in PEM format, change the extension to .txt or .doc and open the file. It must start with the line “-----BEGIN CERTIFICATE-----”.
  12. Using WinSCP, copy the converted .pem certs to:
  13. Run the following commands to import the root certs into the certificate store.
    # update-ca-trust enable

    followed by:

    # update-ca-trust extract
  14. Verify the root CAs are OK
    # openssl verify LegacyIssuing.cer
    LegacyIssuing.cer: OK
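
As an alternative to renaming the file and reading it in a text editor, the following added example (not from the original article) uses openssl on the Linux host to identify whether an exported file is PEM, DER or PKCS #7 and to normalise it to PEM. The function names are assumptions made for illustration.

```bash
# Added example, not from the original article. Function names are
# illustrative assumptions; only standard openssl subcommands are used.

# Print the encoding of file $1: pem, der, pkcs7-pem, pkcs7-der or unknown.
cert_format() {
    local f="$1"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        # PEM armour present: make sure the body really parses as a certificate
        openssl x509 -in "$f" -noout >/dev/null 2>&1 && echo pem || echo unknown
    elif grep -q -- '-----BEGIN PKCS7-----' "$f" 2>/dev/null; then
        openssl pkcs7 -in "$f" -noout >/dev/null 2>&1 && echo pkcs7-pem || echo unknown
    elif openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then
        echo der
    elif openssl pkcs7 -in "$f" -inform DER -noout >/dev/null 2>&1; then
        echo pkcs7-der
    else
        echo unknown
    fi
}

# Write the certificate(s) in $1 to $2 as PEM, whatever the input encoding.
to_pem() {
    case "$(cert_format "$1")" in
        pem)       openssl x509  -in "$1" -out "$2" ;;
        der)       openssl x509  -in "$1" -inform DER -out "$2" ;;
        pkcs7-pem) openssl pkcs7 -in "$1" -print_certs -out "$2" ;;
        pkcs7-der) openssl pkcs7 -in "$1" -inform DER -print_certs -out "$2" ;;
        *)         echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# Print subject, issuer, validity and SHA-256 fingerprint of PEM file $1 so
# the values can be compared with what the CA console shows.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}
```

Comparing the fingerprint printed by `describe_cert` with the thumbprint shown on the CA confirms that the file placed in the trust store is the root you intended to trust.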

Create a CSR for the Linux Server
Next we have to generate a Certificate Signing Request to be submitted to the Microsoft CA, which will in turn generate a certificate for our website, which is then signed by the root CA, and trusted by the Linux host.

  1. Generate the private key and the CSR:
    # cd /tmp
    # openssl req -nodes -newkey rsa:2048 -keyout service.something.key -out service.something.csr
  2. Copy the CSR and key out to your Windows machine via WinSCP.
  3. Open the CA website, and request a certificate.
  4. Based on your specific implementation, you may need to submit an “advanced certificate request”.
  5. Paste the contents from the CSR file into the box.
  6. Retrieve the certificates from the site.

Import generated cert into Linux certificate store

Now that we have our cert generated, we simply need to copy it back into our certificate store. For this, we will need the key, the cert and the csr files.

  1. Copy to the following paths:
    cp service.something.cer /etc/pki/tls/certs
    cp service.something.key /etc/pki/tls/private/service.something.key
    cp service.something.csr /etc/pki/tls/private/service.something.csr
  2. Update the Apache SSL configuration file:
    vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
    • Change the path to match where the certificate file is stored. If you’ve used the method above it will be
      SSLCertificateFile /etc/pki/tls/certs/service.something.cer
    • Then set the correct path for the Certificate Key File a few lines below. If you’ve followed the instructions above it is:
      SSLCertificateKeyFile /etc/pki/tls/private/service.something.key
  3. Finally, save the file and quit, then restart Apache:
    service httpd restart
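
The CSR and import steps above leave three things worth checking before Apache is restarted: that the issued certificate belongs to the key generated in /tmp, that it chains to the root imported earlier, and that the unencrypted key (created with -nodes) is not readable by other users. The following is an added example, not part of the original article; the function names and the `root-ca.pem` file name are assumptions.

```bash
# Added example, not from the original article. Function names and
# root-ca.pem (the PEM root exported in the first section) are assumptions.

# Succeeds when certificate $1 and RSA private key $2 share a modulus.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    k=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when certificate $1 verifies against CA file $2.
# Compares the output line as well as the exit status.
chains_to() {
    local out
    out=$(openssl verify -CAfile "$2" "$1" 2>/dev/null) || return 1
    [ "$out" = "$1: OK" ]
}

# Succeeds when key file $1 grants nothing to group or other (e.g. 600).
key_is_private() {
    case "$(stat -c %a "$1" 2>/dev/null)" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run all three checks; report each failure and return non-zero on any.
preflight() {
    local cert="$1" key="$2" ca="$3" rc=0
    cert_matches_key "$cert" "$key" || { echo "FAIL: certificate does not match key"; rc=1; }
    chains_to "$cert" "$ca"         || { echo "FAIL: certificate does not chain to $ca"; rc=1; }
    key_is_private "$key"           || { echo "FAIL: $key is readable by group/other"; rc=1; }
    return $rc
}

# Typical use with the article's paths (commented out so the block is inert):
# preflight /etc/pki/tls/certs/service.something.cer \
#           /etc/pki/tls/private/service.something.key \
#           /etc/pki/tls/certs/root-ca.pem && service httpd restart
```

If the key permission check fails, `chmod 600` on the key file corrects it; a mismatch between certificate and key usually means the CA was given a CSR from a different key pair.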

That’s it folks! You should now be able to connect to your SSL host, and not get prompted to accept that ugly self-signed certificate. The only thing left to do is set up a redirect to send all those ugly insecure connections to your new awesome HTTPS connection. We’ll save that for another blog post!

April 2, 2019 8:55 AM

Thanks for this article, very helpful 😉



September 14, 2021 11:40 AM

Thank you!
