Being a CA

After Heartbleed I had the opportunity to redo all of my certificates; while I was at it I decided to try to be a CA the right way (or at least righter).

A lot of the information I found was lacking: incomplete, dated, or just wrong.  I am documenting this mostly for my own benefit, for when I need (or want) to do this again.

Step 1 is creating the CA itself.  To do that you need to edit the openssl.cnf file and make a few changes.

  1. Set HOME; this is where the CA tooling stores a bunch of “stuff”.
  2. In CA_default, set dir to an absolute path where your CA will store its files.
  3. Set copy_extensions to “copy”.  The documentation says you need to be careful with this, because it means that anyone (you?… it’s your CA, isn’t it?) can add X.509 extensions to the CSR and you’ll sign them (if you don’t check carefully; openssl ca still shows them to you before it asks you to confirm the signing).  Normally a CSR is stripped down to just the subject before signing and the CA adds whatever extensions you specify, but it’s messy to always be specifying them on the CA side (especially for things like subjectAltName), and they really do belong where the CSR originates.  Just be careful, and don’t be dumb.
  4. Set default_days.  I like not having to deal with this for long periods of time, so I have mine at 3650.
  5. Update policy_match as you like it.  The levels are match, supplied, and optional; and probably something for ‘not supplied’, but I am not going to look it up.
  6. Set default_bits.  Again, I like not needing to deal with this for long periods of time, so 4096!
  7. Set req_distinguished_name to provide convenient defaults for you.
  8. The big one: in usr_cert add the following.  This is where you’re a real CA (well, kinda):
    authorityInfoAccess = @ocsp_info
    crlDistributionPoints = @crl_info
  9. Create the sections referenced above:
    [ ocsp_info ]
    caIssuers;URI.0 =
    OCSP;URI.0 =
    [ crl_info ]
    URI.0 =
  10. In v3_req set (these should be set on the clients where you generate keys):
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
  11. In v3_ca:
    basicConstraints = critical,CA:true
    keyUsage = critical,digitalSignature,cRLSign,keyCertSign

This is your basic CA conf.  Now, before you make your CA cert, you need to make a one-time edit (to be undone once your CA is set up):

In [ req ], set x509_extensions = v3_ca and comment out req_extensions.

Now make your CA cert:

First you need to create the directories for the openssl ca program to work in; remember to set modes appropriately (private/ is where the CA key lives).

These directories are:

  1. $BASE
  2. $BASE/private
  3. $BASE/certs
  4. $BASE/crl
  5. $BASE/newcerts

Create the DB files for the CA to work with:

  1. touch $BASE/index.txt
  2. echo 1000 > $BASE/serial

Make your CA private key file:

openssl genrsa -aes256 -out $BASE/private/cakey.pem 4096

Make the CA!

openssl req -new -x509 -days 7305 -extensions v3_ca -key $BASE/private/cakey.pem -out $BASE/cacert.pem -config YOUR_OPENSSL_CA.cnf

Now edit your openssl.cnf to put those extension lines back (remove x509_extensions = v3_ca and restore req_extensions = v3_req).

Sign Stuff!

openssl ca -config YOUR_OPENSSL_CA.cnf -in REQFILE -out CERTFILE
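The whole procedure above, as an added, self-contained example (not code from the original post): it writes a config with the settings from the step list, creates the working tree and DB files, makes the encrypted CA key and self-signed CA cert, produces a client CSR carrying v3_req, and signs it. Because copy_extensions = copy takes extensions straight from the CSR, it also adds the check a CA operator would want before signing: a gate that refuses any CSR asking for CA:TRUE or keyCertSign, demonstrated with a second CSR that requests exactly that. Assumptions not in the post: the Example Org names, the example.com OCSP/CRL/issuer URLs and the passphrase are constructed placeholders; both x509_extensions and req_extensions stay set in [ req ] and -extensions v3_ca is passed explicitly instead of doing the post's edit-and-undo dance; -batch, -passin and -subj replace the interactive prompts; -addext needs OpenSSL 1.1.1 or later.

```shell
# Added example (not from the original post): a throwaway OpenSSL CA built
# the way the post describes, plus a pre-signing gate for the
# copy_extensions=copy risk.  Assumptions: the example.com URLs, names and
# passphrase are constructed placeholders; -addext needs OpenSSL >= 1.1.1.
set -eu
CA_PASS="${CA_PASS:-constructed-demo-passphrase}"

# CA config for the absolute CA directory $1; \$dir is left for OpenSSL to expand.
write_ca_config() {
  cat <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 3650
policy = policy_match
x509_extensions = usr_cert
copy_extensions = copy
[ policy_match ]
organizationName = match
commonName = supplied
[ req ]
default_bits = 4096
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
[ req_distinguished_name ]
O = Example Org
CN = Example Org Root CA
[ usr_cert ]
basicConstraints = CA:FALSE
authorityInfoAccess = @ocsp_info
crlDistributionPoints = @crl_info
[ ocsp_info ]
caIssuers;URI.0 = http://ca.example.com/cacert.pem
OCSP;URI.0 = http://ocsp.example.com/
[ crl_info ]
URI.0 = http://ca.example.com/ca.crl
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com, DNS:example.com
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,cRLSign,keyCertSign
EOF
}

# Working tree, DB files and config, as the post lists them.
init_ca_dir() {
  mkdir -p "$1/private" "$1/certs" "$1/crl" "$1/newcerts"
  chmod 700 "$1/private"
  touch "$1/index.txt"
  echo 1000 > "$1/serial"
  write_ca_config "$1" > "$1/ca.cnf"
}
# Encrypted CA key, then the self-signed CA cert with v3_ca.
make_ca_cert() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/private/cakey.pem" 4096 2>/dev/null
  openssl req -new -x509 -days 7305 -extensions v3_ca -config "$1/ca.cnf" \
    -key "$1/private/cakey.pem" -passin "pass:$CA_PASS" -out "$1/cacert.pem"
}
# 0 if the CSR asks for CA powers.  usr_cert pins basicConstraints, but
# anything it leaves unset (keyUsage, SAN) is copied verbatim from the CSR.
csr_claims_ca_powers() {
  openssl req -in "$1" -noout -text | grep -Eq 'CA:TRUE|Certificate Sign'
}
# Sign CSR $2 into $3, but only after the gate passes.
sign_csr() {
  if csr_claims_ca_powers "$2"; then
    echo "refusing to sign $2: it requests CA extensions" >&2; return 1
  fi
  openssl ca -batch -notext -config "$1/ca.cnf" -passin "pass:$CA_PASS" -in "$2" -out "$3"
}
# 0 if cert $1 carries a DNS SAN for $2 (copied from the CSR).
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
# End to end in $1: a normal v3_req CSR, then one that also asks for CA:TRUE.
ca_demo() {
  command -v openssl >/dev/null 2>&1 || return 0
  init_ca_dir "$1"; make_ca_cert "$1"
  openssl genrsa -out "$1/server.key" 4096 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/server.key" \
    -subj "/O=Example Org/CN=www.example.com" -out "$1/server.csr"
  sign_csr "$1" "$1/server.csr" "$1/server.pem"
  cert_has_san "$1/server.pem" www.example.com
  openssl req -new -config "$1/ca.cnf" -key "$1/server.key" -subj "/O=Example Org/CN=www.example.com" \
    -addext "basicConstraints=critical,CA:TRUE" -out "$1/rogue.csr"
  if sign_csr "$1" "$1/rogue.csr" "$1/rogue.pem"; then echo "BUG: signed rogue CSR" >&2; return 1; fi
}
CA_BASE="$(mktemp -d)"
ca_demo "$CA_BASE"
```

Run it as `sh` with openssl on the PATH; the CA lands in a fresh temp directory and `openssl verify -CAfile "$CA_BASE/cacert.pem" "$CA_BASE/server.pem"` should report OK. The gate is the important part: with copy mode on, the config wins only for extensions it sets itself (basicConstraints here), so a request for keyCertSign in keyUsage would otherwise be copied into the signed cert unchanged.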

A Man a plan a wall a wan al-panama

It all started with a relatively simple goal… get networking to what would be my new office.  Additionally, cable and phone would be required.

Progress was slow, but eventually I got to the last few feet of the project: the wall.  All of the cables were within ~8-10 feet (all vertical) of their destination; all that was left was a quick drop down an interior wall.  What could be easier?  To make it even easier, I decided to just drop it down next to the power that was already there, so no new holes in the headers.

Then the first trouble… there’s apparently a fire break in the wall? (Keep note of this; it’s important, and we’ll come back to it later.)  Evaluate the fire break, punch yet another hole in the wall (at this point I am up to about a dozen total: there are 4 in the ceiling (2 in the closet for getting cables from the front of the building, 2 in the main room: one for getting cables from the closet across the hall, one directly over where I intend to drop them down; one in the closet across the hall), one at the bottom of the wall where I intend to put the wall jack, and now one at the location of the ‘fire break’).  As I went up from that fire break I hit another fire break (?!?!).  The hole count is quickly growing, and the old plaster wall’s integrity is rapidly degrading, as is the effort required to effectively patch this growing Swiss-cheesed wall.

So now I make the decision: just take it down and do it right.  Sadly I didn’t think to take a before picture, but here I am a couple of hours into it.



Now pay attention to that.  See where those wires come down?  That and ~4 feet down are the only places in the wall that have the ‘fire break’.  Going even one bay to the left (or 2 to the right) I would have been golden… but of course there was no way to know that.

Too late to turn back now, I continue with the demolition.


Now unfortunately you cannot really see it from that picture, but in both locations where there is a break in the studs there is another one ~3 feet up.


Completely demoed, I now begin the reconstruction phase.  The studs are rough cut and not entirely true (though much better than I expected); additionally I need to make up about 1″ of total width to line up with the existing door frame and molding (old lath + scratch coat + brown coat + plaster = 1″ +/-).  The solution to both of these issues is 1×3 furring strips and 1/2″ drywall.


Here we have the furring strips going up, shimmed in a few locations to make up for the different depths of the studs (but really, not too bad overall).



Furring strips completely up, I now need to start hanging the drywall.  The first piece is probably one of the most important and difficult in this case; you can see on the right where there is a notch that needs to be taken out (that part of the wall was already drywall and under the crown molding, so I decided to leave it in).  What you don’t see in this pic is that the left-hand side also has a notch in it from the top of the door.




Here is a closeup of the notch on the right.



And another of the notch on the left.  I left that relatively small area of plaster above the door, as it was going to be a pain to deal with all of the molding.  In the ceiling you can see one of the holes, and if you look carefully you can see the bundle of Cat5e.



Those cuts came out fantastically well; I had very little to work with, as I couldn’t assume the wall was true, and those were cuts as is, first try, no touch-ups.

The overzealous grid was because the studs are not quite equally spaced, and I wanted to make sure I didn’t screw onto a stud (because that’s where the furring strips were already screwed in), and this made a very nice *fzzp* *fzzp* *fzzzp* for attaching the drywall.

The second panel was the easiest.  It was the only one that didn’t require *any* cutting at all.  Hang and go.



Next up was the bottom panel of the wall.  This was an 8-foot cut of varying height (about 1 foot) and a wall box cutout.


The next panel, the upper right, would require 2 cuts.  The top mated up against the existing drywall (mostly true), and on the right a very untrue wall.  This one was cut so closely that I had to go back over the product marking tape and trim off any stragglers, since it was within the thickness of a piece of paper.  For the bottom two I gave myself a bit more room.


And finally the taping begins!



And where we are now… taped, mudded, to be sanded… and then primed!