Implementing A Linux Root CA In A Windows Domain

Implementing a public key infrastructure involves many steps and procedures that are imperative to its success but fall outside the scope of this write-up. Specifics such as adding A records to a DNS server for domain name resolution will not be covered.

Before Starting: The planning and design phase of this process is the most important to ensuring the success of your efforts. A good resource to help with understanding the design and planning of a PKI can be found here. Although Microsoft focused, this was a valuable resource in my PKI implementation.

Overview

Steps

  1. Configure a Linux server as a root CA
  2. Add the IIS role to a Windows server and set up a virtual directory as the CDP
  3. Add the Active Directory Certificate Services role to the Windows server that will act as the subordinate CA
  4. Sign the subordinate CA’s CSR on the Linux root CA
  5. Issue a CRL from the Linux root CA
  6. Import and install certificates on subordinate CA and IIS CDP
Components

      • Windows Domain Controller
      • Linux offline root CA
      • Windows intermediate CA (Server 2012 R2 or later)
      • Windows IIS server

      Configure the Linux Offline Root CA

      First install the openssl package if it is not already installed.

      Create the following directories and files:

      mkdir -p ca/{certs,csr,newcerts,private}
      touch ca/index.txt
      echo 0001 > ca/serial
      echo 0001 > ca/crlnumber
      chmod 700 ca/private
      

      Create and modify an openssl config file

      Copy the following configuration file to the ca directory (the commands below refer to it as ca.cnf) and modify the ROOT_CA_FILENAME, HTTP_HOST, and HTTP_HOST_DIR variables to suit your environment.

      
      # OpenSSL Configuration File
      
      ROOT_CA_FILENAME=rootca
      HTTP_HOST=pki.example.com
      HTTP_HOST_DIR=crld
      
      [ ca ]
      # `man ca`
      default_ca = CA_default
      
      [ CA_default ]
      # Directory and file locations (dir must be the ca directory created above).
      dir               = /root/ca
      certs             = $dir/certs
      new_certs_dir     = $dir/newcerts
      database          = $dir/index.txt
      serial            = $dir/serial
      RANDFILE          = $dir/private/.rand
      
      # The root key and root certificate.
      private_key       = $dir/private/$ROOT_CA_FILENAME.key.pem
      certificate       = $dir/certs/$ROOT_CA_FILENAME.cert.pem
      
      # For certificate revocation lists.
      crlnumber         = $dir/crlnumber
      crl               = $dir/$ROOT_CA_FILENAME.crl.pem
      crl_extensions    = crl_ext
      default_crl_days  = 30
      
      # SHA-1 is deprecated, so use SHA-2 instead.
      default_md        = sha256
      
      name_opt          = ca_default
      cert_opt          = ca_default
      default_days      = 375
      preserve          = no
      policy            = policy_any
      
      
      [ policy_any ]
      # Allow the intermediate CA to sign a more diverse range of certificates.
      # See the POLICY FORMAT section of the `ca` man page.
      countryName             = optional
      stateOrProvinceName     = optional
      localityName            = optional
      organizationName        = optional
      organizationalUnitName  = optional
      commonName              = supplied
      emailAddress            = optional
      
      [ req ]
      # Options for the `req` tool (`man req`).
      default_bits        = 4096
      distinguished_name  = req_distinguished_name
      string_mask         = utf8only
      
      # SHA-1 is deprecated, so use SHA-2 instead.
      default_md          = sha256
      
      # Extension to add when the -x509 option is used.
      x509_extensions     = v3_ca
      
      [ req_distinguished_name ]
      # See .
      countryName                     = Country Name (2 letter code)
      stateOrProvinceName             = State or Province Name
      localityName                    = Locality Name
      0.organizationName              = Organization Name
      organizationalUnitName          = Organizational Unit Name
      commonName                      = Common Name
      emailAddress                    = Email Address
      
      # Optionally, specify some defaults.
      countryName_default             = 
      stateOrProvinceName_default     = 
      localityName_default            =
      0.organizationName_default      = 
      organizationalUnitName_default  =
      emailAddress_default            =
      
      [ v3_ca ]
      # Extensions for a typical CA (`man x509v3_config`).
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer
      basicConstraints = critical, CA:true
      keyUsage = critical, digitalSignature, cRLSign, keyCertSign
      
      [ v3_intermediate_ca ]
      # Extensions for a typical intermediate CA (`man x509v3_config`).
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer
      basicConstraints = critical, CA:true, pathlen:0
      keyUsage = critical, digitalSignature, cRLSign, keyCertSign
      authorityInfoAccess = caIssuers;URI:http://$HTTP_HOST/$HTTP_HOST_DIR/$ROOT_CA_FILENAME.crt
      crlDistributionPoints = URI:http://$HTTP_HOST/$HTTP_HOST_DIR/$ROOT_CA_FILENAME.crl
      
      [ usr_cert ]
      # Extensions for client certificates (`man x509v3_config`).
      basicConstraints = CA:FALSE
      nsCertType = client, email
      nsComment = "OpenSSL Generated Client Certificate"
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid,issuer
      keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
      extendedKeyUsage = clientAuth, emailProtection
      
      [ server_cert ]
      # Extensions for server certificates (`man x509v3_config`).
      basicConstraints = CA:FALSE
      nsCertType = server
      nsComment = "OpenSSL Generated Server Certificate"
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid,issuer:always
      keyUsage = critical, digitalSignature, keyEncipherment
      extendedKeyUsage = serverAuth
      
      [ crl_ext ]
      # Extension for CRLs (`man x509v3_config`).
      authorityKeyIdentifier=keyid:always
      
      [ ocsp ]
      # Extension for OCSP signing certificates (`man ocsp`).
      basicConstraints = CA:FALSE
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid,issuer
      keyUsage = critical, digitalSignature
      extendedKeyUsage = critical, OCSPSigning
      

      Generate the key pair

      openssl genrsa -aes256 -out ca/private/rootca.key.pem 4096
      chmod 400 ca/private/rootca.key.pem 
      

      Create the root certificate

      openssl req -config ca/ca.cnf \
            -key ca/private/rootca.key.pem \
            -new -x509 -days 3600 -sha256 -extensions v3_ca \
            -out ca/certs/rootca.cert.pem
      
      chmod 444 ca/certs/rootca.cert.pem
      
      

      You will be prompted for some information following the above command. You can enter a period (.) to leave a field blank. Be sure to use a descriptive name for the CN prompt, such as “Company INC Root Certificate Authority”.

      Set up a virtual directory in IIS

      On the Windows server that will act as the CDP, install the IIS role if it is not already installed. The FQDN of the IIS server must resolve to whatever you used for the HTTP_HOST variable in the openssl config file.

      To set up the virtual directory:

      1. Open IIS Manager
      2. Expand the containers in the left-hand pane to “Default Site”, right click “Default Site” and select “add virtual directory”
      3. For the alias, enter what you used for the HTTP_HOST_DIR variable in the openssl config file (crld in the example config).
      4. For the physical path, either select or make a new directory you’d like to use as the CDP
      5. Click OK
      6. Back in IIS Manager, with the new virtual directory selected in the left pane, select directory browsing from the middle pane
      7. Click enable in the right pane
      8. With the virtual directory still selected, select configuration editor in the middle pane
      9. In the drop-down menu, select system.webServer>>security>>requestFiltering
      10. Set allowDoubleEscaping to True

      You may be required to modify the permissions on the new virtual directory if revocation checking fails when you start the intermediate Windows CA.

      Set up the Windows intermediate CA

      Before continuing, if you have not already set up DNS records for the IIS server and Windows intermediate CA, do so now.

      This is a good time to import the root CA certificate we created to the intermediate CA.

      To import the root CA certificate:

      1. After copying over the root certificate, rename it with the .crt extension. Be sure to use the extension that was used in the openssl config file for the authorityInfoAccess.
      2. Open a new mmc
      3. Add the certificates snap-in for the computer account
      4. Right click the trusted root certificate authority container and select import
      5. Browse to where you copied over the root CA certificate.
      6. Click OK

      Install and configure AD CS

      1. Install the “Active Directory Certificate Services” role on the Windows server that will act as the intermediate CA
      2. Install the management features as well
      3. When configuring the CA, select Enterprise CA, then select subordinate CA
      4. When prompted, select generate a new key pair, generate a Microsoft RSA key using SHA256, and set the key length to 4096. This will generate a CSR file (*.req) on the C: drive.
      5. Copy the CSR over to the root CA

      On the root CA, run the following from the ca directory to sign the CSR:

      openssl ca -out subca.crt -notext -days 1825 -extensions v3_intermediate_ca -config ./ca.cnf -infiles your-sub-ca-csr.req
      

      Now generate a CRL

      openssl ca -gencrl -out rootca.crl -config ca.cnf
      

      Now copy the CRL over to the IIS server, saving it to the virtual directory created earlier. Also copy the signed sub CA certificate to the Windows certificate authority. After copying the CRL file to the IIS server, be sure to change its extension to match what you used for the crlDistributionPoints setting in the openssl config file.

      Back on the Windows intermediate CA

      1. Open the certificate authority tool
      2. Right click the CA in the left hand pane and select install CA certificate
      3. Navigate to sub CA certificate and click ok.

      The AD CS role should now be active on the Windows intermediate CA.
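
A pre-flight check for the files produced by the signing and CRL steps above, as an added example that is not part of the original write-up. The function name check_subca and its argument order are assumptions; it only uses the openssl x509 and openssl verify commands and is meant to be run on the root CA before subca.crt and rootca.crl are copied to the Windows servers.

```shell
#!/bin/sh
# Added example: pre-flight check run on the root CA before subca.crt and
# rootca.crl are copied to the Windows servers. Names here are assumptions.
#
# check_subca ROOT_CERT SUBCA_CERT CRL_FILE CDP_URL AIA_URL
check_subca() {
    root=$1; sub=$2; crl=$3; cdp=$4; aia=$5; rc=0
    text=$(openssl x509 -in "$sub" -noout -text 2>/dev/null) ||
        { echo "FAIL: cannot parse $sub"; return 1; }
    has() { printf '%s\n' "$text" | grep -qF -- "$1"; }

    # v3_intermediate_ca: a CA certificate that may not sign further CAs.
    has 'CA:TRUE, pathlen:0' ||
        { echo "FAIL: basicConstraints is not CA:TRUE, pathlen:0"; rc=1; }
    # default_md = sha256: reject a SHA-1 signature.
    if has 'Signature Algorithm: sha1'; then
        echo "FAIL: certificate is signed with SHA-1"; rc=1
    fi
    # The embedded URLs must be the ones the IIS virtual directory serves,
    # including the .crl/.crt extensions the files are renamed to.
    has "URI:$cdp" ||
        { echo "FAIL: CRL distribution point $cdp not in certificate"; rc=1; }
    has "CA Issuers - URI:$aia" ||
        { echo "FAIL: AIA caIssuers $aia not in certificate"; rc=1; }
    # Chain and revocation check against the CRL that will be published:
    # fails if the CRL is missing, expired, not signed by the root, or
    # already lists the subordinate CA as revoked.
    openssl verify -crl_check -CAfile "$root" -CRLfile "$crl" "$sub" \
        >/dev/null 2>&1 ||
        { echo "FAIL: chain or CRL verification failed"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $sub passes all checks"
    return "$rc"
}
```

With the example values from the config above, the call from the ca directory would be `check_subca certs/rootca.cert.pem subca.crt rootca.crl http://pki.example.com/crld/rootca.crl http://pki.example.com/crld/rootca.crt`.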

Arch Linux and Ubuntu Security Advisories, WordPress version 4.7.4 released, and Pegasus spyware found on Android Devices

Arch Linux ASA-201704-6

Date: 2017-04-21

CVE ID:

CVE-2017-5429 CVE-2017-5430 CVE-2017-5432 CVE-2017-5433
CVE-2017-5434 CVE-2017-5435 CVE-2017-5436 CVE-2017-5437
CVE-2017-5438 CVE-2017-5439 CVE-2017-5440 CVE-2017-5441
CVE-2017-5442 CVE-2017-5443 CVE-2017-5444 CVE-2017-5445
CVE-2017-5446 CVE-2017-5447 CVE-2017-5448 CVE-2017-5449
CVE-2017-5451 CVE-2017-5453 CVE-2017-5454 CVE-2017-5455
CVE-2017-5456 CVE-2017-5458 CVE-2017-5459 CVE-2017-5460
CVE-2017-5461 CVE-2017-5464 CVE-2017-5465 CVE-2017-5466
CVE-2017-5467 CVE-2017-5468 CVE-2017-5469


Firefox versions before 53.0-1 are vulnerable to multiple issues including arbitrary code execution, cross-site scripting, access restriction bypass, file system access, denial of service, information disclosure, and content spoofing.

Resolution

pacman -Syu "firefox>=53.0-1"

Link: AVG-249

Ubuntu has released a similar advisory.

Arch Linux Security Advisory ASA-201704-4

Date: 2017-04-20

CVE ID: CVE-2017-5461

The package nss (Network Security Services) before version 3.30.1-1 is vulnerable to arbitrary code execution.

Link: AVG-247

Ubuntu Bind

Date: April 17, 2017

CVE ID: CVE-2017-3136, CVE-2017-3137, CVE-2017-3138

Several security issues have been fixed on the bind9 Internet Domain Name Server package on affected Ubuntu versions.

Link: Ubuntu Bind Security Notice

Pegasus Spyware Found on Android Devices

A variant of the Pegasus spyware is being found on some Android devices.

Link: Pegasus Spyware on Android

WordPress 4.7.4 Update

Released April 20th, 2017

Link: WordPress Change Log

Ubuntu 18.04 switching back to GNOME, Broadcom WiFi chip vulnerabilities, and Brickerbot malware

Ubuntu 18.04 Default Desktop

In a post on the 5th of April, Canonical and Ubuntu founder Mark Shuttleworth announced the end of investment in Unity8, the phone and convergence shell, and that Ubuntu 18.04 will ship with the GNOME desktop by default.

Further on, the post states that Canonical’s focus will be IoT and the cloud.

For more:

Mark Shuttleworth: Growing Ubuntu for cloud and IoT, rather than phone and convergence

Broadcom Vulnerabilities

Millions of Apple and Android devices, which carry the Broadcom Wi-Fi chip, are vulnerable to over-the-air hacking.

Described as a stack buffer overflow, the vulnerability was discovered by Google’s Project Zero and is said to allow remote code execution on the affected devices.

For more:

TheHackerNews: Smart Phones Broadcom Wifi Chip Vulnerabilities

Brickerbot Malware Kills IoT Devices

Similar to Mirai, the botnet malware that targets vulnerable IoT devices, Brickerbot uses the same TELNET brute-force attack vector.

Brickerbot targets Linux-based IoT devices running the BusyBox toolkit. Once inside the operating system, the code scrambles onboard memory, flushes IP and NAT tables, sets the outbound firewall rule to drop, and, for the final nail in the coffin, tries to wipe all code on the affected devices.

For more:

TheRegister: Forget Mirai, Here’s Brickerbot

Arch Linux Security Advisory: jasper multiple vulnerabilities, Ubuntu 12.04 end of life

Arch Linux put out a security advisory on March 14 for multiple vulnerabilities found in jasper. The vulnerabilities have been patched. You can update your Arch machine by running:

pacman -Syu "jasper>=2.0.12-1"

For more:
Arch Linux: ASA-201703-9

Ubuntu announces end of life for Precise Pangolin, which will be on April 28, 2017. If you want to keep getting security and essential package updates for Pangolin machines that just can’t be upgraded, you can join the Ubuntu Advantage program.
For more:
Ubuntu: 12.04 End of Life and Ubuntu Advantage

Google: First SHA1 Collision, Cloudflare Memory Leak Incident Report

At security.googleblog.com, they went over the SHA-1 collision from last week:
“Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision.”
For more:
security.googleblog

Cloudflare released a report on the memory leak incident from late last week.
In some circumstances, their edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens and more. The report goes on to cover the fix and details about the issue. For more:
Cloudflare: Incident Report on Memory Leak Caused by Cloudflare Parser Bug

Kernel Vulnerabilities Fixed In Ubuntu, Virginia Supreme Court: License Plate Surveillance, and Supertux Racer on Steam Greenlight

Multiple vulnerabilities have been found in the Ubuntu 16.04 LTS Linux 4.4 kernel. The recent update to 16.04.2 uses the 16.10 (Yakkety) Linux 4.8 kernel. So if you made the jump to 16.04.2 then check this out:
Ubuntu 16.10 Security issue
CVE-2016-9588: a flaw in the kernel’s implementation of KVM, discovered by Jim Mattson and Dmitry Vyukov.
UbuntuFree: New Ubuntu Vulnerabilities

EFF Reports VA Supreme Court Should Protect Drivers from License Plate Surveillance

You can vote for Supertux Racer now at Steam Greenlight below.
Steam:Supertux Racer

Ubuntu 16.04.2 LTS released, Arch Linux ending i686 support, AnC side-channel attack, and OpenSSL update.

Arch Linux’s February ISO is to be the last release with i686 support, and will only receive updates for the next nine months. According to Archlinux.org, this is due to decreasing popularity among devs and the community. The people at Arch are encouraging anyone still interested to “keep it alive” with some guidance from the Arch team.

Arch:Phasing out i686

Over at Vusec they document a side-channel attack, which can detect which locations in the page table are accessed by the memory management unit. The attack takes advantage of the cache hierarchy of modern processors being shared by untrusted applications. More details in the link below.

Vusec:AnC attack

OpenSSL 1.1.0 updates to 1.1.0e.

OpenSSL:1.1.0e update

Ubuntu releases 16.04.2 LTS.

Ubuntu:16.04.2 released