Setup a CA compatible with eduroam requisites

Author

Sami Ait Ali Oulahcen

Published

June 13, 2024

The objective here is to have a private CA for eduroam that carries all the extensions needed for the certificates to work on the different operating systems supported by the CAT tool.

1. Create Certification Authority

First we’ll need to create a configuration file for the CA. Let’s create a working directory for the CA and place the file ca-param.cnf there.

CANAME=MARWAN-CA
mkdir $CANAME
cd $CANAME
/root/MARWAN-CA/ca-param.cnf
[ ca ]
default_ca          = MARWAN-CA

[ req ]
distinguished_name  = dn
default_bits            = 4096
default_md              = sha256
x509_extensions     = ext

[ dn ]
countryName                     = Country Name (2 letter code)
countryName_default             = MA
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Rabat-Sala-Kenitra
localityName                    = Locality Name (eg, city)
localityName_default            = Rabat
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = MARWAN
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  =
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_default              = ca.marwan.ma
emailAddress                    = Email Address
emailAddress_default            =

[ ext ]
basicConstraints=CA:TRUE,pathlen:0
crlDistributionPoints=URI:http://ca.marwan.ma/crl.der
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

[ MARWAN-CA ]
dir             = /root/MARWAN-CA
certs           = $dir
crl_dir         = $dir
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir
certificate     = $dir/MARWAN-CA.crt
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/MARWAN-CA.key
default_days    = 365
default_md      = sha256
crl_extensions  = crl_ext
default_crl_days= 30
policy          = policy_match

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ crl_ext ]
authorityKeyIdentifier  = keyid:always

1.2 Enabling CRL

To enable the CRL, the CA needs its database file index.txt, together with the serial and crlnumber files referenced in the configuration above.

touch index.txt serial
touch crlnumber
echo 01 > serial
echo 1000 > crlnumber

Now we generate the CA private key and the self-signed CA certificate:

CANAME=MARWAN-CA
DOMAIN=university.ac.ma
mkdir $CANAME
cd $CANAME
CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
"
openssl req -config <(echo "$CONFIG") -new -newkey rsa:4096 -nodes \
    -subj "/CN=MARWAN-CA/C=MA/ST=Rabat/L=Rabat/O=MARWAN" \
    -x509 -days 3000 -extensions ext \
    -keyout MARWAN-CA.key -out MARWAN-CA.crt

Let’s install the CA locally:

cp $CANAME.crt /etc/pki/ca-trust/source/anchors/$CANAME.crt
update-ca-trust

2. Create the CSR and EXT files for our server certificate

Let’s create a server SSL certificate that we will sign with the root CA.

The EXT file will contain some certificate extensions that are required by some applications. Modify it according to your needs.

$DOMAIN.v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = eduroam.uni.ac.ma
DNS.2 = radius.uni.ac.ma

Now we generate the server key and CSR; you can leave the email and challenge password empty.

openssl genrsa  -out $DOMAIN.key 4096
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr

3. Sign the server certificate with our CA.

openssl x509 -req -days 390 -in $DOMAIN.csr -CA $CANAME.crt -CAkey $CANAME.key -out $DOMAIN.crt -CAcreateserial -sha256 -extfile $DOMAIN.v3.ext

To check that the server certificate is correct, let’s run the command:

openssl x509 -in $DOMAIN.crt -noout -text | head
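A more thorough check than head gives, as an added example that is not part of the original post: the script below builds a throwaway CA and server certificate in a temporary directory, using the same extension sets as ca-param.cnf and $DOMAIN.v3.ext (the example.test hostnames are constructed), and then verifies the chain, the SAN entry, the serverAuth EKU, CA:FALSE, expiry, and the CA's CRL distribution point. The check_server_cert function can be pointed at your own $CANAME.crt and $DOMAIN.crt.

```shell
#!/bin/bash
# Added example, not from the original post: throwaway CA + server cert with the
# tutorial's extension sets, then a checker. example.test names are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki() {
  # CA config mirroring the [ ext ] section of ca-param.cnf
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
[dn]
[ext]
basicConstraints = CA:TRUE,pathlen:0
crlDistributionPoints = URI:http://ca.example.test/crl.der
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
  openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes -x509 -days 30 \
    -subj "/CN=TEST-CA/O=Example" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Server extensions mirroring $DOMAIN.v3.ext
  cat > "$WORK/srv.ext" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:eduroam.example.test,DNS:radius.example.test
EOF
  openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=radius.example.test" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null
}
# check_server_cert CA CERT HOST: returns 0 only if every check passes
check_server_cert() {
  local ca=$1 cert=$2 host=$3 text
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "chain to CA: FAIL"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -qF -- "DNS:$host" || { echo "SAN $host: FAIL"; return 1; }
  echo "$text" | grep -q "TLS Web Server Authentication" || { echo "EKU serverAuth: FAIL"; return 1; }
  echo "$text" | grep -q "CA:FALSE" || { echo "basicConstraints CA:FALSE: FAIL"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "expiry: FAIL"; return 1; }
  openssl x509 -in "$ca" -noout -text | grep -q "CRL Distribution Points" || { echo "CA CRL DP: FAIL"; return 1; }
  echo "all checks passed for $host"
}
make_test_pki
check_server_cert "$WORK/ca.crt" "$WORK/srv.crt" radius.example.test
```

Run against the CA produced by the inline CONFIG above, the last check fails, because that config only sets basicConstraints; the crlDistributionPoints, subjectKeyIdentifier and authorityKeyIdentifier extensions live in the [ ext ] section of ca-param.cnf.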

If you need DH parameters, generate them with the following command:

openssl dhparam -check -text -5 -out /etc/raddb/certs/dh 1024

4. Configure auto-renewal for the certificate

To make our life easier, let’s configure a cron job to auto-renew the certificate. First, let’s write a script for the renew command and name it renew-$DOMAIN-cert.sh:

#!/bin/bash
CANAME=MARWAN-CA
DOMAIN=radius.marwan.ma
# Stop if the CA directory is missing instead of signing in the wrong place
cd /root/$CANAME || exit 1
# Re-sign the existing CSR with the CA; the server key and CSR are reused
openssl x509 -req -days 390 -in $DOMAIN.csr -CA $CANAME.crt -CAkey $CANAME.key -out $DOMAIN.crt -CAcreateserial -sha256 -extfile $DOMAIN.v3.ext

And now we make it executable

chmod +x renew-$DOMAIN-cert.sh

Then we configure a cron job to execute the script. I’ve chosen to run it every 3 months, but you can tune it to your liking. Run crontab -e and paste the following content:

# 13:46 on the 1st of every third month; cron does not expand $CANAME, so the full path is used
46 13 1 */3 * /root/MARWAN-CA/renew-radius-cert.sh