Making the internal root ca offline



  • Doing some reading about managing certs, number of times it is mention that the root CA should be offline.  How can this be accomplished with pfsense?

    I'm thinking
    1- create root ca
    2- create intermediary ca
    3- download root ca cert & key; save to secure location
    3- delete the root ca from pfsense?


  • Rebel Alliance Global Moderator

    "3- download root ca cert & key; save to secure location"

    Last time I checked my firewall was a pretty secure location ;)

    What exactly are you issuing certs from this CA for?  If it was some public CA.. Ok might be prudent to take some extra steps.  But for example I use this ca to create certs for my own use.. My own internal devices that use https for their web gui, I issue certs off it for my devices that join my wifi via eap-tls, and vpn clients, etc.

    If someone compromised my firewall - the lack of integrity of my CA would be the least of the troubles to be honest.



  • @johnpoz:

    "3- download root ca cert & key; save to secure location"

    Last time I checked my firewall was a pretty secure location ;)

    What exactly are you issuing certs from this CA for?  If it was some public CA.. Ok might be prudent to take some extra steps.  But for example I use this ca to create certs for my own use.. My own internal devices that use https for their web gui, I issue certs off it for my devices that join my wifi via eap-tls, and vpn clients, etc.

    If someone compromised my firewall - the lack of integrity of my CA would be the least of the troubles to be honest.

    point taken, but still would like to know if this is possible.

    My setup is the same, it's all just internal certs.


  • Rebel Alliance Global Moderator

    sure its possible.. Create the CA, export it.. Then if you need it again reimport it.  But seems like a bunch of trouble for really no point.



  • @Journer:

    Doing some reading about managing certs, number of times it is mention that the root CA should be offline.  How can this be accomplished with pfsense?

    I'm thinking
    1- create root ca
    2- create intermediary ca
    3- download root ca cert & key; save to secure location
    3- delete the root ca from pfsense?

    The theory is that a CA is gold.  If it is compromised, it breaks all the trust out there.  The only secure CA is a CA in a locked room, powered down, and with no one having access to the keys.  It's never patched, or turned on.  It's job was to create the initial certificates- from that point on, it's never seen again.

    Simplistically that is… it's much more complicated than that.

    I think the easiest way to explain is to show you the opposite-

    https://arstechnica.com/information-technology/2015/06/stuxnet-spawn-infected-kaspersky-using-stolen-foxconn-digital-certificates/


  • Rebel Alliance Global Moderator

    Dude I understand what a CA is… But we are not talking a public freaking CA.. We are talking a CA that create a handful of local certs.. Which sits on his firewall - which is pretty freaking close to locked room!!



  • @johnpoz:

    Dude I understand what a CA is… But we are not talking a public freaking CA.. We are talking a CA that create a handful of local certs.. Which sits on his firewall - which is pretty freaking close to locked room!!

    Yeah, sorry about that.  I'd been explaining crypto all day to people at work that couldn't understand what was being done.  I got into a lecturer mode.

    Still, could make the root CA on a new or different HD or even a bootable USB stick, do the work, export the certs, then pull the stick.  That's pretty secure too.



  • @purduephotog:

    @johnpoz:

    Dude I understand what a CA is… But we are not talking a public freaking CA.. We are talking a CA that create a handful of local certs.. Which sits on his firewall - which is pretty freaking close to locked room!!

    Yeah, sorry about that.  I'd been explaining crypto all day to people at work that couldn't understand what was being done.  I got into a lecturer mode.

    Still, could make the root CA on a new or different HD or even a bootable USB stick, do the work, export the certs, then pull the stick.  That's pretty secure too.

    I know the feeling. Every so often we ask another company to send us their public key and they send us their private+public key pair where their private is a wild-card EV cert from Verisign.  It saddens me so many don't understand such basic concepts.



  • @Harvy66:

    @purduephotog:

    @johnpoz:

    Dude I understand what a CA is… But we are not talking a public freaking CA.. We are talking a CA that create a handful of local certs.. Which sits on his firewall - which is pretty freaking close to locked room!!

    Yeah, sorry about that.  I'd been explaining crypto all day to people at work that couldn't understand what was being done.  I got into a lecturer mode.

    Still, could make the root CA on a new or different HD or even a bootable USB stick, do the work, export the certs, then pull the stick.  That's pretty secure too.

    I know the feeling. Every so often we ask another company to send us their public key and they send us their private+public key pair where their private is a wild-card EV cert from Verisign.  It saddens me so many don't understand such basic concepts.

    I got another nice one. A large org (about 100B usd yearly turnaround) gave us the public key for their root and sub ca:s. The only problem? Their ca:s had 50 year lifespans and no CRL paths specified…....