I am working on better securing my server from all these attacks.  So I decided I would recreate a root certificate authority and then an intermediate. My web sites use Godaddy certificates because they are accessed from the internet.  Those certificates are on SSL Deep Inspection.

I created two servers called rootca.scsiraidguru.local and interca.scsiraidguru.local.  

Building a Root CA and an Intermediate CA using OpenSSL and Debian Stretch

I followed the link above and build my two CAs and did the chains.  I migrated both to p7b files for Windows to use.  I added them into their respective certificate folders.  Both certificates are OK.  My next project is the certificate for MariaDB.

I created two servers rootca and interca.  I fully patched both servers.
Sudo apt-get update
Sudo apt-get dist-upgrade

Edit /etc/hosts and supply ip, FQDN, and name for both servers on each one. Check hostname and hostname -f to make sure they are configured correctly.  sudo reboot and autoclean/autoremove them.

Install ntp and configure it

sudo apt-get install ntp

interface listen IPv4
server ntp.ubuntu.com
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

Remove the IPv6 entries.

sudo /etc/init.d/ntp restart or sudo reboot

ntpq -p
remote refid st t when poll reach delay offset jitter
0.ubuntu.pool.n .POOL. 16 p – 64 0 0.000 0.000 0.000
1.ubuntu.pool.n .POOL. 16 p – 64 0 0.000 0.000 0.000
2.ubuntu.pool.n .POOL. 16 p – 64 0 0.000 0.000 0.000
3.ubuntu.pool.n .POOL. 16 p – 64 0 0.000 0.000 0.000
ntp.ubuntu.com .POOL. 16 p – 64 0 0.000 0.000 0.000
alphyn.canonica .INIT. 16 u – 1024 0 0.000 0.000 0.000
clock.trit.net .INIT. 16 u – 1024 0 0.000 0.000 0.000
eterna.binary.n .INIT. 16 u – 1024 0 0.000 0.000 0.000
tock.eoni.com .INIT. 16 u – 1024 0 0.000 0.000 0.000 ( .INIT. 16 u – 1024 0 0.000 0.000 0.000

ntpq -p refuses connection you have a conflict.

sudo systemctl show ntp.service | grep Conflicts
Conflicts=shutdown.target systemd-timesyncd.service


sudo systemctl status systemd-timesyncd.service
systemd-timesyncd.service – Network Time Synchronization
Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-07-12 05:17:21 UTC; 18min ago

dpkg -S /lib/systemd/system/systemd-timesyncd.service
systemd: /lib/systemd/system/systemd-timesyncd.service

sudo systemctl disable systemd-timesyncd.service
Removed /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service.

I usually sudo reboot

I started with the rootca server


# create root CA directory structure

mkdir /root/ca
cd /root/ca
mkdir newcerts certs crl private requests
touch index.txt
touch index.txt.attr
echo ‘1000’ > serial

# root ca key

openssl genrsa -aes256 -out private/ca.scsiraidguru.key.pem 4096

# root ca certificate

openssl req -config openssl_root.cnf -new -x509 -sha512 -extensions v3_ca -key /root/ca/private/ca.scsiraidguru.key.pem -out /root/ca/certs/ca.scsiraidguru.crt.pem -days 10950 -set_serial 0

Install Root CA cert on server

sudo mkdir /usr/share/ca-certificates/extra
sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt

convert to crt
openssl x509 -outform der -in foo.pem -out foo.crt

sudo dpkg-reconfigure ca-certificates 

Create the Intermediate CA 

Make sure you setup the FDQN, NTP first

# create the intermediate CA directory structure

mkdir /root/ca/intermediate
cd /root/ca/intermediate
mkdir certs newcerts crl csr private
touch index.txt
touch index.txt.attr
echo 1000 > /root/ca/intermediate/crlnumber
echo ‘1234’ > serial

Edit vim /usr/lib/ssl/openssl.cnf

On both servers.  You will need to convert the pem files to crt files to import.  See bottom of page.

# create the intermediate CA key and csr for intermediate certificate

openssl req -config /root/ca/intermediate/openssl_intermediate.cnf -new -newkey rsa:4096 -keyout /root/ca/intermediate/private/int.scsiraidguru.key.pem -out /root/ca/intermediate/csr/int.scsiraidguru.csr

# intermediate ca certificate

openssl ca -config /root/ca/openssl_root.cnf -extensions v3_intermediate_ca -days 10950 -notext -md sha512 -in /root/ca/intermediate/csr/int.scsiraidguru.csr -out /root/ca/intermediate/certs/int.scsiraidguru.crt.pem

#Creating the certificate chain

cd /root/ca
cat intermediate/certs/int.scsiraidguru.crt.pem certs/ca.scsiraidguru.crt.pem > intermediate/certs/chain.scsiraidguru.crt.pem

When you are done you have:

root CA key:  /root/ca/private/ca.scsiraidguru.key.pem
root CA certificate:   /root/ca/certs/ca.scsiraidguru.crt.pem

intermediate CA key:  /root/ca/intermediate/private/int.scsiraidguru.key.pem
Intermediate CA certificate:  /root/ca/intermediate/certs/int.scsiraidguru.crt.pem

Chain of Root CA and Intermediate CA certificates:   /root/ca/intermediate/certs/chain.scsiraidguru.crt.pem

# Convert PEM to P7B : Windows don’t like PEM files.  You want to test it convert them to P7B files.

openssl crl2pkcs7 -nocrl -certfile chain.scsiraidguru.crt.pem -out chain.scsiraidguru.crt.p7b -certfile /root/ca/certs/ca.scsiraidguru.crt.pem

openssl crl2pkcs7 -nocrl -certfile ca.scsiraidguru.crt.pem -out ca.scsiraidguru.crt.p7b -certfile /root/ca/certs/ca.scsiraidguru.crt.pem

openssl crl2pkcs7 -nocrl -certfile mariadb.scsiraidguru.local.crt.pem -out mariadb.scsiraidguru.local.crt.p7b -certfile /root/ca/certs/ca.scsiraidguru.crt.pem

# Convert PEM to CRT files

openssl x509 -outform der -in chain.scsiraidguru.crt.pem -out chain.scsiraidguru.crt