In the last blog post we discussed how to add our Root CA to our VMs, and we used copy and paste to distribute the certificate. That is error-prone, and we can improve on it.

Today we will set up a web server that publishes not only our CA certificate but also our certificate revocation list (CRL), so every client has one stable place to fetch both from.

As in my last post I will use PowerCLI for all vSphere tasks. So let's create a new VM from the template that already carries our Root CA.

PS /home/bfrenzel> $ds = Get-Datastore -Name datastore2
PS /home/bfrenzel> $vmhost = Get-VMHost -Name '10.7.92.40'
PS /home/bfrenzel> $spec = Get-OSCustomizationSpec -Name 'CentOS 8'
PS /home/bfrenzel> $template = Get-Template -Name template-centos-8-with-root-ca
PS /home/bfrenzel> New-VM -Name ca-web -Template $template -VMHost $vmhost -Datastore $ds -OSCustomizationSpec $spec                                                     
Name                 PowerState Num CPUs MemoryGB                      
----                 ---------- -------- --------                       
ca-web               PoweredOff 1        2.000       

Now we need to get the IP address of the VM and ssh into it.

PS /home/bfrenzel> (Get-VM 'ca-web').Guest.IPAddress
10.7.87.106
fe80::250:56ff:feba:be4a
PS /home/bfrenzel> ssh labuser@10.7.87.106


On the new VM we need to install a web server. My personal choice is nginx, so I will use it, but Apache httpd or anything else will work as well. Opening plain http in the firewall is the part that matters: a CRL distribution point is fetched over HTTP, because a client that still needs the CRL to validate a certificate cannot be asked to validate a TLS certificate first. https is opened too for convenience, but nothing below depends on it.

[root@ca-web ~]# dnf -y install nginx
[root@ca-web ~]# systemctl enable --now nginx
[root@ca-web ~]# firewall-cmd --permanent --zone=public --add-service http 
success
[root@ca-web ~]# firewall-cmd --permanent --zone=public --add-service https
success
[root@ca-web ~]# firewall-cmd --reload
success

The next steps are performed on the Root CA VM.

First we generate an SSH key so the causer account can log in to the web server remotely. Note the direction: the CA pushes to the web server, so publishing never requires an inbound connection to the CA host. An RSA key of 8192 bits is slow to generate and to use; `ssh-keygen -t ed25519` is an equally good choice. Whichever account you copy the key to must be the one the sync script logs in as (the script below uses root, so either copy the key for root as well or set webserveruser to labuser and make the web root writable for that user).

[causer@root-ca ~]$ ssh-keygen -b 8192 
[causer@root-ca ~]$ ssh-copy-id labuser@10.7.87.106

Now we create a script that copies the files to our new web server.

[causer@root-ca ~]$ vim .local/bin/ca-sync.sh
#!/usr/bin/env bash
# Copy the public CA material to the web server. Exit on the first error so
# a failed sync from cron is reported instead of silently half-publishing.
set -euo pipefail

webserver="10.7.87.106"
webserveruser="root"          # must be the account ssh-copy-id installed the key for
webpath="/usr/share/nginx/html"
pkipath="${HOME}/pki"

scp "${pkipath}/ca.crt" "${webserveruser}@${webserver}:${webpath}/"
ssh "${webserveruser}@${webserver}" chmod a+r "${webpath}/ca.crt"

After creating the script and making it executable (chmod +x), we can do the initial sync.

[causer@root-ca ~]$ ca-sync.sh 
ca.crt                                                                                                100% 1923     1.0MB/s   00:00  

Finally we create a cron job for the causer, so the CA related files are republished regularly. Every five minutes keeps the published copy close to what the CA holds; because the script exits on error, a failed run shows up in cron's mail to causer rather than leaving a stale CRL online unnoticed.

[causer@root-ca ~]$ crontab -l
*/5 * * * * $HOME/.local/bin/ca-sync.sh
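As an added example, not the post's own ca-sync.sh, here is the fuller version of the script I would run from cron once the CRL is involved. It assumes the PEM CRL is at $HOME/pki/crl.pem (the post never names the CRL file), that openssl and GNU date are installed on the CA host, and that the SSH key was installed for the account in webserveruser. It verifies the CRL signature against ca.crt and refuses a CRL whose nextUpdate has passed (a stale CRL makes strict clients reject every certificate and lets soft-fail clients silently skip revocation checking), converts the CRL to DER because RFC 5280 requires a DER CRL behind an HTTP distribution point, and swaps the files into the web root with mv so a client never downloads a partially written file. It is invoked as ca-sync.sh sync; with no argument it only defines its functions.

```shell
#!/usr/bin/env bash
# ca-sync.sh, extended version (added example, not the post's script).
# Publishes the CA certificate and the CRL, but refuses to publish a CRL that
# is not signed by our CA or is already past its nextUpdate.
# Assumptions: the PEM CRL is at "$pkipath/crl.pem" (the post never names it),
# GNU date and openssl are installed, and the key was copied for $webserveruser.
set -eu

webserver="${WEBSERVER:-10.7.87.106}"
webserveruser="${WEBSERVERUSER:-root}"
webpath="${WEBPATH:-/usr/share/nginx/html}"
pkipath="${PKIPATH:-$HOME/pki}"

# verify_crl CA_CERT CRL: returns 0 if CRL is signed by CA_CERT and not expired.
verify_crl() {
    local ca="$1" crl="$2" out next now next_epoch
    # openssl crl prints "verify OK"/"verify failure" on stderr, and older
    # releases exit 0 either way, so check the message rather than the status.
    out=$(openssl crl -verify -noout -in "$crl" -CAfile "$ca" 2>&1 || true)
    case "$out" in
        *"verify OK"*) ;;
        *) echo "CRL $crl is not signed by $ca: $out" >&2; return 1 ;;
    esac
    next=$(openssl crl -noout -nextupdate -in "$crl" | sed 's/^nextUpdate=//')
    next_epoch=$(date -u -d "$next" +%s 2>/dev/null) \
        || { echo "cannot parse nextUpdate '$next'" >&2; return 1; }
    now=$(date -u +%s)
    if [ "$next_epoch" -le "$now" ]; then
        echo "CRL $crl expired: nextUpdate=$next" >&2
        return 1
    fi
}

# stage_files DIR: copy the checked files into DIR, world-readable.
# The CRL is published DER-encoded, as RFC 5280 requires for HTTP
# distribution points; the certificate stays PEM as in the post.
stage_files() {
    local stage="$1"
    verify_crl "$pkipath/ca.crt" "$pkipath/crl.pem" || return 1
    install -m 0644 "$pkipath/ca.crt" "$stage/ca.crt"
    openssl crl -in "$pkipath/crl.pem" -outform DER -out "$stage/ca.crl"
    chmod 0644 "$stage/ca.crl"
}

# publish DIR: upload into a temporary directory on the web server, then
# mv each file into place so a client never fetches a half-written CRL.
publish() {
    local stage="$1" remote="${webserveruser}@${webserver}" tmp
    tmp="${webpath}/.ca-sync.$$"
    ssh "$remote" "mkdir -p '$tmp'"
    scp -q "$stage"/* "$remote:$tmp/"
    ssh "$remote" "for f in '$tmp'/*; do mv -f \"\$f\" '$webpath/'; done && rmdir '$tmp'"
}

# Run as "ca-sync.sh sync" from cron; with no argument only the functions
# are defined, which keeps the file sourceable for testing.
case "${1:-}" in
    sync)
        stage=$(mktemp -d)
        trap 'rm -rf "$stage"' EXIT
        stage_files "$stage"
        publish "$stage"
        ;;
esac
```

The matching crontab line becomes `*/5 * * * * $HOME/.local/bin/ca-sync.sh sync`. The checks are what make the cron job safe to forget about: if the CA stops regenerating its CRL, the script stops publishing and cron mails the error, instead of re-uploading an expired CRL every five minutes.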