U4enik
asked on
How to generate certificates for SSL client authentication
Hello,
I have my own test server. I generated a self-signed certificate for it. Now I want to issue a client-side certificate for client authentication. Here is what I did:
Server:
*********************
openssl req -config openssl.cnf -new -out server.csr -keyout privkey.pem
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
*********************
Client:
*********************
C:\OpenSSL\bin>openssl req -config openssl.cnf -new -out "client/client.csr" -keyout "client/privkey.pem"
C:\OpenSSL\bin>openssl rsa -in "client/privkey.pem" -out "client/client.key"
C:\OpenSSL\bin>openssl x509 -in "client/client.csr" -out "client/client.crt" -req -signkey "server.key" -days 365
*********************
Though it looks like client/client.key and client/client.crt do not match.
Am I doing something wrong?
Thanks in advance!
ASKER CERTIFIED SOLUTION
ASKER
>> create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.
Does this mean that if I later switch to a real CA certificate issued by some authority, I will have to send each client signing request to that CA? Will I not be able to grant access to the clients on my own?
No. Normally, client access certificates are signed by you, even if your SERVER certificate is signed by a CA.
In that case, you would still issue client certificates based on client CSRs, but your server CSR would be sent to a commercial CA.
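The trust structure the answer describes, as an added example that is not from this thread: the thread uses the openssl CLI, while this uses Go's standard crypto/x509 library with constructed names ("Test CA", "server.test", "alice", "bob"). One private CA signs both the server and the client certificate; a server that trusts only that CA accepts the CA-signed client certificate, and a client certificate signed with the server's own key instead is rejected as an unknown authority, which is the failure the asker later reports as "alert unknown ca".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on err to keep the demo short
	if err != nil { panic(err) }
	return v
}

// issue makes a key pair and a certificate for cn. parent == nil gives a self-signed
// CA ("openssl req -x509"); otherwise parent/parentKey sign the cert ("openssl ca").
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku}, // serverAuth or clientAuth for leaves, any for the CA
	}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo builds the hierarchy the answer recommends and reports what a server that trusts
// only the CA certificate says about a CA-signed client cert (nil) and one signed with the server key.
func Demo() (signedByCA, signedByServer error) {
	ca, caKey := issue("Test CA", x509.ExtKeyUsageAny, nil, nil)
	server, serverKey := issue("server.test", x509.ExtKeyUsageServerAuth, ca, caKey)
	alice, _ := issue("alice", x509.ExtKeyUsageClientAuth, ca, caKey)
	bob, _ := issue("bob", x509.ExtKeyUsageClientAuth, server, serverKey) // the mistake: server.key as signer
	roots := x509.NewCertPool() // the server's CA file holds only the CA certificate
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, signedByCA = alice.Verify(opts)
	_, signedByServer = bob.Verify(opts)
	return
}
```

Demo() returns both verification results rather than printing them so a test or a main() can check them; the second one is an x509.UnknownAuthorityError, the Go equivalent of the TLS "unknown ca" alert.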
ASKER
Thank you very much for the recommendations. Could you please review the code, and I will close the question.
********************* server **************************
openssl genrsa -des3 -out certs2/ca.key 1024
openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer
C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out certs2/serverreq.pem
C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything -infiles certs2/serverreq.pem
********************* client **************************
C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.key -out certs2/clientreq.pem
C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client.crt -keyfile certs2/server.key -cert certs2/server.crt -policy policy_anything -infiles certs2/clientreq.pem
**************************
Thanks again!
ASKER
Well, it looks like there is something wrong anyway.
I used ca.cer (from the script above) as the CA for both the server and the client. It says "alert unknown ca".
What can be wrong now? I tried to follow your instructions.
ASKER
This one should be correct?
********************* server **************************
openssl genrsa -des3 -out certs2/ca.key 1024
openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer
C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out certs2/serverreq.pem
C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything -infiles certs2/serverreq.pem
********************* client **************************
C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.key -out certs2/clientreq.pem
C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client2.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything -infiles certs2/clientreq.pem
ASKER
Thank you very much!