How to generate certificates for SSL client authentication

Hello,

I have my own test server. I generated a self-signed certificate for it. Now I want to issue a client-side certificate for client authentication. Here is what I did:

Server:
*********************
openssl req -config openssl.cnf -new -out server.csr -keyout privkey.pem

openssl rsa -in privkey.pem -out server.key

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
*********************
Client:
*********************
C:\OpenSSL\bin>openssl req -config openssl.cnf -new -out "client/client.csr" -keyout "client/privkey.pem"

C:\OpenSSL\bin>openssl rsa -in "client/privkey.pem" -out "client/client.key"

C:\OpenSSL\bin>openssl x509 -in "client/client.csr" -out "client/client.crt" -req -signkey "server.key" -days 365
*********************

Though it looks like client/client.key and client/client.crt do not match.

Am I doing something wrong?

Thanks in advance!
U4enik Asked:

Dave Howe (Software and Hardware Engineer) Commented:
no, what you want is to create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

openssl is the classic way to do this, but tbh most people (me included) use xca (http://sourceforge.net/projects/xca ) to do it in a nice, easy gui :)
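As an added example (not code from the thread, and not the xca tool Dave mentions), the script below builds the self-signed CA he describes, signs a server CSR and a client CSR with it, and then runs the two checks that catch the failures reported in this thread: a certificate whose public key does not match its private key (what `-signkey server.key` produced in the question) and a certificate that does not chain to the CA (what the server reports as `alert unknown ca`). It uses `openssl x509 -req -CA` instead of `openssl ca`, so no conf.txt, index or serial directory setup is needed; it assumes `openssl` is on PATH and that a writable directory is passed as the argument.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl on PATH, and a
# writable directory passed as $1. Uses "openssl x509 -req -CA" instead of
# "openssl ca", so no conf.txt / index.txt / serial setup is needed.
set -e

# Does the public key inside a certificate equal the public half of a private
# key? Returns 0 when they match. This is the test that fails for the original
# post's client.crt, which was produced with "-signkey server.key".
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build ca.key/ca.crt, then server and client key/CSR/cert pairs in $1, all
# signed by the CA. Prints "ok" and returns 0 only if every cert matches its
# key and chains to ca.crt (a cert that does not chain is what produces
# "alert unknown ca" during the TLS handshake).
build_and_verify() {
    d="$1"
    mkdir -p "$d"

    # 1. Self-signed CA key/cert pair: the single trust anchor for both sides.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null

    for name in server client; do
        # 2. Fresh key plus CSR for each end entity.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        # 3. Sign the CSR with the CA key (never with server.key).
        openssl x509 -req -days 365 -in "$d/$name.csr" -CA "$d/ca.crt" \
            -CAkey "$d/ca.key" -CAcreateserial -out "$d/$name.crt" 2>/dev/null
        # Check A: the issued cert carries the CSR's key, not the signer's.
        cert_matches_key "$d/$name.crt" "$d/$name.key" || {
            echo "$name: certificate does not match its private key"; return 1; }
    done

    # Check B: both leaf certs must verify against the CA the peer trusts.
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client.crt" >/dev/null \
        || { echo "chain does not lead to ca.crt"; return 1; }
    echo ok
}
```

Point the server at ca.crt as its trusted client CA and hand out client.crt/client.key; swapping server.crt for a commercially issued certificate later does not change the client side, since clients still chain to your own ca.crt.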
U4enik (Author) Commented:
Sorry, but does your answer mean that all I wrote is correct?
U4enik (Author) Commented:
>> create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

Does this mean that if later I switch to a real CA operated by some authority, then I will have to send each client signing request to that CA? Will I not be able to grant access to the clients on my own?
Dave Howe (Software and Hardware Engineer) Commented:
no. normally, client access certificates are signed by you, even if your SERVER certificate is signed by a CA.

in that case, you would still issue client certificates based on client CSR, but your server csr would be sent to a commercial ca.
U4enik (Author) Commented:
Thank you very much for recommendations. Could you please review the code and I will close the question.

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.key -out certs2/clientreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client.crt -keyfile certs2/server.key -cert certs2/server.crt -policy policy_anything -infiles certs2/clientreq.pem

******************************************************

Thanks again!

U4enik (Author) Commented:
Well, looks like there is something wrong anyway.

I used ca - ca.cer (from script above) as a ca both for server and client. It says "alert unknown ca"

What can be wrong now? I tried to follow your instructions.
U4enik (Author) Commented:
This one should be correct?

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.key -out certs2/clientreq.pem


C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client2.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything -infiles certs2/clientreq.pem
U4enik (Author) Commented:
Thank you very much!