Solved

How to generate certificates for SSL client authentication

Posted on 2009-07-01
8
1,727 Views
Last Modified: 2012-05-07
Hello,

I have my own test server. I generated a self signed certificate for it. Now I want to issue a client side sertificate for client authentication. Here is what I did:

Server:
*********************
openssl req -config openssl.cnf -new -out server.csr -keyout privkey.pem

openssl rsa -in privkey.pem -out server.key

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
*********************
Client:
*********************
C:\OpenSSL\bin>openssl req -config openssl.cnf -new -out "client/client.csr" -keyout "client/privkey.pem"

C:\OpenSSL\bin>openssl rsa -in "client/privkey.pem" -out "client/client.key"

C:\OpenSSL\bin>openssl x509 -in "client/client.csr" -out "client/client.crt" -req -signkey "server.key" -days 365
*********************

Though it looks like client/client.key and client/client.crt do not match.

Am I doing smth wrong?

Thanks in advance!
0
Comment
Question by:U4enik
  • 6
  • 2
8 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 24761068
no, what you want is to create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

openssl is the classic way to do this, but tbh most people (me included) use xca (http://sourceforge.net/projects/xca ) to do it in a nice, easy gui :)
0
 

Author Comment

by:U4enik
ID: 24761322
Sorry, but does your answer mean that all I wrote is correct?
0
 

Author Comment

by:U4enik
ID: 24761406
>> create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

Does this mean that if later I switch to real CA issued by some authority then I will have to send each client signing request to that CA? Will not be able grant access to the clients on my own?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 33

Expert Comment

by:Dave Howe
ID: 24762455
no. normally, client access certificates are signed by you, even if your SERVER certificate is signed by a CA.

in that case, you would still issue client certificates based on client CSR, but your server csr would be sent to a commercial ca.
0
 

Author Comment

by:U4enik
ID: 24766121
Thank you very much for recommendations. Could you please review the code and I will close the question.

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out

certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert

certs2/ca.cer -policy policy_anything  -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.ke
y -out certs2/clientreq.pem


C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client.crt -keyfi
le certs2/server.key -cert certs2/server.crt -policy policy_anything  -infiles c
erts2/clientreq.pem

******************************************************

Thanks again!

0
 

Author Comment

by:U4enik
ID: 24766279
Well, looks like like is something wrong anyway

I used ca - ca.cer (from script above) as a ca both for server and client. It says "alert unknown ca"

What can be wrong now? I tried to follow your instructions.
0
 

Author Comment

by:U4enik
ID: 24766596
This one should be correct?

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out

certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert

certs2/ca.cer -policy policy_anything  -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.ke
y -out certs2/clientreq.pem


C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client2.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything  -infiles certs2/clientreq.pem
0
 

Author Closing Comment

by:U4enik
ID: 31599011
Thank you very much!
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. Understand and compare the most popular email encryption services for Google A…
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question