Solved

How to generate certificates for SSL client authentication

Posted on 2009-07-01
8
1,716 Views
Last Modified: 2012-05-07
Hello,

I have my own test server. I generated a self signed certificate for it. Now I want to issue a client side sertificate for client authentication. Here is what I did:

Server:
*********************
openssl req -config openssl.cnf -new -out server.csr -keyout privkey.pem

openssl rsa -in privkey.pem -out server.key

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
*********************
Client:
*********************
C:\OpenSSL\bin>openssl req -config openssl.cnf -new -out "client/client.csr" -keyout "client/privkey.pem"

C:\OpenSSL\bin>openssl rsa -in "client/privkey.pem" -out "client/client.key"

C:\OpenSSL\bin>openssl x509 -in "client/client.csr" -out "client/client.crt" -req -signkey "server.key" -days 365
*********************

Though it looks like client/client.key and client/client.crt do not match.

Am I doing smth wrong?

Thanks in advance!
0
Comment
Question by:U4enik
  • 6
  • 2
8 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
Comment Utility
no, what you want is to create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

openssl is the classic way to do this, but tbh most people (me included) use xca (http://sourceforge.net/projects/xca ) to do it in a nice, easy gui :)
0
 

Author Comment

by:U4enik
Comment Utility
Sorry, but does your answer mean that all I wrote is correct?
0
 

Author Comment

by:U4enik
Comment Utility
>> create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

Does this mean that if later I switch to real CA issued by some authority then I will have to send each client signing request to that CA? Will not be able grant access to the clients on my own?
0
 
LVL 33

Expert Comment

by:Dave Howe
Comment Utility
no. normally, client access certificates are signed by you, even if your SERVER certificate is signed by a CA.

in that case, you would still issue client certificates based on client CSR, but your server csr would be sent to a commercial ca.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:U4enik
Comment Utility
Thank you very much for recommendations. Could you please review the code and I will close the question.

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out

certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert

certs2/ca.cer -policy policy_anything  -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.ke
y -out certs2/clientreq.pem


C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client.crt -keyfi
le certs2/server.key -cert certs2/server.crt -policy policy_anything  -infiles c
erts2/clientreq.pem

******************************************************

Thanks again!

0
 

Author Comment

by:U4enik
Comment Utility
Well, looks like like is something wrong anyway

I used ca - ca.cer (from script above) as a ca both for server and client. It says "alert unknown ca"

What can be wrong now? I tried to follow your instructions.
0
 

Author Comment

by:U4enik
Comment Utility
This one should be correct?

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out

certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert

certs2/ca.cer -policy policy_anything  -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.ke
y -out certs2/clientreq.pem


C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client2.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything  -infiles certs2/clientreq.pem
0
 

Author Closing Comment

by:U4enik
Comment Utility
Thank you very much!
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now