Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How to generate certificates for SSL client authentication

Posted on 2009-07-01
8
Medium Priority
?
1,747 Views
Last Modified: 2012-05-07
Hello,

I have my own test server. I generated a self signed certificate for it. Now I want to issue a client side sertificate for client authentication. Here is what I did:

Server:
*********************
openssl req -config openssl.cnf -new -out server.csr -keyout privkey.pem

openssl rsa -in privkey.pem -out server.key

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
*********************
Client:
*********************
C:\OpenSSL\bin>openssl req -config openssl.cnf -new -out "client/client.csr" -keyout "client/privkey.pem"

C:\OpenSSL\bin>openssl rsa -in "client/privkey.pem" -out "client/client.key"

C:\OpenSSL\bin>openssl x509 -in "client/client.csr" -out "client/client.crt" -req -signkey "server.key" -days 365
*********************

Though it looks like client/client.key and client/client.crt do not match.

Am I doing smth wrong?

Thanks in advance!
0
Comment
Question by:U4enik
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
8 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 2000 total points
ID: 24761068
no, what you want is to create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

openssl is the classic way to do this, but tbh most people (me included) use xca (http://sourceforge.net/projects/xca ) to do it in a nice, easy gui :)
0
 

Author Comment

by:U4enik
ID: 24761322
Sorry, but does your answer mean that all I wrote is correct?
0
 

Author Comment

by:U4enik
ID: 24761406
>> create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

Does this mean that if later I switch to real CA issued by some authority then I will have to send each client signing request to that CA? Will not be able grant access to the clients on my own?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 33

Expert Comment

by:Dave Howe
ID: 24762455
no. normally, client access certificates are signed by you, even if your SERVER certificate is signed by a CA.

in that case, you would still issue client certificates based on client CSR, but your server csr would be sent to a commercial ca.
0
 

Author Comment

by:U4enik
ID: 24766121
Thank you very much for recommendations. Could you please review the code and I will close the question.

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out

certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert

certs2/ca.cer -policy policy_anything  -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.ke
y -out certs2/clientreq.pem


C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client.crt -keyfi
le certs2/server.key -cert certs2/server.crt -policy policy_anything  -infiles c
erts2/clientreq.pem

******************************************************

Thanks again!

0
 

Author Comment

by:U4enik
ID: 24766279
Well, looks like like is something wrong anyway

I used ca - ca.cer (from script above) as a ca both for server and client. It says "alert unknown ca"

What can be wrong now? I tried to follow your instructions.
0
 

Author Comment

by:U4enik
ID: 24766596
This one should be correct?

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out

certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert

certs2/ca.cer -policy policy_anything  -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.ke
y -out certs2/clientreq.pem


C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client2.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything  -infiles certs2/clientreq.pem
0
 

Author Closing Comment

by:U4enik
ID: 31599011
Thank you very much!
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question