asked on

How to generate certificates for SSL client authentication

Hello,

I have my own test server. I generated a self signed certificate for it. Now I want to issue a client side sertificate for client authentication. Here is what I did:

Server:
*********************
openssl req -config openssl.cnf -new -out server.csr -keyout privkey.pem

openssl rsa -in privkey.pem -out server.key

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
*********************
Client:
*********************
C:\OpenSSL\bin>openssl req -config openssl.cnf -new -out "client/client.csr" -keyout "client/privkey.pem"

C:\OpenSSL\bin>openssl rsa -in "client/privkey.pem" -out "client/client.key"

C:\OpenSSL\bin>openssl x509 -in "client/client.csr" -out "client/client.crt" -req -signkey "server.key" -days 365
*********************

Though it looks like client/client.key and client/client.crt do not match.

Am I doing smth wrong?

Thanks in advance!

ASKER CERTIFIED SOLUTION

Dave Howe

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

U4enik

ASKER

Sorry, but does your answer mean that all I wrote is correct?

U4enik

ASKER

>> create a self-signed *CA* key/cert pair, then use it to sign both a server csr and a client csr.

Does this mean that if later I switch to real CA issued by some authority then I will have to send each client signing request to that CA? Will not be able grant access to the clients on my own?

Dave Howe

no. normally, client access certificates are signed by you, even if your SERVER certificate is signed by a CA.

in that case, you would still issue client certificates based on client CSR, but your server csr would be sent to a commercial ca.

U4enik

ASKER

Thank you very much for recommendations. Could you please review the code and I will close the question.

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out

certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert

certs2/ca.cer -policy policy_anything -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.ke
y -out certs2/clientreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client.crt -keyfi
le certs2/server.key -cert certs2/server.crt -policy policy_anything -infiles c
erts2/clientreq.pem

******************************************************

Thanks again!

U4enik

ASKER

Well, looks like like is something wrong anyway

I used ca - ca.cer (from script above) as a ca both for server and client. It says "alert unknown ca"

What can be wrong now? I tried to follow your instructions.

U4enik

ASKER

This one should be correct?

********************* server ****************************

openssl genrsa -des3 -out certs2/ca.key 1024

openssl req -config openssl.cnf -new -x509 -days 1001 -key certs2/ca.key -out certs2/ca.cer

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/server.key -out

certs2/serverreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/server.crt -keyfile certs2/ca.key -cert

certs2/ca.cer -policy policy_anything -infiles certs2/serverreq.pem

********************* client ****************************

C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout certs2/client.ke
y -out certs2/clientreq.pem

C:\OpenSSL\bin>openssl ca -config conf.txt -notext -out certs2/client2.crt -keyfile certs2/ca.key -cert certs2/ca.cer -policy policy_anything -infiles certs2/clientreq.pem

U4enik

ASKER

Thank you very much!