Create the client certificate

Create a certificate whose identity can be validated by clients.

In this task you create your own root certificate authority and certificate using the OpenSSL command line tool.

  1. Create the root certificate authority that signs other certificates.
    1. Create the root certificate authority serial file.
      $ echo 01 > MyCompanyCA.srl

      This command creates a serial file with the initial hexadecimal value 01. OpenSSL uses this file to track the serial numbers of the certificates it creates, incrementing the value each time a certificate is signed. The serial file is given the same base name as the CA certificate with the extension .srl, which is where openssl x509 looks for it by default when signing with -CA.

    2. Create the Certificate Signing Request (CSR) and private key (pem).
      $ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem
      Follow the instructions to create the CSR. This command creates a pem file containing the private key of the CSR. The key is encrypted, so you are prompted for a passphrase for it. You are then prompted to identify the subject of the certificate – to provide a Distinguished Name (DN) for it – in a series of prompts. These are examples of what the prompts look like:
      Country Name (2 letter code) [AU]:FR
      State or Province Name (full name) [Some-State]:.
      Locality Name (eg, city) []:.
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
      Organizational Unit Name (eg, section) []:.
      Common Name (e.g. server FQDN or YOUR name) []:
      Email Address []:.

      The most important field in the DN is the Common Name (CN), which should have the exact Fully Qualified Domain Name (FQDN) of the host that you intend to use the certificate with. For instance, if the URL of the server is https://www.MyServer.com/fastcgi/ws/r/MyWebService, the CN must be www.MyServer.com. In the other fields, you provide additional details about your organization, which may be needed if you are purchasing an SSL certificate from a certificate authority.

      Two files are created: the CSR MyCompanyCA.csr and a private key file called MyCompanyCA.pem. The private key file of a root certificate authority must be handled with care, because it is the key that signs every certificate the CA issues and it is needed to create future certificates. As a result, it must not be accessible by other users.

    3. Create a root certificate authority certificate from the CSR that is valid for 2 years, and that is signed by the private key created in step 1b.
      (line breaks added for document readability)
      $ openssl x509 -trustout -in MyCompanyCA.csr
       -out MyCompanyCA.crt -req -signkey MyCompanyCA.pem
       -days 730
      You are prompted for the passphrase for MyCompanyCA.pem.
      The root certificate authority certificate is output in MyCompanyCA.crt.
  2. Create a client certificate signed by the new root certificate authority.
    1. Create the CSR and private key.
      $ openssl req -new -out MyServer.csr -keyout privkey.pem

      Follow the instructions to create the CSR. This command creates a pem file containing the private key of the CSR. The key is encrypted, so you are prompted for a passphrase for it. You are then prompted to identify the subject of the certificate – to provide a Distinguished Name (DN) for it – in a series of prompts.

      The most important field is the Common Name. This should not be the same as the common name used for the CA certificate created in Step 1b. Typically, it should contain the hostname of the machine where the certificate is installed.

      The purpose of the client's certificate is to identify the client to any server; therefore, the subject of the certificate must correspond to the client's identity as it is known by the servers.

      Two files are created, MyServer.csr and a private key file called privkey.pem.

    2. Remove the password from the RSA private key.
      $ openssl rsa -in privkey.pem -out MyServer.pem
      You are prompted for the passphrase for privkey.pem.
      The unprotected private key is output in MyServer.pem.
    3. Create a certificate from the CSR that is valid for 365 days, and that is signed by the root certificate authority created in step 1.
      (line breaks added for document readability)
      $ openssl x509 -in MyServer.csr -out MyServer.crt -req
         -CA MyCompanyCA.crt
         -CAkey MyCompanyCA.pem -days 365
      You are prompted for the passphrase for MyCompanyCA.pem.
      The certificate is output in MyServer.crt.

    Most servers do not check the identity of their clients. For these servers, the client's certificate does not need to be trusted; it is only used for data encryption purposes. If, however, the server performs client identification, the client's certificate must be issued by a Certificate Authority that the server trusts completely to vouch for the validity of client certificates.

    To import the certificate into a keystore, you can bundle the certificate and its private key into a PKCS#12 file. See Import a certificate and its private key into the Windows key store.
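The whole procedure above, run non-interactively so it can be scripted and checked, as an added example that is not part of the original page. It assumes openssl is on PATH; the DN values and the passphrases are constructed sample values, and the final verification step (chain check plus key/certificate match) is added on top of the documented commands.

```shell
#!/bin/sh
# Added example: CA creation and client certificate signing in one function.
# Assumptions: openssl on PATH; DN values and passphrases are constructed samples.
set -eu

CA_PASS="pass:ca-sample-passphrase"          # constructed sample, not a real secret
CSR_PASS="pass:client-sample-passphrase"     # constructed sample, not a real secret

# Builds the CA and a client certificate inside $1 (a scratch directory).
# The body is a subshell so the cd does not leak into the caller; any failure
# exits the subshell with a non-zero status, so the function returns 0 only
# when the signed client certificate verifies against the CA.
make_client_cert() (
  mkdir -p "$1" && cd "$1"

  # Step 1a: serial file that openssl x509 -CA reads (CA cert base name + .srl).
  echo 01 > MyCompanyCA.srl

  # Step 1b: CA CSR and encrypted private key; -subj replaces the DN prompts.
  openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem \
    -passout "$CA_PASS" -subj "/C=FR/O=MyCompany/CN=MyCompany Root CA" 2>/dev/null

  # Step 1c: self-signed CA certificate valid for 2 years (the page's -trustout
  # is omitted so the CA certificate stays in plain CERTIFICATE PEM format).
  openssl x509 -req -in MyCompanyCA.csr -signkey MyCompanyCA.pem \
    -passin "$CA_PASS" -days 730 -out MyCompanyCA.crt 2>/dev/null

  # Step 2a: client CSR and encrypted key, with a CN different from the CA's.
  openssl req -new -out MyServer.csr -keyout privkey.pem \
    -passout "$CSR_PASS" -subj "/C=FR/O=MyCompany/CN=www.MyServer.com" 2>/dev/null

  # Step 2b: strip the passphrase, then restrict both key files to the owner.
  openssl rsa -in privkey.pem -passin "$CSR_PASS" -out MyServer.pem 2>/dev/null
  chmod 600 MyServer.pem MyCompanyCA.pem

  # Step 2c: sign the client CSR with the CA; the serial comes from MyCompanyCA.srl.
  openssl x509 -req -in MyServer.csr -CA MyCompanyCA.crt -CAkey MyCompanyCA.pem \
    -passin "$CA_PASS" -days 365 -out MyServer.crt 2>/dev/null

  # Check 1: the client certificate must chain to the CA certificate.
  openssl verify -CAfile MyCompanyCA.crt MyServer.crt >/dev/null 2>&1 || exit 1
  # Check 2: the unprotected key must be the one the certificate was issued for.
  crt_pub=$(openssl x509 -in MyServer.crt -noout -pubkey)
  key_pub=$(openssl pkey -in MyServer.pem -pubout 2>/dev/null)
  [ "$crt_pub" = "$key_pub" ] || exit 1
)

# Prints the issuer DN of a certificate, e.g. to confirm who signed MyServer.crt.
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}
```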

What to do next

Configure your FGLPROFILE file for the client certificate. See Configure for the client certificate.