Create the client certificate

Generate a root certificate authority that signs a client certificate.

In this task you create your own root certificate authority and client certificate using the OpenSSL command line tool.

  1. Create the root certificate authority.
    1. Create the root certificate authority serial file.
      $ echo 01 >

      This command creates a serial file with an initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates. The serial file is typically given the same name as the CA with the extension .srl.

    2. Create the Certificate Signing Request (CSR) and private key (pem).
      $ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem

      Follow the instructions to create the CSR.

    3. Create the Root Certificate Authority certificate and key for a period of validity of 2 years.
      (line breaks added for document readability)
      $ openssl x509 -trustout -in MyCompanyCA.csr
       -out MyCompanyCA.crt -req -signkey MyCompanyCA.pem
       -days 730

      The private key file (MyCompanyCA.pem) of a Root Certificate Authority must be handled with care. This file is responsible for the validity of all other certificates it has signed. As a result, it must not be accessible by other users.

  2. Create the client's X.509 certificate and private key.
    1. Create the client's Certificate Signing Request (CSR) and private key.
      $ openssl req -new -out MyClient.csr

      Follow the instructions to create the CSR. This command also creates a private-key file (pem) containing the RSA private key of the CSR certificate protected by a password. By default, openssl outputs the private key in the privkey.pem file. If you want to specify a different file name, or if your openssl version does not output the private key by default, add -keyout <myprivkey>.pem to the command.

    2. Remove the password from the RSA private key.
      $ openssl rsa -in privkey.pem -out MyClient.pem
      The unprotected private key is output in MyClient.pem.
    3. Create the client's certificate (self-signed X.509 certificate valid for a period of 1 year) trusted by the Root Certificate Authority created in step 1 .

      (line breaks added for document readability)

      $ openssl x509 -in MyClient.csr -out MyClient.crt -req
        -CA MyCompanyCA.crt
       -CAkey MyCompanyCA.pem -days 365

      Most servers do not check the identity of the clients. For these servers, the client's certificate does not necessarily need to be trusted; it is only used for data encryption purpose. If, however, the server performs client identification, you must trust a Certificate Authority in which it has total confidence concerning the validity of the client's certificates.

      The purpose of the client's certificate is to identify the client to any server; therefore the subject of the certificate must correspond to the client's identity as it is known by the servers.

      To import the certificate in a keystore you can create a pkcs12 certificate. See Import a certificate and its private key into the Windows key store.

What to do next

Configure your FGLPROFILE file for the client certificate. See Configure for the client certificate.