You generate a client certificate and configure your application to use it. For production
systems, you add the configuration details to fglprofile.
During development, if you do not have the certificate information in your fglprofile, Genero
creates a certificate for you. When you move into production, however, a certificate is
provided for you rather than generated by Genero, and you must add the certificate information
to the fglprofile.
-
Create the root certificate authority.
-
Create the root certificate authority serial file.
$ echo 01 > MyCompanyCA.srl
-
Create the Root Authority's Certificate Signing Request and private key.
$ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem
-
Create the Root Certificate Authority certificate, self-signed with its own private key, for a
period of validity of 2 years.
(line breaks added for document readability)
$ openssl x509 -trustout -in MyCompanyCA.csr
-out MyCompanyCA.crt -req -signkey MyCompanyCA.pem
-days 730
Note: The private key file (MyCompanyCA.pem) of a Root Certificate Authority must be handled
with care. Anyone who obtains it can issue certificates that every server trusting this CA will
accept, so the file must not be readable by other users, and it should not be kept on the
machines that only need to present client certificates.
-
Create the client's X.509 certificate and private key.
-
Create the client serial file.
$ echo 01 > MyClient.srl
Note: When a certificate is signed with -CA, openssl x509 reads and increments the serial
number in the CA's serial file (MyCompanyCA.srl by default, derived from the -CA file name),
not in MyClient.srl.
-
Create the client's Certificate Signing Request and private key.
$ openssl req -new -out MyClient.csr
Note: By default, openssl writes the private key to the file privkey.pem in the current
directory; use -keyout to choose another file name.
-
Remove the password from the RSA private key.
$ openssl rsa -in privkey.pem -out MyClient.pem
Note: The unencrypted key is written to MyClient.pem. Because it is no longer protected by a
passphrase, this file must be readable only by the account that runs the Genero Web Services
client.
-
Create the client's certificate signed by the Root Certificate Authority (an X.509 certificate
valid for a period of 1 year).
(line breaks added for document readability)
$ openssl x509 -in MyClient.csr -out MyClient.crt -req
-CA MyCompanyCA.crt -CAkey MyCompanyCA.pem -days 365
Note: No -signkey option is needed here: the client's public key is taken from the request and
the signature is made with the CA key given by -CAkey, so the resulting certificate is issued
by the CA, not self-signed. The serial number comes from MyCompanyCA.srl, the serial file
created with the CA.
Note: Most servers do not authenticate their clients with certificates. For these servers, the
client certificate is never requested during the TLS handshake and plays no part in the
connection; the session is encrypted by TLS whether or not a client certificate is configured.
If, however, the server performs client authentication, it must trust the Certificate
Authority that signed the client's certificate, so that CA must be one in which the server's
operators have total confidence concerning the validity of the client certificates it issues.
Note: The purpose of the client's certificate is to identify the client to any server;
therefore the subject of the certificate must correspond to the client's identity as it is
known by the servers.
Note: To import the certificate into a keystore, you can package the certificate and its
private key as a PKCS#12 file.
-
Add the client's security configuration to fglprofile.
The client security entry defines the certificate and the associated private key that the
Genero Web Services client presents during an HTTPS communication. The security entry must be
defined with a unique identifier (id1 in this example).
security.id1.certificate = "MyClient.crt"
security.id1.privatekey = "MyClient.pem"
Note: If the private key is protected with a password, you must either remove the password or
create a script that returns the password on demand.
A client certificate is created and your application is configured to use it. The client
certificate is not self-signed: it is issued by your company's own root Certificate
Authority, created in the first step.
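The whole procedure above as one non-interactive shell script. This is an added example written for this page, not code from the Genero documentation or from Four Js. It assumes OpenSSL 1.1.1 or later on PATH and runs in a temporary directory; the subject names, the 2048-bit key size, the -nodes and -subj batch options, the X.509v3 extensions (CA:TRUE on the CA, clientAuth on the client) and the PKCS#12 password are constructed for the example and do not appear on the page. Beyond the page's steps it also checks that the client certificate really chains to the CA and is not self-signed, confirms that the key file loads without a passphrase (the condition the fglprofile note requires), and exports the PKCS#12 bundle the keystore note mentions.

```shell
#!/bin/sh
# Added example, not taken from the Genero documentation. Builds the private root CA
# and the CA-signed client certificate without interactive prompts, then checks what
# fglprofile and a server doing client authentication will rely on.
# Assumptions: OpenSSL 1.1.1+ on PATH; subjects, key size, extensions and the PKCS#12
# password are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

CA_SUBJ="/C=US/O=MyCompany/CN=MyCompany Root CA"   # constructed
CLIENT_SUBJ="/C=US/O=MyCompany/CN=gws-client-01"   # constructed; must match the identity the server expects

# Step 1: root CA key, request and self-signed CA certificate (2 years).
make_root_ca() {
    echo 01 > MyCompanyCA.srl
    # -nodes writes an unencrypted CA key so the demo is non-interactive; a real CA key
    # should keep its passphrase and live on a machine that never presents client certs.
    openssl req -new -newkey rsa:2048 -nodes -subj "$CA_SUBJ" \
        -keyout MyCompanyCA.pem -out MyCompanyCA.csr 2>/dev/null
    chmod 600 MyCompanyCA.pem
    # basicConstraints CA:TRUE is not on the page; without it some TLS stacks refuse
    # to accept the certificate as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in MyCompanyCA.csr -signkey MyCompanyCA.pem -days 730 \
        -extfile ca.ext -out MyCompanyCA.crt 2>/dev/null
}

# Step 2: client key and request, then a certificate signed by the CA (1 year).
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$CLIENT_SUBJ" \
        -keyout MyClient.pem -out MyClient.csr 2>/dev/null
    chmod 600 MyClient.pem
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
    # Public key comes from the CSR, signature from -CAkey; no -signkey needed.
    # The serial is read from and incremented in MyCompanyCA.srl.
    openssl x509 -req -in MyClient.csr -CA MyCompanyCA.crt -CAkey MyCompanyCA.pem \
        -CAserial MyCompanyCA.srl -days 365 -extfile client.ext -out MyClient.crt 2>/dev/null
}

# Succeeds only if MyClient.crt chains to MyCompanyCA.crt and its issuer differs from
# its subject, i.e. it is CA-issued rather than self-signed.
verify_client_cert() {
    openssl verify -CAfile MyCompanyCA.crt MyClient.crt >/dev/null 2>&1 || return 1
    issuer=$(openssl x509 -in MyClient.crt -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subject=$(openssl x509 -in MyClient.crt -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$issuer" != "$subject" ]
}

# Succeeds if the key file loads with an empty passphrase, so it can be referenced
# directly from the security.<id>.privatekey entry without a password script.
key_is_unencrypted() {
    openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Step 3 (optional): PKCS#12 bundle with the CA chain, for tools that import keystores.
export_pkcs12() {
    openssl pkcs12 -export -in MyClient.crt -inkey MyClient.pem -certfile MyCompanyCA.crt \
        -name gws-client-01 -passout pass:changeit -out MyClient.p12
}

# Step 4: the fglprofile entries, with absolute paths. Prints the fragment's file name.
write_fglprofile() {
    cat > fglprofile.security <<EOF
security.id1.certificate = "$WORKDIR/MyClient.crt"
security.id1.privatekey = "$WORKDIR/MyClient.pem"
EOF
    echo "$WORKDIR/fglprofile.security"
}

make_root_ca
issue_client_cert
verify_client_cert || { echo "MyClient.crt does not chain to MyCompanyCA.crt" >&2; exit 1; }
key_is_unencrypted MyClient.pem || { echo "MyClient.pem still has a passphrase" >&2; exit 1; }
export_pkcs12
write_fglprofile
```

Append the printed fglprofile.security fragment to your fglprofile; the absolute paths avoid the lookup depending on the working directory of the client. Keep MyCompanyCA.pem out of the deployment: only MyClient.crt and MyClient.pem (or MyClient.p12) are needed where the client runs.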