Configure for the client certificate

You generate a client certificate and configure your application to use it. For production systems, you add the configuration details to fglprofile.

During development, if you do not have the certificate information in your fglprofile, Genero creates a certificate for you. When you move into production, however, the server provides a certificate for you, and you need to add the certificate information to the fglprofile.
  1. Create the root certificate authority.
    1. Create the root certificate authority serial file.

      $ echo 01 > MyCompanyCA.srl
    2. Create the Root Authority's Certificate Signing Request and private key.

      $ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem
    3. Create the Root Certificate Authority for a period of validity of 2 years.

      (line breaks added for document readability)

      $ openssl x509 -trustout -in MyCompanyCA.csr
      -out MyCompanyCA.crt -req -signkey MyCompanyCA.pem
      -days 730

      Note: The private key file (MyCompanyCA.pem) of a Root Certificate Authority must be handled with care. This file underwrites the validity of every certificate the authority has signed: anyone who can read it can issue certificates that chain to your root. As a result, it must not be accessible to other users.
  2. Create the client's X.509 certificate and private key.
    1. Create the client serial file.

      $ echo 01 > MyClient.srl
    2. Create the client's Certificate Signing Request and private key.

      $ openssl req -new -out MyClient.csr

      Note: By default, openssl outputs the private key in the privkey.pem file.
    3. Remove the password from the RSA private key.

      $ openssl rsa -in privkey.pem -out MyClient.pem

      Note: The unencrypted key is written to MyClient.pem; this is the file referenced from fglprofile.
    4. Create the client's Certificate signed by the Root Certificate Authority (an X.509 certificate valid for a period of 1 year). The CA key signs the request; the client's own private key is not needed for this step.

      (line breaks added for document readability)

      $ openssl x509 -in MyClient.csr -out MyClient.crt -req
      -CA MyCompanyCA.crt -CAkey MyCompanyCA.pem -days 365

      Note: Most servers do not check the identity of the clients. For these servers, the client's certificate does not necessarily need to be trusted; it is only used for data encryption purposes. If, however, the server performs client identification, the client's certificate must be issued by a Certificate Authority that the server fully trusts to vouch for the validity of client certificates.
      Note: The purpose of the client's Certificate is to identify the client to any server; therefore the subject of the certificate must correspond to the client's identity as it is known by the servers.
      Note: To import the certificate into a keystore, you can package the certificate and its key as a pkcs12 file.
  3. Add the client's security configuration to fglprofile.
    The client security entry defines the certificate and the associated private key used by the Genero Web Services client during HTTPS communication. The security entry must be defined with a unique identifier (id1 in this example).

    security.id1.certificate = "MyClient.crt"
    security.id1.privatekey  = "MyClient.pem"

    Note: If the private key is protected with a password, you must remove it or create a script that returns the password on demand.
A client certificate is created and your application is configured to use it. The client certificate is not self-signed but issued by your company's own root Certificate Authority.
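The whole procedure as a non-interactive script, added here as an example and not part of the Genero documentation: it builds the CA and client pair and then runs the checks worth doing before fglprofile points at the files. The scratch directory, subject names and key size are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Genero documentation. Rebuilds the CA and
# client pair of the procedure above without prompts, then verifies the
# pair before it is referenced from fglprofile. Subject names, key size
# and the scratch directory are constructed for this example.
set -eu

build_client_cert() {
    dir="$1"
    mkdir -p "$dir"
    # Step 1: CA serial file, CSR + private key, self-signed CA cert (2 years).
    echo 01 > "$dir/MyCompanyCA.srl"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=MyCompany Root CA" \
        -keyout "$dir/MyCompanyCA.pem" -out "$dir/MyCompanyCA.csr" 2>/dev/null
    openssl x509 -req -in "$dir/MyCompanyCA.csr" -signkey "$dir/MyCompanyCA.pem" \
        -days 730 -out "$dir/MyCompanyCA.crt" 2>/dev/null
    # Step 2: client CSR with an unencrypted key (-nodes replaces the separate
    # "openssl rsa" password-removal step), then the CA signs the request (1 year).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=MyClient" \
        -keyout "$dir/MyClient.pem" -out "$dir/MyClient.csr" 2>/dev/null
    openssl x509 -req -in "$dir/MyClient.csr" -CA "$dir/MyCompanyCA.crt" \
        -CAkey "$dir/MyCompanyCA.pem" -CAserial "$dir/MyCompanyCA.srl" \
        -days 365 -out "$dir/MyClient.crt" 2>/dev/null
}

# Step 3 preconditions. Prints "ok" and returns 0 when:
#  - MyClient.crt chains to MyCompanyCA.crt (a server doing client
#    identification verifies exactly this),
#  - MyClient.pem carries no password (the client cannot prompt at runtime),
#  - MyClient.pem is the key of MyClient.crt (a swapped file fails the handshake).
check_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/MyCompanyCA.crt" "$dir/MyClient.crt" >/dev/null 2>&1 \
        || { echo "MyClient.crt does not chain to MyCompanyCA.crt"; return 1; }
    if grep -q ENCRYPTED "$dir/MyClient.pem"; then
        echo "MyClient.pem is still password protected"; return 1
    fi
    cert_pub=$(openssl x509 -in "$dir/MyClient.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/MyClient.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "MyClient.pem is not the private key of MyClient.crt"; return 1; }
    echo ok
}

work=$(mktemp -d)
build_client_cert "$work"
check_client_cert "$work"      # prints: ok
```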