Create the client certificate
You generate a client certificate.
In this task you create your own root certificate authority and client certificate using the OpenSSL command line tool.
-
Create the root certificate authority.
-
Create the root certificate authority serial file.
$ echo 01 > MyCompanyCA.srl
This command creates a serial file with an initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates. The serial file is typically given the same name as the CA with the extension .srl.
-
Create the Root Authority's Certificate Signing Request and private key.
$ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem
-
Create the Root Certificate Authority for a period of validity of 2 years.
(line breaks added for document readability)
$ openssl x509 -trustout -in MyCompanyCA.csr
-out MyCompanyCA.crt -req -signkey MyCompanyCA.pem
-days 730Note: The private key file (MyCompanyCA.pem) of a Root Certificate Authority must be handled with care. This file is responsible for the validity of all other certificates it has signed. As a result, it must not be accessible by other users.
-
Create the root certificate authority serial file.
-
Create the client's X.509 certificate and private key.
-
Create the client serial file.
$ echo 01 > MyClient.srl
This command creates a serial file with the initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates.
-
Create the client's Certificate Signing Request and private key.
$ openssl req -new -out MyClient.csr
Note: By default, openssl outputs the private key in the privkey.pem file. If you want to specify a different file name, or if your openssl version does not output the private key by default, add the-keyout <myprivkey>.pem
to the command. -
Remove the password from the RSA private key.
$ openssl rsa -in privkey.pem -out MyClient.pem
Note: The key is also renamed in MyClient.pem. -
Create the client's certificate (self-signed X.509 certificate valid for a period of 1 year)
trusted by the Root Certificate Authority created in step 1 .
(line breaks added for document readability)
$ openssl x509 -in MyClient.csr -out MyClient.crt -req
-signkey MyClient.pem -CA MyCompanyCA.crt
-CAkey MyCompanyCA.pem -days 365Note: Most servers do not check the identity of the clients. For these servers, the client's certificate does not necessarily need to be trusted; it is only used for data encryption purpose. If, however, the server performs client identification, you must trust a Certificate Authority in which it has total confidence concerning the validity of the client's certificates.Note: The purpose of the client's Certificate is to identify the client to any server; therefore the subject of the certificate must correspond to the client's identity as it is known by the servers.Note: To import the certificate in a keystore you can create a pkcs12 certificate. See Import a certificate and its private key into the Windows key store.
-
Create the client serial file.
Configure your fglprofile file for the client certificate. See Configure for the client certificate.