Create the client certificate

Generate a root certificate authority that signs a client certificate.

In this task you create your own root certificate authority and client certificate using the OpenSSL command line tool.

  1. Create the root certificate authority.
    1. Create the root certificate authority serial file.
      $ echo 01 >

      This command creates a serial file with an initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates. The serial file is typically given the same name as the CA with the extension .srl.

    2. Create the Certificate Signing Request (CSR) and private key.
      $ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem

      Follow the instructions to create the CSR.

    3. Create the Root Certificate Authority for a period of validity of 2 years.

      (line breaks added for document readability)

      $ openssl x509 -trustout -in MyCompanyCA.csr
      -out MyCompanyCA.crt -req -signkey MyCompanyCA.pem
      -days 730

      Note: The private key file (MyCompanyCA.pem) of a Root Certificate Authority must be handled with care. This file is responsible for the validity of all other certificates it has signed. As a result, it must not be accessible by other users.
  2. Create the client's X.509 certificate and private key.
    1. Create the client's Certificate Signing Request and private key.

      $ openssl req -new -out MyClient.csr

      Note: By default, openssl outputs the private key in the privkey.pem file. If you want to specify a different file name, or if your openssl version does not output the private key by default, add the -keyout <myprivkey>.pem to the command.
    2. Remove the password from the RSA private key.

      $ openssl rsa -in privkey.pem -out MyClient.pem

      Note: The unprotected private key is output in MyClient.pem.
    3. Create the client's certificate (self-signed X.509 certificate valid for a period of 1 year) trusted by the Root Certificate Authority created in step 1 .

      (line breaks added for document readability)

      $ openssl x509 -in MyClient.csr -out MyClient.crt -req
      -signkey MyClient.pem  -CA MyCompanyCA.crt
      -CAkey MyCompanyCA.pem -days 365

      Note: Most servers do not check the identity of the clients. For these servers, the client's certificate does not necessarily need to be trusted; it is only used for data encryption purpose. If, however, the server performs client identification, you must trust a Certificate Authority in which it has total confidence concerning the validity of the client's certificates.
      Note: The purpose of the client's certificate is to identify the client to any server; therefore the subject of the certificate must correspond to the client's identity as it is known by the servers.
      Note: To import the certificate in a keystore you can create a pkcs12 certificate. See Import a certificate and its private key into the Windows key store.
What to do next

Configure your FGLPROFILE file for the client certificate. See Configure for the client certificate.