This section describes how to create a client certificate.
NOTE: Some of the command line examples in this section are quite long. You might need to scroll the example to read the whole example.
To create a client certificate
-
The steps for the client(s) are very similar, only the file names and the embedded common name (host identifier: FQDN or IP address) are different. If you have multiple clients, make sure that each has the right host identifier.
openssl req -nodes -new -x509 -keyout clientkey.pem -newkey rsa:4096 -out clientreq.pem -days 365 -config openssl.cnf
NOTE: By including and customizing the -newkey rsa:<key size> element in your command line, you can set the key size that is compliant with your organization policy.
-
The following will be displayed. Answer the questions as in the example:
Generating a 1024 bit RSA private key .................................................................................++++++ ...............................++++++ writing new private key to 'clientkey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:HU State or Province Name (full name) [Some-State]:Budapest Locality Name (eg, city) []:Budapest Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:172.16.177.129 Email Address []: example@linux-modi:~/CA> openssl x509 -x509toreq -in clientreq.pem -signkey clientkey.pem -out tmp.pem Getting request Private Key Generating certificate request example@linux-modi:~/CA> openssl ca -config openssl.cnf -policy policy_anything -out clientcert.pem -infiles tmp.pem Using configuration from openssl.cnf Enter pass phrase for ./private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Jun 25 10:28:49 2014 GMT Not After : Jun 25 10:28:49 2015 GMT Subject: countryName = HU stateOrProvinceName = Budapest localityName = Budapest organizationName = Mycompany commonName = 172.16.177.129 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 91:D9:99:95:F2:0D:22:BF:72:95:56:9A:C0:DF:A3:07:5C:E2:3F:63 X509v3 Authority Key Identifier: keyid:D1:FF:ED:B4:0B:66:E6:45:EE:70:4F:DC:6C:C5:34:48:42:38:E9:38 Certificate is to be certified until Jun 25 10:28:49 2015 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
-
Enter the following:
rm tmp.pem