SSL Client Certificate Creation

From Antiflux Wiki

Revision as of 21:11, 15 May 2006 by Evan (Talk | contribs)

To generate a client certificate for "user" signed with our CA key:

  1. Generate a key:

    openssl genrsa -out /etc/ssl/client/user.key 1024

  2. Generate a certificate signing request (CSR):

    openssl req -new -key /etc/ssl/client/user.key -out /etc/ssl/antiflux/user.csr

  3. Sign the CSR:

    cd /etc/ssl/antiflux ; make sign

  4. Move the certificate to the client certificates directory:

    mv /etc/ssl/antiflux/user.cert /etc/ssl/client/user.crt

  5. Create a PKCS#12 file:

    cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12

The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) can be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world-readable, but the key should be readable only by the user.

Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.
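
The five steps above, run end to end in a scratch directory with checks that the certificate chains to the CA and matches the key. This is an added example, not part of the wiki's own procedure. Assumptions: the function name issue_client_cert is hypothetical, a constructed throwaway CA with "openssl x509 -req" stands in for the site's "make sign" (whose Makefile is not shown here), the key is 2048-bit RSA rather than the page's 1024, and the PKCS#12 password is a constructed placeholder.

```shell
#!/bin/sh
# Added example: a constructed throwaway CA stands in for the site's "make sign".
# Everything lives under a scratch directory; nothing touches /etc/ssl.

issue_client_cert() (
    dir=$1 user=$2
    umask 077                       # new files (keys included) start owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Throwaway CA (constructed; the real CA key and Makefile are site-specific).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1

    # Steps 1-2: client key and CSR.
    openssl genrsa -out "$user.key" 2048 2>/dev/null || exit 1
    openssl req -new -key "$user.key" -subj "/CN=$user" -out "$user.csr" || exit 1

    # Step 3 (stand-in for "make sign"): sign the CSR with the CA key.
    openssl x509 -req -in "$user.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out "$user.crt" 2>/dev/null || exit 1

    # Check 1: the issued certificate chains to the CA.
    openssl verify -CAfile ca.crt "$user.crt" >/dev/null || exit 1

    # Check 2: the certificate's public key is the one derived from the private key.
    k=$(openssl pkey -in "$user.key" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$user.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ] || exit 1

    # Step 5: PKCS#12 bundle (constructed password; let openssl prompt in real use).
    openssl pkcs12 -export -clcerts -in "$user.crt" -inkey "$user.key" \
        -passout pass:example-only -out "$user.p12" || exit 1

    # Permissions as described on the page: certificate world-readable, key owner-only.
    chmod 644 "$user.crt" && chmod 600 "$user.key" "$user.p12"
)
```

Call it as issue_client_cert /tmp/certtest user; a non-zero exit status means one of the generation steps or checks failed.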
