Creating a Client Certificate in OpenSSL

The process to create a client certificate consists of the following steps

  • Generating a certificate request
  • Signing the certificate request
  • Installing the signed certificate

Generating a certificate request

To create a certificate request, we execute the following command in a “root” shell.

/usr/lib/ssl/misc/CA.pl -newreq

During the creation of the certificate request, we are prompted for the following information

  • PEM pass phrase;
  • Country;
  • State;
  • City;
  • Organizational Name;
  • Organizational Unit Name;
  • Common Name; and
  • Email Address.

For the Common Name, we will supply the host name or the domain name that the certificate will certify. The above command will generate the following files

  • newkey.pem, which is the private key; and
  • newreq.pem, which is the request for signing.

Signing a certificate request

To sign a certificate request, we execute the following command in a “root” shell.

/usr/lib/ssl/misc/CA.pl -sign

During the signing of the certificate request, we are prompted for the following information

  • PEM pass phrase for the Certificate Authority key;
  • confirmation to sign the certificate; and
  • confirmation to commit the certificate.

The above command will generate a signed certificate in the newcert.pem file.

Removing the password on the private key

When using the client certificate, we will be prompted to supply the password on the private key. Inside an automated environment, this will cause applications to fail during start-up and be unavailable for use. We can, however, remove the password from the private key.

To remove the password on the private key, we execute the following command in a “root” shell.

openssl rsa -in newkey.pem -out newkey.pem.nopass

The above command will generate a separate private key file without the password associated with it.

Managing certificates

Once we’ve created the certificate, we perform the following operations on the files

  • Rename newreq.pem to hostname.req;
  • Move hostname.req to /etc/ssl/CA/requests;
  • Rename newkey.pem to hostname.key;
  • Move hostname.key to /etc/ssl/CA/private;
  • Rename newkey.pem.nopass to hostname.key.nopass;
  • Move hostname.key.nopass to /etc/ssl/CA/private;
  • Rename newcert.pem to hostname.cert; and
  • Move hostname.cert to /etc/ssl/CA/certs.
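The whole procedure above, as an added example that is not part of the original post: it replays the CA.pl steps with plain openssl commands against a throwaway CA in a scratch directory (standing in for /etc/ssl/CA), strips the passphrase, files the results under the names used above, and then checks that the certificate, the stripped key and the CA actually belong together. The host name, passphrase and CA name are constructed values.

```shell
#!/bin/sh
# Added example, not the post's own commands: redo the CA.pl steps with plain
# openssl, strip the passphrase, file the results, then check they belong together.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; nothing to do" >&2; exit 0; }

WORK="$(mktemp -d)"               # scratch tree standing in for /etc/ssl/CA
HOST="client.example.org"         # constructed Common Name / hostname
PASS="pass:example-passphrase"    # constructed; CA.pl would prompt for this instead

# A throwaway CA playing the part of CA.pl's demoCA (key is passphrase-protected).
openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=Example CA" \
    -passout "$PASS" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# Step 1, CA.pl -newreq: encrypted private key newkey.pem + request newreq.pem
openssl req -new -newkey rsa:2048 -subj "/CN=$HOST" \
    -passout "$PASS" -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null

# Step 2, CA.pl -sign: the CA signs the request and writes newcert.pem
openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -passin "$PASS" -days 365 -out "$WORK/newcert.pem" 2>/dev/null

# Step 3: strip the passphrase. The result is plaintext key material, so make
# it readable by its owner only before anything else happens to it.
umask 077
openssl rsa -in "$WORK/newkey.pem" -passin "$PASS" -out "$WORK/newkey.pem.nopass" 2>/dev/null

# Step 4, managing certificates: file the pieces the way the post does.
mkdir -p "$WORK/requests" "$WORK/private" "$WORK/certs"
mv "$WORK/newreq.pem"        "$WORK/requests/$HOST.req"
mv "$WORK/newkey.pem"        "$WORK/private/$HOST.key"
mv "$WORK/newkey.pem.nopass" "$WORK/private/$HOST.key.nopass"
mv "$WORK/newcert.pem"       "$WORK/certs/$HOST.cert"

# Checks a practitioner would run before installing the certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/certs/$HOST.cert" >/dev/null 2>&1
}
key_matches_cert() {   # public key in the cert == public key of the stripped key
    [ "$(openssl x509 -noout -pubkey -in "$WORK/certs/$HOST.cert")" = \
      "$(openssl pkey -pubout -in "$WORK/private/$HOST.key.nopass")" ]
}
stripped_key_is_owner_only() {   # mode 0600: nobody else can read the plaintext key
    find "$WORK/private/$HOST.key.nopass" -perm 600 | grep -q .
}
cert_chains_to_ca && key_matches_cert && stripped_key_is_owner_only && echo "ok: $WORK"
```

The scratch directory is left in place so the files can be inspected; delete it when done, since the .nopass key in it is unencrypted.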