How to Create Self-Signed Client and Web Server Certificates using openssl
Use CSRs and Keys you got developers for each client, if there are more than one. Get it from them if you don’t have them or create the client key(s).
They should do something like this and send you the csr and key:
openssl genrsa -out client1.key 1024
# /C=US/ST=California/L=San Francisco/O=Your_Company_Name/OU=IT/CN=client1
Create the Certificate Signing Request from the Client Key.(You will use the CSR to create the Signed Certificate (crt).
openssl req -new -key client1.key -out client1.csr
Generate the root CA and the root private key. Keep it in a safe place. Check its expiration date.
do something similar to the following in order to generate the your_company_root_ca.crt or pem file.
First generate a password protected rya key (.key):
openssl genrsa -des3 -out your_company_root_ca.key 1024
If you want to verify the password of the key:
openssl rsa -in your_company_root_ca.key
Use this key to create a self signed X.509 certificate valid to 10 years (.crt):
openssl req -new -x509 -days 3650 -key your_company_root_ca.key -out your_company_root_ca.crt
Create the signed certificates from the csr and keys, using the root CA, for each client. Here you will be generating the .crt file(s). Send the crt files back to the developers to add to their client code.
openssl x509 -req -in client1.csr -CA your_company_root_ca.crt -CAkey your_company_root_ca.key -CAcreateserial -out client1.crt -days 365
Do this for each client. Keep in mind the client signed certs expire in 365 days. Of course, you can have it extend the expiration date. Mark it on the calendar!
Verify that the cert has the right attributes in it
openssl x509 -in client1.crt -subject -noout
Verify Certificate against CA bundle to make sure the client certs are good and then send them to the developers. You should see ‘OK’
openssl verify -CAfile your_company_root_ca.crt client1.crt
client1.crt: OK
Generate the Web Server key and signed cert (signed by the root CA)
# Web server key
openssl genrsa -out your_hostname.com.key 1024
# /C=US/ST=California/L=San Francisco/O=Your_Company_Name/OU=IT/CN=your_hostname.com
openssl req -new -key your_hostname.com.key -out your_hostname.com.csr
openssl x509 -req -in your_hostname.com.csr -CA your_company_root_ca.crt -CAkey your_company_root_ca.key -CAcreateserial -out your_hostname.com.crt -days 1024
Keep in mind the web server signed certs expire in 1024 days. Mark it on the calendar!
Verify Webserver Certificate against CA bundle to make sure the server cert is good. You should see ‘OK’
openssl verify -CAfile your_company_root_ca.crt your_hostname.com.crt
your_hostname.com.crt: OK
# Browser (firefox) test
generates a p12 file you can import into Firefox.
openssl pkcs12 -export -in client1.crt -inkey client1.key -name “Your Company Client 1” -out client1.p12
================================
You can use the CN attribute for attribute based authentication. From the CN attribute you can allow certain clients different access to different parts of your web services.
How to Create Self-Signed Client and Web Server Certificates using openssl,
