3.2. Issue Client-side Certificates

This article is published under the CC-BY-4.0 license; please comply with that license when reproducing it.
Article URL: https://fenying.net/en/book/pki-tutorials/3.2.request-client-certificate/

Overview

This chapter describes how to issue client-side certificates using OpenSSL command-line tools.

Generate a new private key for the client

You can choose either RSA or EC keys, but you need to pay attention to the key length:

  • RSA 2048
  • EC 256

Here is an example using RSA:

    MY_CA_L2_DIR=$RSA_CA_R1_DIR          # The directory of the intermediate CA.

    # Placeholder value: the address on the source page was obfuscated ("[email protected]").
    NEW_CERT_NAME=user@example.com
    NEW_CLIENT_KEY_PATH=$MY_CA_L2_DIR/private/client-$NEW_CERT_NAME.key.pem

    # Generate an unencrypted RSA 2048 private key.
    openssl genrsa -rand $MY_CA_L2_DIR/.rand -out $NEW_CLIENT_KEY_PATH 2048

    # [Optional] Protect the private key with a password.
    # openssl genrsa -rand $MY_CA_L2_DIR/.rand -aes-256-cfb -out $NEW_CLIENT_KEY_PATH 2048

    # Or you can use EC keys
    # openssl ecparam -rand $MY_CA_L2_DIR/.rand -genkey -name prime256v1 -noout -out $NEW_CLIENT_KEY_PATH

    # [Optional] If you want to protect the private EC key with a password, you can use the following command.
    # openssl ec -aes-256-cfb -in $NEW_CLIENT_KEY_PATH -out $NEW_CLIENT_KEY_PATH

Generate a certificate signing request file (xxx.csr.pem)

Just like the process of issuing an intermediate CA certificate, the process of issuing a client certificate is also divided into two steps.

Firstly, create a draft of the application form (xxx.csr.cnf), which is a text file describing the detailed information of the certificate to be applied for.

    NEW_CLIENT_CERT_REQ_PATH=$MY_CA_L2_DIR/csr/client-$NEW_CERT_NAME.csr.cnf

    cat > $NEW_CLIENT_CERT_REQ_PATH << EOL
    [ req ]
    distinguished_name  = req_distinguished_name
    string_mask         = utf8only

    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md          = sha256
    prompt              = no

    [ req_distinguished_name ]
    # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
    commonName                      = $NEW_CERT_NAME
    EOL

Then use the openssl req command to add the public key of the new certificate (note that this is the key of the new certificate, not the key of the CA) to the application form, and sign the application form with the matching private key. The result is a new file, xxx.csr.pem, which is a Base64-encoded DER file.

    NEW_CLIENT_CERT_CSR_PATH=$MY_CA_L2_DIR/csr/client-$NEW_CERT_NAME.csr.pem

    openssl req \
        -config $NEW_CLIENT_CERT_REQ_PATH \
        -new -sha256 \
        -key $NEW_CLIENT_KEY_PATH \
        -out $NEW_CLIENT_CERT_CSR_PATH

You can view the detailed information of the file with the following command.

    openssl req \
        -in $NEW_CLIENT_CERT_CSR_PATH \
        -noout \
        -text

Sign the certificate

Now everything is ready. Let's sign the certificate with an intermediate CA:

    NEW_CLIENT_CERT_PATH=$MY_CA_L2_DIR/issued_certs/client-$NEW_CERT_NAME.cert.pem

    openssl ca \
        -config $MY_CA_L2_DIR/ca.cnf \
        -extensions client_cert \
        -days 180 \
        -notext \
        -md sha256 \
        -batch \
        -in $NEW_CLIENT_CERT_CSR_PATH \
        -out $NEW_CLIENT_CERT_PATH

Here is the explanation of the command:

  • Option -config $MY_CA_L2_DIR/ca.cnf

    This option specifies the configuration file of the CA, which is described in the previous chapter.

  • Option -batch

    This option enables batch (non-interactive) mode: the information is read directly from the CA configuration and the command-line parameters, so no interactive input is required.

  • Option -md sha256

    Specifies the hash algorithm to use when signing the certificate. If omitted, the algorithm specified by default_md in the CA configuration file is used.

  • Option -days

    Specifies the validity period of the certificate (from the system time when it is signed), in days. If omitted, the duration specified by default_days in the CA configuration file is used.

    If you need to generate a certificate for a specific time (such as an expired certificate for some test scenarios), you can replace the parameter -days 180 with -startdate 220101000000Z -enddate 220301000000Z, where:

    • -startdate indicates the start time of the certificate validity period, in the format YYMMDDhhmmssZ, where the year, month, day, hour, minute, and second are represented by 2 digits each, and the Z at the end indicates the use of the UTC time zone.
    • -enddate indicates the end time of the certificate validity period, in the same format as above.

And then, check the detailed information of the generated certificate with this command.

    openssl x509 -noout -text -in $NEW_CLIENT_CERT_PATH

You can check whether the intermediate CA certificate can be used to verify the client certificate with the following command.

    openssl verify -CAfile $MY_CA_L2_DIR/ca.fullchain.pem $NEW_CLIENT_CERT_PATH

Generate the full chain of the client certificate

In the previous command, a chain of certificates is used, because a full chain is required to verify the client certificate.

So, you need to generate a full chain of the client certificate.

    NEW_CLIENT_FULLCHAIN_PATH=$MY_CA_L2_DIR/issued_certs/client-$NEW_CERT_NAME.fullchain.pem

    cat > $NEW_CLIENT_FULLCHAIN_PATH << EOL
    $(cat $NEW_CLIENT_CERT_PATH)

    $(cat $MY_CA_L2_DIR/ca.fullchain.pem)
    EOL

Then, verify the certificate chain with the following command.

    openssl verify -CAfile $MY_CA_L2_DIR/ca.fullchain.pem $NEW_CLIENT_FULLCHAIN_PATH

Now, a client certificate has been successfully issued, and you can use it to configure your client.
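
Before handing the files out, it is worth checking that the key, CSR and certificate produced above belong together and that the certificate is accepted for TLS client authentication. The following script is an added example, not part of the original tutorial: it compares the public key across the three files, verifies the chain with the sslclient purpose, and checks expiry. To run offline it builds a throwaway CA; the function names and the contents of demo.cnf are assumptions of this example (the tutorial's own client_cert section lives in the ca.cnf from the previous chapter).

```shell
# pubkey_digest KIND FILE: SHA-256 of the public key held in a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# check_client_cert KEY CSR CERT CA_CHAIN: prints "ok", or the first failed check (status 1).
check_client_cert() {
    k=$(pubkey_digest key "$1") || { echo "unreadable key"; return 1; }
    [ "$k" = "$(pubkey_digest csr "$2")" ]  || { echo "CSR does not match key"; return 1; }
    [ "$k" = "$(pubkey_digest cert "$3")" ] || { echo "certificate does not match key"; return 1; }
    openssl verify -purpose sslclient -CAfile "$4" "$3" >/dev/null 2>&1 \
        || { echo "chain or purpose check failed"; return 1; }
    openssl x509 -in "$3" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
    echo ok
}

# make_demo_pki DIR [SECTION]: constructed throwaway CA + client cert (assumed config, not the tutorial's ca.cnf).
make_demo_pki() {
    cat > "$1/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = demo
[ v3_ca ]
basicConstraints = critical, CA:true
[ client_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ server_only ]
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/demo.cnf" -extensions v3_ca \
        -subj "/CN=Demo CA" -days 1 -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "/CN=demo-client" \
        -keyout "$1/client.key.pem" -out "$1/client.csr.pem" 2>/dev/null
    openssl x509 -req -in "$1/client.csr.pem" -CA "$1/ca.cert.pem" -CAkey "$1/ca.key.pem" \
        -CAcreateserial -days 1 -sha256 -extfile "$1/demo.cnf" \
        -extensions "${2:-client_cert}" -out "$1/client.cert.pem" 2>/dev/null
}

# Demo on the constructed PKI; prints "ok".
d=$(mktemp -d) && make_demo_pki "$d" && check_client_cert "$d/client.key.pem" \
    "$d/client.csr.pem" "$d/client.cert.pem" "$d/ca.cert.pem"; rm -rf "$d"
```

With the tutorial's variables, the call is check_client_cert $NEW_CLIENT_KEY_PATH $NEW_CLIENT_CERT_CSR_PATH $NEW_CLIENT_CERT_PATH $MY_CA_L2_DIR/ca.fullchain.pem; a password-protected key will prompt for its passphrase.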
