SSL Client Certificate Creation

From Antiflux Wiki

(Difference between revisions)
Current revision (21:38, 15 May 2006)
 
Line 1: Line 1:
-
To generate a client certificate for "user" signed with our CA key:
+
To obtain a client certificate signed by the Antiflux CA:
<ol>
<ol>
-
<li>Generate a key:
+
<li>Create a directory in which to store your key and certificate:
-
<p><code>openssl genrsa -out /etc/ssl/client/user.key 1024</code></p>
+
<p><code>mkdir $HOME/.ssl ; cd $HOME/.ssl</code></p>
</li>
</li>
 +
 +
<li>Generate a key (where user is your username):
 +
<p><code>openssl genrsa -out $HOME/.ssl/user.key 1024</code></p>
 +
</li>
 +
 +
<li>Ensure the key is not readable by other users:
 +
<p><code>chmod 0600 $HOME/.ssl/user.key</code></p>
 +
</li>
 +
<li>Generate a certificate signing request (CSR):
<li>Generate a certificate signing request (CSR):
-
<p><code>openssl req -new -key /etc/ssl/client/user.key -out /etc/ssl/antiflux/user.csr</code></p>
+
<p><code>openssl req -new -key $HOME/.ssl/user.key -out $HOME/.ssl/user.csr</code></p>
</li>
</li>
 +
 +
<li>E-mail the CSR ('''NOT''' the key) to root:
 +
<p><code>mail [email protected] < $HOME/.ssl/user.csr</code></p>
 +
</li>
 +
 +
</ol>
 +
 +
The following steps are for administrators only:
 +
 +
<ol>
 +
<li>Export the CSR to a file called user.csr in /etc/ssl/antiflux</li>
<li>Sign the CSR:
<li>Sign the CSR:
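Review bot: the rewritten step 2 still generates a 1024-bit RSA key (`openssl genrsa -out $HOME/.ssl/user.key 1024`); 2048 bits is the smallest RSA size generally accepted today, so consider changing the command to `2048` and saying why in the text. Step 1 creates `$HOME/.ssl` with the caller's default umask and only step 3 tightens the key after it has already been written; `mkdir -m 0700 $HOME/.ssl` (or `umask 077` before step 2) removes the window in which the fresh key may be group- or world-readable. The "NOT the key" warning in step 5 has no check behind it; suggest telling the user to confirm that the file about to be mailed parses as a request, e.g. `openssl req -in $HOME/.ssl/user.csr -noout -verify`, before the `mail` command.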
Line 20: Line 40:
<p><code>cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12</code></p>
<p><code>cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12</code></p>
</li>
</li>
 +
 +
<li>Send the certificate and PKCS#12 files to the user.</li>
</ol>
</ol>
-
The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) can be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world readable, but the key should only readable by the user.
+
The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) should be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world readable, but the key should only readable by the user.
Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.
Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.
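Review bot: the unchanged admin step `cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12` no longer fits the revised user workflow: the user now keeps `user.key` in `$HOME/.ssl` and mails only the CSR, so the administrator does not have the `-inkey` file and the export cannot run as written. Either drop this step together with "Send the certificate and PKCS#12 files to the user" and have the user build the bundle locally (`openssl pkcs12 -export -clcerts -in user.crt -inkey $HOME/.ssl/user.key -out user.p12`), or state where the key is expected to come from. The rewritten closing paragraph also still reads "the key should only readable by the user" (missing "be").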

Current revision

To obtain a client certificate signed by the Antiflux CA:

  1. Create a directory in which to store your key and certificate:

    mkdir $HOME/.ssl ; cd $HOME/.ssl

  2. Generate a key (where user is your username):

    openssl genrsa -out $HOME/.ssl/user.key 1024

  3. Ensure the key is not readable by other users:

    chmod 0600 $HOME/.ssl/user.key

  4. Generate a certificate signing request (CSR):

    openssl req -new -key $HOME/.ssl/user.key -out $HOME/.ssl/user.csr

  5. E-mail the CSR (NOT the key) to root:

    mail [email protected] < $HOME/.ssl/user.csr

The following steps are for administrators only:

  1. Export the CSR to a file called user.csr in /etc/ssl/antiflux
  2. Sign the CSR:

    cd /etc/ssl/antiflux ; make sign

  3. Move the certificate to the client certificates directory:

    mv /etc/ssl/antiflux/user.cert /etc/ssl/private/user.crt

  4. Create a PKCS#12 file:

    cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12

  5. Send the certificate and PKCS#12 files to the user.

The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) should be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world readable, but the key should only be readable by the user.

Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.
