Use of SSL client certificates requires that individual users be issued certificates, typically one certificate per user. The process works like this:
The first two steps can be done in a variety of ways. This document discusses how to perform these operations with OpenSSL, a freeware command-line certificate manipulation program. You can obtain OpenSSL from the OpenSSL binaries page.
When using OpenSSL, there are two steps to creating a certificate signing request (CSR): creating the private RSA key, and creating the certificate request containing the user's name and other information.
First, create a key. In the examples below, user-entered input follows the C:\tmp> prompt, and parenthesized notes describe prompts whose input is not echoed:
Example 1
C:\tmp>openssl genrsa -des3 -out clientcert.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..............++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for clientcert.key: (the password is not echoed)
Verifying - Enter pass phrase for clientcert.key:
C:\tmp>
This example creates a 1024-bit key and stores it in clientcert.key. 1024 bits is a good level of security; for even better security (at the cost of slower performance) you may choose a 2048-bit key.
Next, create the CSR:
Example 2
C:\tmp>openssl req -config \moveitdmz\util\openssl.conf -new -key clientcert.key -out clientcert.csr
Enter pass phrase for clientcert.key: (enter the password given above)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Wisconsin
Locality Name (eg, city) []:Madison
Organization Name (eg, company) [ACME Inc.]:Universal Exporters
Organizational Unit Name (eg, section) []:Accounting
Common Name (eg, fully qualified host name) []:Fred
Email Address []:fred@univ-exporters.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
C:\tmp>
This example creates a certificate request for Fred. The optional challenge password and company name are typically left blank. The file clientcert.csr is ready to be sent to the Certificate Authority (CA) that will sign the certificate.
Once a certificate request has been created, it should be sent to a Certificate Authority for signing. A Certificate Authority can be:
If you want to make yourself a Certificate Authority so you will be able to sign CSRs yourself, you need a separate certificate. This type of certificate is issued to an administrator and is NOT needed by individual users. You can obtain such a certificate from various sources, including all three types listed above. If you work for a small organization, or are just testing, you may wish to create your own self-signed certificate. Self-signed certificates provide the same level of encryption as commercially purchased ones, but require a bit more effort before the server will "trust" them. Self-signed certificates are free and can have as long a lifetime as you want.
To create a self-signed certificate so you can sign CSRs yourself:
Example 3
C:\tmp>openssl req -config \moveitdmz\util\openssl.conf -x509 -days 365 -newkey rsa:1024 -keyout MyCAcert.key -out MyCAcert.cer
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
....++++++
writing new private key to 'MyCAcert.key'
Enter PEM pass phrase: (enter a new password that will be known only to the administrator)
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Wisconsin
Locality Name (eg, city) []:Madison
Organization Name (eg, company) [ACME Inc.]:Universal Exporters
Organizational Unit Name (eg, section) []:IT Dept
Common Name (eg, fully qualified host name) []:UE IT Security
Email Address []:ueitsec@univ-exporters.com
C:\tmp>
This creates a certificate with a 1024-bit RSA key that expires in 365 days. In this example, the administrator creating the certificate is in the same organization as the client certificate applicant above, but in a different department. The key is written to MyCAcert.key and the public certificate to MyCAcert.cer. Be sure to keep the MyCAcert.key file and its pass phrase secure: anyone holding both can issue client certificates that the server will trust.
Once you have a signing key (either created yourself or obtained otherwise), you can sign CSRs:
Example 4
C:\tmp>openssl x509 -req -in clientcert.csr -days 1000 -CA MyCAcert.cer -CAkey MyCAcert.key -CAcreateserial -out clientcert.cer
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=Wisconsin/L=Madison/O=Universal Exporters/OU=Accounting/CN=Fred/emailAddress=fred@univ-exporters.com
Getting CA Private Key
Enter pass phrase for MyCAcert.key: (enter the password of the CA cert)
C:\tmp>
This reads the user's certificate signing request and signs it, creating a client certificate in the file clientcert.cer. In this example, the certificate will be valid for 1000 days.
At this point, clientcert.cer is the public component of the client certificate, and clientcert.key is the private component. Some client software, most notably Microsoft Windows, requires that these files be converted to a different format before they can be used by the client. If you have access to the user's clientcert.key file (for example, if you performed the equivalent of Example 1 yourself), you can convert these two files into the single-file .pfx format required by Windows by using a command like:
Example 5
C:\tmp>openssl pkcs12 -export -in clientcert.cer -inkey clientcert.key -out clientcert.pfx
Loading 'screen' into random state - done
Enter pass phrase for clientcert.key: (enter the password created via "openssl genrsa" at the top)
Enter Export Password: (enter a new password. It can be the same as the openssl genrsa password)
Verifying - Enter Export Password:
C:\tmp>
The file clientcert.pfx now contains both the private and public components of the key. If the user created his or her own CSR and did not give you the .key file, the user will have to perform this openssl pkcs12 command.
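The whole procedure of Examples 1 through 5, run non-interactively from a POSIX shell, as an added example (this script is not part of the original document). It assumes the openssl command-line tool is on the PATH; the directory name, pass phrases and DN values are constructed samples, the keys are 2048-bit and encrypted with AES-256 instead of the examples' -des3, and the signing step adds an extension file so the issued certificate is restricted to TLS client authentication.

```shell
#!/bin/sh
# Added example, not from the original document. Assumes the openssl CLI is
# installed; all names, pass phrases and DN values below are constructed.
set -eu

issue_client_cert() {
  dir=$1 ca_pass=$2 user_pass=$3 cn=$4 email=$5
  mkdir -p "$dir"
  # Example 3: self-signed CA certificate and key. basicConstraints CA:TRUE
  # comes from req -x509 defaults. The .key and its pass phrase are what an
  # attacker would need to mint trusted client certificates; guard them.
  openssl req -x509 -days 365 -newkey rsa:2048 -sha256 \
    -keyout "$dir/MyCAcert.key" -out "$dir/MyCAcert.cer" -passout "pass:$ca_pass" \
    -subj "/C=US/ST=Wisconsin/L=Madison/O=Universal Exporters/OU=IT Dept/CN=UE IT Security" \
    2>/dev/null || return 1
  # Example 1: the user's encrypted RSA private key (AES-256 instead of -des3).
  openssl genrsa -aes256 -passout "pass:$user_pass" -out "$dir/clientcert.key" 2048 \
    2>/dev/null || return 1
  # Example 2: CSR carrying the user's distinguished name.
  openssl req -new -key "$dir/clientcert.key" -passin "pass:$user_pass" \
    -subj "/C=US/ST=Wisconsin/L=Madison/O=Universal Exporters/OU=Accounting/CN=$cn/emailAddress=$email" \
    -out "$dir/clientcert.csr" || return 1
  # Example 4: CA signs the CSR. The extension file marks the result as an
  # end-entity certificate usable only for client authentication, so a leaked
  # client certificate cannot sign further certificates or stand up a server.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=critical,digitalSignature' \
    'extendedKeyUsage=clientAuth' > "$dir/client.ext"
  openssl x509 -req -in "$dir/clientcert.csr" -days 1000 -sha256 \
    -CA "$dir/MyCAcert.cer" -CAkey "$dir/MyCAcert.key" -CAcreateserial -passin "pass:$ca_pass" \
    -extfile "$dir/client.ext" -out "$dir/clientcert.cer" 2>/dev/null || return 1
  # Example 5: PKCS#12 bundle for import into the Windows certificate store.
  # With OpenSSL 3.x, add -legacy here if an older Windows refuses the .pfx.
  openssl pkcs12 -export -in "$dir/clientcert.cer" -inkey "$dir/clientcert.key" \
    -passin "pass:$user_pass" -passout "pass:$user_pass" -out "$dir/clientcert.pfx" || return 1
}

# Check the result the way the server will: does the client certificate chain
# to the CA, is it inside its validity period, and is it allowed for TLS
# client authentication?
verify_client_cert() {
  openssl verify -CAfile "$1/MyCAcert.cer" -purpose sslclient "$1/clientcert.cer" >/dev/null
}

# Show the issued subject, e.g. to match the CN against a user account.
cert_subject() {
  openssl x509 -in "$1/clientcert.cer" -noout -subject
}
```

Run it as `issue_client_cert ./pki ca-secret user-secret Fred fred@univ-exporters.com && verify_client_cert ./pki`; the CA's .key and MyCAcert.srl stay on the administrator's machine and only clientcert.pfx goes to the user.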
On the user's computer, the client certificate will have to be imported into the computer's certificate store. If the operating system is Microsoft Windows, the user should copy clientcert.pfx onto the computer and perform these steps:
The client certificate is now ready to be used. To double-check that the certificate has been installed, you may wish to examine the list of client certificates:
If you created a self-signed CA certificate, you will need to install it on the server. This will enable the server to trust client certificates signed with this CA certificate. (If your CA certificate was issued by a major certificate vendor, this step is not necessary because the vendor's certificate is built into Windows.)
To run the Windows Certificate Wizard to import the CA certificate: