SSL Client Certificate Creation
From Antiflux Wiki
Revision as of 21:11, 15 May 2006
To generate a client certificate for "user" signed with our CA key:
- Generate a key:
openssl genrsa -out /etc/ssl/client/user.key 1024
- Generate a certificate signing request (CSR):
openssl req -new -key /etc/ssl/client/user.key -out /etc/ssl/antiflux/user.csr
- Sign the CSR:
cd /etc/ssl/antiflux ; make sign
- Move the certificate to the client certificates directory:
mv /etc/ssl/antiflux/user.cert /etc/ssl/private/user.crt
- Create a PKCS#12 file:
cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12
The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) can be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world readable, but the key should only readable by the user.
Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.