Saturday, May 22, 2010

How to create a self-signed SSL client certificate

Here's how to create a self-signed SSL client certificate with openssl on the command line.
First we have to create the private key:
openssl genrsa -out client.key 2048
Now we can create the certificate request. The following command prompts for the distinguished name fields (country, organization, common name and so on) that go into the request:

openssl req -key client.key -new -out client.req



The X.509v3 extensions are not carried in the request; they are added when the certificate is signed, from a file that is passed to openssl x509 with the -extfile option (named client.cnf here). Create client.cnf with the following section:

[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

A note on the extensions: nsCertType is a legacy Netscape extension that modern TLS stacks ignore, so basicConstraints, keyUsage and extendedKeyUsage are the fields that actually get checked. During TLS client authentication the client proves possession of the key by signing the handshake, so digitalSignature is the key usage that matters; keyEncipherment is only needed for RSA key transport on a server certificate and can be dropped from a pure client certificate.

Now convert the certificate request into a self-signed certificate, applying the extensions for the client certificate:
openssl x509 -req -days 365 -in client.req -signkey client.key -out client.crt -extfile client.cnf -extensions ssl_client
Verify the certificate:
openssl x509 -text -noout -in client.crt
As you can see, the extensions are now part of the certificate:
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication


Now you can test a TLS connection that presents the client certificate. Because the certificate is self-signed, the server will only accept it if it has been told to trust that exact certificate (for example by adding client.crt to the server's client CA file); otherwise the handshake fails with a certificate verification error such as "unknown ca":
openssl s_client -connect localhost:443 -key client.key -cert client.crt
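The whole procedure above as one script, added here as a worked example rather than code from the original post. It keeps the non-interactive [req] settings and the [ssl_client] extension section in a single config file, generates the key, request and self-signed certificate, checks that the expected extensions are present, and then shows the trust caveat with openssl verify: the certificate validates only when the verifier is explicitly given that same certificate as a trust anchor, which is what a server's client-CA list provides. The file names, the working directory from mktemp and the common name "example-client" are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a self-signed TLS client
# certificate as the post describes, with the extension section stored in the
# same config file that feeds `openssl req`, then check the result.
# File names and the CN "example-client" are assumptions for this demo.
set -eu

# Write a minimal OpenSSL config: a non-interactive [req] section plus the
# [ssl_client] extension section from the post. nsCertType is omitted because
# it is a legacy Netscape extension; keyEncipherment is omitted because TLS
# client authentication only needs the key to sign (digitalSignature).
write_config() {
    cat > "$1/client.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = example-client

[ ssl_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Generate key, CSR and self-signed certificate in directory $1.
make_client_cert() {
    dir=$1
    write_config "$dir"
    # Private key; restrict permissions before anything else can read it.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    chmod 600 "$dir/client.key"
    # Certificate request; the subject comes from the config instead of prompts.
    openssl req -new -key "$dir/client.key" -out "$dir/client.req" \
        -config "$dir/client.cnf"
    # Self-sign the request with its own key, adding the [ssl_client] extensions.
    openssl x509 -req -days 365 -in "$dir/client.req" -signkey "$dir/client.key" \
        -out "$dir/client.crt" -extfile "$dir/client.cnf" -extensions ssl_client \
        2>/dev/null
}

# Return 0 if the decoded certificate text contains string $2.
cert_has_ext() {
    openssl x509 -in "$1/client.crt" -text -noout | grep -q -- "$2"
}

# A self-signed certificate is accepted only when the verifier has been told to
# trust that exact certificate (what a server's client CA file would contain).
verify_with_trust() {
    openssl verify -CAfile "$1/client.crt" "$1/client.crt" >/dev/null 2>&1
}

# Without that trust entry, verification fails (self-signed certificate error).
verify_without_trust() {
    openssl verify "$1/client.crt" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    make_client_cert "$work"
    cert_has_ext "$work" "TLS Web Client Authentication" && echo "EKU clientAuth present"
    cert_has_ext "$work" "CA:FALSE" && echo "basicConstraints CA:FALSE present"
    verify_with_trust "$work" && echo "verify with explicit trust: OK"
    verify_without_trust "$work" || echo "verify without trust: rejected (expected)"
    echo "key, request and certificate written to $work"
}

if [ "${1:-}" = "demo" ]; then main; fi
```

Run it with `sh client-cert.sh demo`. The last two lines of output are the practical point: the same certificate passes verification against a trust store that contains it and fails against one that does not, so a server that should accept this client needs client.crt (not a CA) in its list of trusted client-certificate issuers.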

2 comments:

  1. Thanks for sharing information. I was searching for this. Its really useful and helped me a lot. Its easy to follow. First we have to create the private key: openssl genrsa -out client.key 2048 Now we can create certificate request. Enter all the distinguished name information required to create a certificate request using the following command: openssl req -key client.key -new -out client.req
    digital signature