@addomafi
Last active June 27, 2018 14:55

How To: Two Way SSL

This guide explains how to create all the certificates required to enable SSL client authentication (two-way SSL, also called mutual TLS) and how to revoke client certificates afterwards.

Attention: this guide assumes you already know how to generate a self-signed Root CA certificate; the commands below expect its key and certificate as rootCA.key and rootCA.pem, the names used in ca.conf.

First you need to create a few config files. The following three are required:

ca.conf - config for the CA itself; the database, serial and crlnumber files are what enable the certificate revocation flow
[ ca ]
default_ca = root_ca

[ root_ca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootCA.pem
database = $dir/certindex
private_key = $dir/rootCA.key
serial = $dir/certserial
default_days = 730
# sha1 signatures are rejected by current browsers and TLS stacks; sign with sha256
default_md = sha256
policy = certificate_policy
# extensions applied to issued certificates when openssl ca is run without -extfile
x509_extensions = certificate_ext
crlnumber = $dir/crlnumber
# lifetime of each CRL (its nextUpdate); relying parties may cache a CRL until then,
# so regenerate it well before this period elapses
default_crl_days = 730

[ certificate_policy ]
# "supplied" fields must be present in every CSR, otherwise openssl ca rejects it
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ certificate_ext ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://ca.example.com.br/revoked.crl
req-server.conf - config that adds SAN names (subjectAltName) to the server certificate; clients validate the hostname against the SAN, not the CN
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=BR
ST=Sao Paulo
L=Sao Paulo
O=Example S.A.
OU=IT Department
emailAddress=admin@example.com.br
CN = www.example.com.br

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.com.br
req-client.conf - config that marks a certificate for client authentication
[client_server_ssl]
extendedKeyUsage = clientAuth

Generate server certificate

First of all you need to generate the key and the CSR. The CSR is built from req-server.conf, so the subject and the subjectAltName come from that file instead of interactive prompts:

openssl genrsa -out www.example.com.br.key 2048
openssl req -new -sha256 -key www.example.com.br.key -out www.example.com.br.csr -reqexts req_ext -config req-server.conf

After that you should create some required files to the next step

touch certindex
echo 01 > certserial
echo 01 > crlnumber

Now you can generate the server certificate:

openssl ca -batch -config ca.conf -notext -in www.example.com.br.csr -out www.example.com.br.pem -extensions req_ext -extfile req-server.conf

Attention: when -extfile is given, openssl ca reads the extensions for the new certificate only from that file and ignores the x509_extensions (certificate_ext) section of ca.conf. The certificate above therefore carries the subjectAltName from req_ext but none of basicConstraints, keyUsage, extendedKeyUsage or crlDistributionPoints. If you want those on the server certificate too, either add the keyUsage, extendedKeyUsage and crlDistributionPoints lines to req_ext (the key identifier entries cannot go into a CSR), or define a server section in ca.conf that contains certificate_ext's entries plus the subjectAltName and select it with -extensions instead of using -extfile.

Generate client certificate

First of all you need to generate the key and the CSR. This req call uses no config file, so it prompts for the subject; fill in at least Common Name, State or Province Name and Organization Name, because certificate_policy in ca.conf marks them as supplied and openssl ca rejects a CSR without them:

openssl genrsa -out app-ios.key 2048
openssl req -new -key app-ios.key -out app-ios.csr

Now you can generate the client certificate (the extension file is the req-client.conf created above):

openssl ca -batch -config ca.conf -notext -in app-ios.csr -out app-ios.pem -extensions client_server_ssl -extfile req-client.conf

The same -extfile rule applies here: the client certificate receives only extendedKeyUsage = clientAuth from req-client.conf. Add keyUsage = digitalSignature and the crlDistributionPoints line to client_server_ssl if you want them on client certificates as well.

To revoke certificates

First mark the certificate as revoked in the CA database (certindex); the root certificate itself is not modified:

openssl ca -config ca.conf -revoke app-ios.pem -keyfile rootCA.key -cert rootCA.pem

ca.conf already points at rootCA.key and rootCA.pem, so -keyfile and -cert are only needed if you keep the CA material somewhere else.

Now generate an updated CRL that lists every revoked certificate:

openssl ca -config ca.conf -gencrl -keyfile rootCA.key -cert rootCA.pem -out revoked.crl

Attention: the server uses this file to check whether a client certificate has been revoked (for example via SSLCARevocationFile in Apache httpd or ssl_crl in nginx), and relying parties can fetch it from the URI given in crlDistributionPoints. Regenerate and redistribute it after every revocation and before its nextUpdate (default_crl_days) passes, because until then the old CRL is still accepted.
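As an added, end-to-end example that is not part of the original gist, the following POSIX shell script runs the whole procedure above in a scratch directory: it also creates the self-signed root CA the guide assumes you already have, issues the server and client certificates, revokes the client one, generates the CRL, and proves with openssl verify that the revoked certificate is rejected while the server certificate still validates. It differs from the gist in one deliberate way: all extension sections live in a single config file and are selected with -extensions, so every issued certificate gets keyUsage, extendedKeyUsage and the CRL distribution point without -extfile. It requires OpenSSL 1.1.1 or newer on PATH; Example S.A., www.example.com.br, app-ios and the CRL URL are constructed placeholders.

```shell
# Added example, not from the gist: the whole two-way SSL flow end to end,
# from root CA to revocation check. Assumes openssl 1.1.1 or newer on PATH;
# every name below (Example S.A., www.example.com.br, app-ios, the CRL URL)
# is a constructed placeholder.

mtls_pki_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    work=$(mktemp -d) || return 2
    rc=0
    (
    # run: execute one step silently and abort the subshell if it fails.
    run() { "$@" >/dev/null 2>&1 || { echo "failed: $*" >&2; exit 1; }; }
    run cd "$work"
    # One config with every section. Extensions for issued certificates live in
    # the CA config and are picked with -extensions, so key usage and the CRL
    # distribution point reach every certificate (an -extfile would replace them).
    cat > pki.conf <<'EOF'
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootCA.pem
private_key = $dir/rootCA.key
database = $dir/certindex
serial = $dir/certserial
crlnumber = $dir/crlnumber
default_days = 730
default_crl_days = 30
default_md = sha256
policy = certificate_policy
[ certificate_policy ]
commonName = supplied
stateOrProvinceName = supplied
organizationName = supplied
countryName = optional
[ server_ext ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com.br
crlDistributionPoints = URI:http://ca.example.com.br/revoked.crl
[ client_ext ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://ca.example.com.br/revoked.crl
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder-overridden-by-subj
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    base="/C=BR/ST=Sao Paulo/O=Example S.A."
    # Self-signed root CA (the gist assumes you already have one).
    run openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config pki.conf -extensions v3_ca -subj "$base/CN=Example Root CA" \
        -keyout rootCA.key -out rootCA.pem
    touch certindex; echo 01 > certserial; echo 01 > crlnumber
    # Server: CSR, then CA signature with the serverAuth extension set.
    run openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.conf \
        -subj "$base/CN=www.example.com.br" \
        -keyout www.example.com.br.key -out www.example.com.br.csr
    run openssl ca -batch -config pki.conf -notext -extensions server_ext \
        -in www.example.com.br.csr -out www.example.com.br.pem
    # Client: same flow with the clientAuth extension set.
    run openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.conf \
        -subj "$base/CN=app-ios" -keyout app-ios.key -out app-ios.csr
    run openssl ca -batch -config pki.conf -notext -extensions client_ext \
        -in app-ios.csr -out app-ios.pem
    # Both must chain to the CA and carry the EKU matching their role.
    run openssl verify -CAfile rootCA.pem -purpose sslserver www.example.com.br.pem
    run openssl verify -CAfile rootCA.pem -purpose sslclient app-ios.pem
    # Revoke the client certificate and publish a fresh CRL.
    run openssl ca -config pki.conf -revoke app-ios.pem
    run openssl ca -config pki.conf -gencrl -out revoked.crl
    # A CRL-aware check must now reject the client certificate ...
    if openssl verify -CAfile rootCA.pem -CRLfile revoked.crl -crl_check \
            app-ios.pem >/dev/null 2>&1; then
        echo "revoked certificate still verifies" >&2; exit 1
    fi
    # ... and still accept the untouched server certificate.
    run openssl verify -CAfile rootCA.pem -CRLfile revoked.crl -crl_check \
        www.example.com.br.pem
    ) || rc=$?
    rm -rf "$work"
    return "$rc"
}

mtls_pki_demo && echo "two-way SSL demo: all checks passed"
```

The function returns 0 only when every step and both verification outcomes are as expected; the scratch directory is removed afterwards. To look at what the CA actually attached, drop the rm line and run openssl x509 -in app-ios.pem -noout -text for the extensions and openssl crl -in revoked.crl -noout -text for the revoked serial number.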

If you need details on how to export these certificates to a Java Keystore, see my other gist, Create self signed certificates.
