## Full example with *lighttpd v1.4.45* and *Firefox v65.0*
### step 1
Create one private root and two leaf certificates with the following profiles:
| Property | CA cert | Server cert | Client cert |
|---|---|---|---|
| type | CA | Leaf | Leaf |
| CN (common name) | Root1 | Server1 | Client1 |
| subjectAltName | N/A | DNS:pihole.home.lan, DNS:pihole,IP:192.168.1.20 |
N/A |
| Key filename | Root1.key | Server1.key | Client1.key |
| Cert filname | Root1.crt | Server1.crt | Client1.crt |
| Key+Cert filename | N/A | Server1.key-crt.pem | Client1.p12 |
Note: The field DNS:pihole.home.lan,DNS:pihole,IP:192.168.1.20 is a single string with no spaces. It was broken into two lines only to fit in the table.
There are a number of programs capable for creating such files, but for convenience and brevity a humble minimalist batch file calling making openssl calls is provided with this document. It is described in the section privca Cert Creation Tool.
### Pause for Bird's Eye View
We pause for a birds eye view of what files go where, and what role they play in the web of Authentication.
The key+cert files are composed as follows:
| Key Part source file | Cert Part source file | Combined File | |
|---|---|---|---|
| Server | Server1.key | Server1.crt | Server1.key-crt.pem |
| Client | Client1.key | Client1.crt | Client1.p12 |
The next table shows to where the files will eventually be exported and the role they will play:
| Authenticator | Authenticatee | Server side file | Client side file |
|---|---|---|---|
| Client | Server | Server1.key-crt.pem | Root1.crt |
| Server | Client | Root1.crt | Client1.p12 |
### step 6
From Firefox -Click through
Preferences | Privacy & Security | View Certificates | Authorities | Import
to upload
./export/ca/public/HomeLan.crt
Then click through
Preferences | Privacy & Security | View Certificates | Your Certificates | Import
to upload
./export/private/Client1--HomeLan.p12
When uploading, Firefox will ask you for the password you set when creating it, if any.