The command below generates a 2048-bit RSA private key and a corresponding CA certificate:
openssl req -new -x509 -nodes -days 365 -subj '/O=MyCorp/CN=MyCorp Internal CA' -keyout clientca.key -out clientca.crt
The command below creates a 2048-bit RSA private key for the client certificates; it is used to sign the CSRs that follow:
openssl genrsa -out client.key
To create a CSR for your first client certificate, use the following command:
openssl req -new -key client.key -subj '/CN=MyCorp Client 1' -out client1.csr
Issue the client certificate using the CSR, the CA certificate, and the CA's private key with the command below:
openssl x509 -req -in client1.csr -CA clientca.crt -CAkey clientca.key -CAcreateserial -days 365 -out client1.crt
If you need additional client certificates, simply repeat steps 1-3 and 1-4. For instance, to issue a certificate for "MyCorp Client 2", execute the following commands:
openssl req -new -key client.key -subj '/CN=MyCorp Client 2' -out client2.csr
openssl x509 -req -in client2.csr -CA clientca.crt -CAkey clientca.key -CAcreateserial -days 365 -out client2.crt
Upload the clientca.crt created in Step 1-1 and choose the domains where you want to enforce mTLS, following the document.
You can test the configuration using the command below:
curl -svo /dev/null --key ./client.key --cert ./client1.crt https://example.com/
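Before testing against the edge, it is worth confirming locally that the issued certificates actually chain to clientca.crt and belong to client.key, and that a certificate which merely carries the same CN is rejected. The script below is an added example, not part of the original page: it rebuilds the steps above in a scratch directory with the same openssl flags and then runs those checks.

```shell
#!/bin/sh
# Added example (not from the original page): rebuild the page's CA and client
# certificates in a scratch directory, then check them the way the mTLS edge
# will before accepting a client. Subject names are the page's constructed ones.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1-1: CA key and self-signed CA certificate (same flags as the page).
make_ca() {
  openssl req -new -x509 -nodes -days 365 -subj '/O=MyCorp/CN=MyCorp Internal CA' \
    -keyout "$WORK/clientca.key" -out "$WORK/clientca.crt" 2>/dev/null
}

# Steps 1-2 to 1-4: shared client key (created once), CSR, CA-signed certificate.
issue_client() {  # $1 = common name, $2 = output basename
  [ -f "$WORK/client.key" ] || openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/client.key" -subj "/CN=$1" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/clientca.crt" -CAkey "$WORK/clientca.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 only if the certificate chains to clientca.crt: this is the check the
# edge applies against the uploaded CA; anything else fails the TLS handshake.
verify_client() {  # $1 = certificate file
  openssl verify -CAfile "$WORK/clientca.crt" "$1" >/dev/null 2>&1
}

# Exit 0 if the certificate's public key matches client.key; the --key/--cert
# pair handed to curl must belong together or the handshake fails early.
key_matches_cert() {  # $1 = certificate file
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$WORK/client.key" -pubout)" ]
}

# Negative control: a self-signed certificate with the same CN does not chain
# to the CA, so the CN alone grants no access.
make_selfsigned() {
  openssl req -new -x509 -nodes -days 365 -subj '/CN=MyCorp Client 1' \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

make_ca
issue_client 'MyCorp Client 1' client1
issue_client 'MyCorp Client 2' client2
make_selfsigned
for c in client1 client2 selfsigned; do
  if verify_client "$WORK/$c.crt"; then echo "$c.crt: chains to clientca.crt"; else echo "$c.crt: rejected"; fi
done
key_matches_cert "$WORK/client1.crt" && echo "client1.crt matches client.key"
```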
To install the client certificate on macOS, bundle the certificate and its private key into a PKCS12 file:
openssl pkcs12 -export -in client1.crt -inkey client.key -out client1.p12
Double click the PKCS12 certificate file. This will add the client certificate file to Keychain.
In the Keychain Access app, locate the certificate in the System keychain. Double click it to open the certificate settings, then expand the Trust settings.
In the When using this certificate dropdown, select Always Trust. Then close the certificate settings window.
You will be prompted to select the client certificate when you access the domain where mTLS is enabled.