The command below generates a 2048-bit RSA private key and a corresponding CA certificate:
openssl req -new -x509 -nodes -days 365 -subj '/O=MyCorp/CN=MyCorp Internal CA' -keyout clientca.key -out clientca.crt
The command below creates a 2048-bit RSA private key, which will be used to sign the CSRs:
openssl genrsa -out client.key
To create a CSR for your first client certificate, use the following command:
openssl req -new -key client.key -subj '/CN=MyCorp Client 1' -out client1.csr
Issue the client certificate using the CSR, the CA certificate, and the CA's private key:
openssl x509 -req -in client1.csr -CA clientca.crt -CAkey clientca.key -CAcreateserial -days 365 -out client1.crt
If you need additional client certificates, simply repeat steps 1-3 and 1-4. For instance, to issue a certificate for "MyCorp Client 2", execute the following commands:
openssl req -new -key client.key -subj '/CN=MyCorp Client 2' -out client2.csr
openssl x509 -req -in client2.csr -CA clientca.crt -CAkey clientca.key -CAcreateserial -days 365 -out client2.crt
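As an added example that is not part of the original page, the script below runs steps 1-1 through 1-4 for any number of client CNs and then checks each issued certificate against the CA, which is the check worth doing before uploading clientca.crt. It assumes OpenSSL 1.1.1 or later on PATH; the working-directory layout and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: runs steps 1-1 to 1-4 above in a
# working directory and then verifies each issued certificate against the CA.
# Assumes OpenSSL 1.1.1 or later on PATH; directory and function names are ours.
set -eu

# build_mtls_chain <workdir> <client CN>...
# Creates the CA, the shared client key (as on the page) and clientN.csr/.crt
# for each CN given, numbered in order.
build_mtls_chain() {
  dir=$1; shift
  mkdir -p "$dir"
  # Step 1-1: CA private key and self-signed CA certificate
  openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=MyCorp/CN=MyCorp Internal CA' \
    -keyout "$dir/clientca.key" -out "$dir/clientca.crt" 2>/dev/null
  # Step 1-2: private key that all client CSRs are generated from
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  n=1
  for cn in "$@"; do
    # Step 1-3: CSR for this client; Step 1-4: CA-signed certificate
    openssl req -new -key "$dir/client.key" -subj "/CN=$cn" \
      -out "$dir/client$n.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client$n.csr" -CA "$dir/clientca.crt" \
      -CAkey "$dir/clientca.key" -CAcreateserial -days 365 \
      -out "$dir/client$n.crt" 2>/dev/null
    n=$((n + 1))
  done
}

# verify_client_cert <workdir> <cert file> <expected CN>
# Prints "ok" when the certificate chains to clientca.crt AND its subject is
# exactly CN=<expected CN>; prints "fail" otherwise. Worth running before the
# CA certificate is uploaded and mTLS is enforced.
verify_client_cert() {
  dir=$1; crt=$2; expected_cn=$3
  if ! openssl verify -CAfile "$dir/clientca.crt" "$dir/$crt" >/dev/null 2>&1; then
    echo fail; return 0
  fi
  subject=$(openssl x509 -in "$dir/$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  if [ "$subject" = "CN=$expected_cn" ]; then echo ok; else echo fail; fi
}
```

For example, `build_mtls_chain ./out "MyCorp Client 1" "MyCorp Client 2"` followed by `verify_client_cert ./out client2.crt "MyCorp Client 2"` prints ok, while a certificate issued by a different CA or carrying another CN prints fail.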
Upload the clientca.crt created in Step 1-1 and choose the domains where you want to enforce mTLS, following the document.
You can test the configuration using the command below:
curl -svo /dev/null --key ./client.key --cert ./client1.crt https://example.com/
To import the client certificate into macOS Keychain, bundle the certificate and its private key into a PKCS12 file. You will be prompted to set an export password, which Keychain asks for when the file is imported:
openssl pkcs12 -export -in client1.crt -inkey client.key -out client1.p12
Double-click the PKCS12 certificate file. This adds the client certificate to Keychain.
In the Keychain Access app, locate the certificate in the System keychain. Double-click it to open the certificate settings, then expand the Trust settings.
In the "When using this certificate" dropdown, select "Always Trust". Then close the certificate settings window.
You will be prompted to select the client certificate when you access the domain where mTLS is enabled.

