How to Create a Client Certificate with Configuration using OpenSSL
In my previous post (https://mcilis.medium.com/how-to-create-a-server-certificate-with-configuration-using-openssl-ea3d2c4506ac) I’ve talked about creating a root CA certificate and a server certificate with extensions configuration. Now, I’ll continue with creating a client certificate that can be used for the mutual SSL connections.
In the following commands, I’ll be using the root certificate (root-ca) created in my previous post!
Generate the client key:
openssl genrsa -out "client.key" 4096
openssl req -new -key "client.key" -out "client.csr" -sha256 -subj '/CN=Local Test Client'
Configure the client certificate:
We need to create a file (client.cnf) and add the following content:
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "Local Test Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
Sign the client certificate:
openssl x509 -req -days 750 -in "client.csr" -sha256 -CA "root-ca.crt" -CAkey "r
oot-ca.key" -CAcreateserial -out "client.crt" -extfile "client.cnf" -extensions client
Combine the root certificate, client key and client certificate:
cat client.key client.crt root-ca.crt > client.pem
Create a Pkcs12 file:
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile root-ca.crt
Import client.pfx to Windows Certificate Store:
If you are a Windows user, you should add the client certificate with its key to the personal certificates of the current windows user. Otherwise, during the…