How to Create a Client Certificate with Configuration using OpenSSL

Mert Ilis
2 min read · Dec 3, 2020

In my previous post (https://mcilis.medium.com/how-to-create-a-server-certificate-with-configuration-using-openssl-ea3d2c4506ac), I talked about creating a root CA certificate and a server certificate with an extensions configuration. Now I'll continue by creating a client certificate that can be used for mutual SSL connections.

In the following commands, I’ll be using the root certificate (root-ca) created in my previous post!

Generate the client key:

Execute:

openssl genrsa -out "client.key" 4096

Generate CSR:

Execute:

openssl req -new -key "client.key" -out "client.csr" -sha256 -subj '/CN=Local Test Client'

Configure the client certificate:

We need to create a file (client.cnf) and add the following content:

[client]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "Local Test Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
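
To see what the [client] section above enforces, here is an added example (not part of the original post) that issues a certificate with those extensions and checks which purposes OpenSSL accepts it for. The throwaway "Demo Root CA", the demo-ca.* and ca.cnf file names, the 2048-bit keys and the `openssl x509 -req` signing call are assumptions made for this demo, not the author's setup.

```shell
# Added example: the CA, file names and key sizes are constructed for this demo.
set -eu

# Create a disposable CA in directory $1 and issue a client cert from the [client] section.
issue_client_cert() {
d=$1
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
cat > "$d/client.cnf" <<'EOF'
[client]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "Local Test Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 1 -sha256 \
    -keyout "$d/demo-ca.key" -out "$d/demo-ca.crt" 2>/dev/null
openssl genrsa -out "$d/client.key" 2048 2>/dev/null  # the article uses 4096
openssl req -new -key "$d/client.key" -out "$d/client.csr" -sha256 \
    -subj '/CN=Local Test Client'
openssl x509 -req -in "$d/client.csr" -CA "$d/demo-ca.crt" -CAkey "$d/demo-ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$d/client.cnf" -extensions client \
    -out "$d/client.crt" 2>/dev/null
}

# True only if the cert in $1 chains to the demo CA and is valid for purpose $2.
cert_allows() {
openssl verify -CAfile "$1/demo-ca.crt" -purpose "$2" "$1/client.crt" >/dev/null 2>&1
}

dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
issue_client_cert "$dir"
for p in sslclient sslserver; do
    cert_allows "$dir" "$p" && echo "$p: accepted" || echo "$p: rejected"
done
```

Because extendedKeyUsage lists clientAuth but not serverAuth, the same certificate cannot be reused as a server certificate.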

Sign the client…
