Creating Client Certificates


When using client certificate authorization, the server will verify during the handshake phase that the client presents a valid certificate and that it has been signed by a CA that the server trusts. Although cumbersome to manage and distribute, client certificates are useful for protecting access to company websites or web services. They tend to be more secure than user names and passwords, as they cannot be guessed or intercepted.

If you want to be your own CA, the first step is to create your root CA. You can do so directly using the ca argument to the openssl command-line tool, or using the convenient CA.pl wrapper script bundled with openssl. To create a new certificate authority, issue the following command:

CA.pl -newca


The script will now create a private key, server certificate, and so on, and create a directory structure (demoCA) that contains the generated files.

You can now create a CSR and sign your certificate with

CA.pl -newreq
CA.pl -signreq


The generated CA file will be in PEM format. To convert it to PKCS#12, a format that is more convenient to import into browsers, execute the following command:

CA.pl -pkcs12


The exact method for importing the certificate on the end-user machine varies depending on the browser type. Internet Explorer users can simply click on the certificate file and follow the instructions.
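
The steps above, as an added example that is not from the book: a non-interactive equivalent built from plain openssl subcommands instead of the CA.pl wrapper, ending with the same kind of chain check a server applies to a client certificate. Subject names, file names, the config file and the export password are constructed for the demo, and keys are left unencrypted only to keep it non-interactive.

```shell
#!/bin/sh
# Added example. All names, paths and the password "changeit" are constructed.
write_cnf() {  # $1 = work dir; minimal config so the demo does not depend on the system openssl.cnf
cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Corp
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

new_ca() {  # counterpart of "CA.pl -newca": CA key plus self-signed CA certificate
    write_cnf "$1" &&
    openssl req -x509 -config "$1/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 365 -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

new_client() {  # counterpart of "-newreq" then "-signreq": $1 = work dir, $2 = client CN
    openssl req -new -config "$1/demo.cnf" -subj "/O=Example Corp/CN=$2" \
        -newkey rsa:2048 -nodes -keyout "$1/newkey.pem" -out "$1/newreq.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/newreq.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$1/demo.cnf" -extensions v3_client \
        -out "$1/newcert.pem" 2>/dev/null
}

chains_to_ca() {  # $1 = trusted CA cert, $2 = client cert; exit status 0 only if it verifies
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

export_p12() {  # counterpart of "CA.pl -pkcs12": key + cert + CA cert in one importable file
    openssl pkcs12 -export -in "$1/newcert.pem" -inkey "$1/newkey.pem" \
        -certfile "$1/cacert.pem" -name "$2" -passout pass:changeit -out "$1/newcert.p12"
}

WORK=$(mktemp -d)   # throwaway directory standing in for demoCA
new_ca "$WORK" && new_client "$WORK" alice && export_p12 "$WORK" alice
chains_to_ca "$WORK/cacert.pem" "$WORK/newcert.pem" && echo "client cert chains to demo CA"
```

A certificate issued by any other CA, even one with the same subject name, fails chains_to_ca because the signature does not verify against the trusted CA key.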




Apache(c) Phrase Book(c) Essential Code and Commands
Apache Phrasebook
ISBN: 0672328364
EAN: 2147483647
Year: 2006
Pages: 254
