Monday 31 January 2011

Creating server and user certificates

I went through Hell to find out how to create server and especially proper client certificates that would work correctly with all browsers, svn and https on Apache2. I went through the Apache site, OpenSSL documentation, Google, no where did I found exactly what I was looking for, even the man pages had errors. I hope there's a better way to do that but if not, here you are for all those who are looking to do the same thing:

Create a server certificate
(for use with your HTTPS server, for example):
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl

Just make sure to use a password everywhere it asks for one. This seems to be necessary at least for the client certificate we'll create below if you use it in OS X.

Create the server key:
sudo openssl genrsa -out server.key 2048

Create the server's certificate request. You would send this to an official Certificate Authority (CA) if you wanted to have an official certificate instead of the self-signed certificate that we will generate here.
sudo openssl req -new -key server.key -out server.csr

Create the server certificate itself. You can use this one for your HTTPS site.
sudo openssl x509 -req -days 3652 -in server.csr -signkey server.key -out server.crt

Create a 'CA' certificate. We'll need this one to create a properly signed client certificate.
sudo openssl x509 -req -in server.csr -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey server.key -out CAserver.crt

Create a client certificate
Create the client key:
sudo openssl genrsa -out user.key 2048

Create the server's certificate request.
sudo openssl req -new -key user.key -out user.csr

Create the client certificate signed with the 'CA' certificate we created above.
sudo openssl x509 -req -days 3652 -in user.csr -extfile /etc/ssl/openssl.cnf -extensions usr_cert -CA CAserver.crt -CAkey server.key -CAcreateserial -out user.crt

Create a PKCS#12 version of the certificate for use on the user system.
sudo openssl pkcs12 -export -in user.crt -inkey user.key -out user.p12

Just import this p12 file in your certificate manager (Key Chain in OS X).

No comments:

Post a Comment