creating client certificates
I've got an SSL certificate from the 3rd party certificate authority. It's a .cer
file. The certificate is installed and working properly in IIS7.
The certificate displays its Intended Purposes as Server Authentication, Client Authentication.
The site requires authentication via client certificates. We're not using client certificate mapping, but simply using client certificates as a measure of authentication -- if you have one, you're authenticated.
- How can I create a client certificate?
- Does the CA have to do this, involving another CSR?
- Is this something I can do myself with another tool? (OpenSSL or other)
- What format is required for client certificates?
Solution 1:
Client certificate authentication in IIS (or most HTTPDs) is somewhat complicated. You have to map the users to the certificate. The certificates themselves can be issued by any CA that the server trusts; you can set up an AD CS instance to issue the certs, or even use a local copy of OpenSSL to create the certs if you wanted.
There's an article on IIS.net describing Client Certificate Mapping; with information about enabling it and programmatically associating certificates with users.
Edit:
The ultra-short version of issuing client certs with OpenSSL.
1. openssl genrsa -des3 -out my_ca.key 4096
2. openssl req -new -key my_ca.key -out my_ca.csr
3. openssl x509 -req -days 365 -in my_ca.csr -signkey my_ca.key -out my_ca.crt
   You now have a CA certificate and key.
4. For each of the client certificates you'll generate you need a Cert Signing Request. You can use the same cert for every user if you want; it's not a particularly good idea, though, and you should definitely require some other form of authentication as well (like a password). Either the clients can generate the CSRs themselves, or you can with openssl again (note that each CSR needs a private key first):
   openssl genrsa -des3 -out client1.key 1024
   openssl req -new -key client1.key -out client1.csr
5. Edit your openssl.cnf file and fill in the relevant CA parts. They are:
   [ ca ]
   default_ca = CA_default          # The default ca section
   [ CA_default ]
   dir = ./                         # top dir
   database = $dir/my_ca.index      # index file (must exist before the first run; may be empty)
   new_certs_dir = $dir/newcerts    # new certs dir (must exist)
   certificate = $dir/my_ca.crt     # The CA cert
   serial = $dir/my_ca.srl          # serial no file (must exist, e.g. containing 01)
   private_key = $dir/my_ca.key     # CA private key
   RANDFILE = $dir/rand             # random number file
   default_days = 365               # how long to certify for
   default_crl_days = 30            # how long before next CRL
   default_md = md5                 # md to use (md5 is obsolete; sha256 is the current default)
   policy = policy_any              # default policy
   email_in_dn = no                 # Don't add the email into cert DN
   name_opt = ca_default            # Subject name display option
   cert_opt = ca_default            # Certificate display option
   copy_extensions = none           # Don't copy extensions from request
   [ policy_any ]
   countryName = supplied
   stateOrProvinceName = optional
   organizationName = optional
   organizationalUnitName = optional
   commonName = supplied
   emailAddress = optional
6. Sign the key using the CA cert:
   openssl ca -in client1.csr -out client1.crt
7. If you created the key and CSR for the client you'll need to export them. Export the certificate pair to a PKCS12 file so the client can import it.
   openssl pkcs12 -export -in client1.crt -inkey client1.key -out client1.p12
8. If you completed #7, send the client the PKCS12 file you created; otherwise send them the Certificate from #6.
Note that this is a poor way to issue signed certificates because it simply grants whatever type of certificate the CSR specified. Be sure to pay attention to what you're doing. If you're going to issue a lot of certificates you'll need to invest some time in a more secure setup.
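Steps 1 through 7 of the answer run end to end, as an added example that is not part of the answer above: it uses keys without a passphrase so it runs unattended, SHA-256 instead of MD5, and an extension section so that the CA rather than the CSR fixes the issued certificate to client authentication, which is the closing note's concern. The working directory, the "Example Client CA" name and the PKCS12 password are assumptions of this script.

```shell
#!/bin/sh
# Added example, not the answer's script: steps 1-7 end to end, with the CA
# config (not the CSR) deciding what the issued certificate may be used for.
set -e
# usage: issue_client_cert WORKDIR USERNAME
issue_client_cert() (
  work="$1"; user="$2"; mkdir -p "$work/newcerts"; cd "$work"
  # openssl ca refuses to run until its database and serial file exist
  : > my_ca.index; echo 01 > my_ca.srl
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
database = $dir/my_ca.index
new_certs_dir = $dir/newcerts
certificate = $dir/my_ca.crt
serial = $dir/my_ca.srl
private_key = $dir/my_ca.key
default_days = 365
default_md = sha256
policy = policy_any
copy_extensions = none            # ignore whatever extensions the CSR asked for
x509_extensions = client_ext      # ...and issue exactly these instead
[ policy_any ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ req ]
distinguished_name = dn
[ dn ]
EOF
  # steps 1-3 in one command: CA key + self-signed CA cert (-nodes = no passphrase)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout my_ca.key -out my_ca.crt \
    -days 365 -subj "/CN=Example Client CA" -config ca.cnf -extensions ca_ext
  # steps 4-5: the client's key and CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$user.key" -out "$user.csr" \
    -subj "/CN=$user" -config ca.cnf
  # step 6: sign with the CA (-batch skips the interactive confirmation)
  openssl ca -batch -config ca.cnf -in "$user.csr" -out "$user.crt"
  # step 7: bundle cert and key for the client ("changeit" is a placeholder)
  openssl pkcs12 -export -in "$user.crt" -inkey "$user.key" -out "$user.p12" \
    -passout pass:changeit
  # confirm it chains to the CA and is actually usable for client authentication
  openssl verify -purpose sslclient -CAfile my_ca.crt "$user.crt"
)
```

Run it as `issue_client_cert /tmp/clientca client1`; the last line prints `client1.crt: OK` only if the certificate both chains to the CA and carries the clientAuth purpose.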