wiki:creating_ca_and_signing_server_and_client_certs_with_openssl
Differences
This shows you the differences between two versions of the page.
wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2022/10/25 13:51] – Add more info and openssl commands and configs antisa | wiki:creating_ca_and_signing_server_and_client_certs_with_openssl [2024/04/02 13:34] – [Create a SSL Client certificate] update nginx example conf antisa | ||
---|---|---|---|
Line 100: | Line 100: | ||
</ | </ | ||
===== Create a SSL Client certificate ===== | ===== Create a SSL Client certificate ===== | ||
+ | |||
+ | <WRAP center round tip 60%> | ||
+ | To use the client certificate in Firefox you need to export it to the correct format like so | ||
+ | |||
+ | openssl pkcs12 -export -in certs/ | ||
+ | |||
+ | Then you can import it via Settings > Security > View certificates > Import. | ||
+ | Also the server config needs to be added, e.g. for nginx | ||
+ | server { | ||
+ | ... | ||
+ | ssl_verify_client on; | ||
+ | ssl_client_certificate / | ||
+ | ... | ||
+ | </ | ||
==== Create private key for the client without passphrase ==== | ==== Create private key for the client without passphrase ==== | ||
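Review bot: in the nginx example inside the new tip, the `server {` block is never closed before the WRAP ends, and nothing says which file `ssl_client_certificate` should name. nginx expects the CA certificate(s) used to verify client certificates there, not the client's own certificate, so a closing `}` and a one-line comment to that effect would prevent a common misconfiguration. The tip also sits above "Create private key for the client without passphrase", so the `openssl pkcs12 -export` step refers to files the reader has not created yet; consider moving it to the end of the section and noting that a PKCS#12 file meant for browser import carries the client's private key and should be given an export password.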
Line 173: | Line 187: | ||
</ | </ | ||
+ | Above configuration will prompt you for commonName, organizationName etc. If you want to avoid prompting use below configuration: | ||
+ | |||
+ | < | ||
+ | [ req ] | ||
+ | default_bits | ||
+ | default_keyfile | ||
+ | distinguished_name | ||
+ | attributes | ||
+ | prompt | ||
+ | output_password | ||
+ | |||
+ | [ req_distinguished_name ] | ||
+ | C = GB | ||
+ | ST = Test State or Province | ||
+ | L = Test Locality | ||
+ | O = Organization Name | ||
+ | OU = Organizational Unit Name | ||
+ | CN = Common Name | ||
+ | emailAddress | ||
+ | |||
+ | [ req_attributes ] | ||
+ | |||
+ | </ | ||
+ | Note that the **prompt=no**, | ||
+ | <WRAP center round info 60%> | ||
+ | You cannot define *_min, *_max and *_default when prompt is set to no. | ||
+ | </ | ||
+ | |||
+ | <WRAP center round info 60%> | ||
+ | Defining Organization Name, Locality etc. will not work with Letsencrypt. O and OU are only used for organization validation certificates. Let’s Encrypt only offers domain validation and can’t make any assertion as to the person or company that owns/ | ||
+ | </ | ||
+ | |||
Then after generating the key | Then after generating the key | ||
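Review bot: `output_password` in the new `[ req ]` section puts the private key passphrase into the config file in clear text, and the surrounding text does not mention that. Suggest either dropping the line and supplying the passphrase with `-passout` at run time, or adding a sentence that the config file must be readable only by its owner. With `prompt` set to no, the `[ req_distinguished_name ]` values go into the request verbatim, so the text should also say that placeholders such as `CN = Common Name` have to be replaced before use.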
Line 186: | Line 232: | ||
====== References ====== | ====== References ====== | ||
* http:// | * http:// | ||
+ | * [[https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
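Review bot: the first added reference uses `[[https://` link markup while the next three and the existing entry are bare URLs; pick one form for the whole list. A short title on each new link would also let readers tell which one backs the Let's Encrypt statement added in the previous hunk.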
wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.txt · Last modified: 2024/04/09 14:08 by antisa