How to create client certificates with CFSSL.
This article carries on from the CA setup article, so the setup from that is assumed to be in place.
We'll refer to the base directory as $BASE
everywhere, just to make it clear where each step is looking.
It is possible to just let the openssl req
prompt for these details, but I like to pre-configure them for easy re-use. It also allows you to define the Subject Alternative Names, which is now pretty much mandatory.
Create $BASE/certificate-configs/www.cylindric.net.cnf
:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Surrey
localityName = Camberley
organizationName = CylCorp
commonName = www.cylindric.net
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.cylindric.net
IP.1 = 104.28.15.24
cd $BASE
openssl genrsa \
-out certs/www.cylindric.net.key.pem 2048
chmod 400 certs/www.cylindric.net.key.pem
cd $BASE
openssl req \
-new \
-sha256 \
-config certificate-configs/www.cylindric.net.cnf \
-key certs/www.cylindric.net.key.pem \
-out intermediate-ca/csr/www.cylindric.net.csr.pem
cd $BASE/intermediate-ca
openssl ca \
-batch \
-config openssl.cnf \
-notext \
-in csr/www.cylindric.net.csr.pem \
-passin pass:intermediatepass \
-out ../certs/www.cylindric.net.crt.pem
rm -f csr/www.cylindric.net.csr.pem
cd $BASE/intermediate-ca
openssl ca \
-config openssl.cnf \
-gencrl \
-keyfile private/intermediate.key.pem \
-passin pass:intermediatepass \
-cert certs/intermediate.cert.pem \
-out crl/intermediate.crl.pem
openssl crl \
-inform PEM \
-in crl/intermediate.crl.pem \
-outform DER \
-out crl/intermediate.crl
Check the certificate was created correctly:
openssl verify -CAfile certs/ca-chain.cert.pem certs/www.cylindric.net.crt.pem
Verify with the CRL too:
openssl verify \
-crl_check \
-CAfile intermediate-ca/crl/intermediate.crl.pem \
certs/www.cylindric.net.crt.pem
Certificates should be combined in this order: