Basic Client Cert

How to create client certificates with CFSSL.

This article carries on from the CA setup article, so the setup from that is assumed to be in place.

We'll refer to the base directory as $BASE everywhere, just to make it clear where each step is looking.

Client Certificates

Create a Config

It is possible to just let openssl req prompt you for these details, but I like to pre-configure them for easy re-use. It also lets you define the Subject Alternative Names, which are now pretty much mandatory.

Create $BASE/certificate-configs/

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName         = GB
stateOrProvinceName = Surrey
localityName        = Camberley
organizationName    = CylCorp
commonName          =

# Goes into the CSR; the signing CA only copies it into the issued
# certificate if its own config sets copy_extensions = copy.
[ req_ext ]
subjectAltName = @alt_names

# Section referenced by @alt_names above.
[ alt_names ]
DNS.1 =
IP.1  =

Create a Key

cd $BASE

openssl genrsa \
        -out certs/ 2048

chmod 400 certs/

Create a signing-request

cd $BASE

openssl req \
        -new \
        -sha256 \
        -config certificate-configs/ \
        -key certs/ \
        -out intermediate-ca/csr/

Sign the certificate

cd $BASE/intermediate-ca

openssl ca \
        -batch \
        -config openssl.cnf \
        -notext \
        -in csr/ \
        -passin pass:intermediatepass \
        -out ../certs/

rm -f csr/

Update the CRL

cd $BASE/intermediate-ca
openssl ca \
        -config openssl.cnf \
        -gencrl \
        -keyfile private/intermediate.key.pem \
        -passin pass:intermediatepass \
        -cert certs/intermediate.cert.pem \
        -out crl/intermediate.crl.pem

openssl crl \
        -inform PEM \
        -in crl/intermediate.crl.pem \
        -outform DER \
        -out crl/intermediate.crl


Check the certificate was created correctly (run from $BASE, since the previous step left you in $BASE/intermediate-ca):

cd $BASE

openssl verify -CAfile certs/ca-chain.cert.pem certs/

Verify with the CRL too. The CRL is passed with -CRLfile; -CAfile still has to carry the CA chain, otherwise there is nothing to build the chain against:

openssl verify \
    -crl_check \
    -CAfile certs/ca-chain.cert.pem \
    -CRLfile intermediate-ca/crl/intermediate.crl.pem \
    certs/

Certificate including CA chain

Certificates should be combined in this order:

  1. Primary certificate
  2. Intermediate certificate
  3. Root certificate
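The whole procedure above run end to end, as an added example that is not part of the original article or its CA setup: it builds a throwaway root CA and intermediate CA in a temp directory, issues two client certificates with the same genrsa, req, ca and gencrl steps, revokes one, then runs the plain verify, the -crl_check verify, and the chain-ordering check. It assumes only a local openssl binary (1.1.1 or later). Every directory, subject, client name and the 192.0.2.10 address are constructed placeholders, and one design choice differs from the article: the client extensions live in the CA config and are applied with -extensions v3_client, because openssl ca ignores the CSR's req_ext section unless copy_extensions = copy is set.

```shell
# Added example, not code from the original article: throwaway root + intermediate
# CA, two client certs issued the article's way, one revoked, then the verify steps.
set -eu
BASE=$(mktemp -d)
mkdir -p "$BASE/root" "$BASE/int/csr" "$BASE/int/crl" "$BASE/certs"
# One config per CA (directory $1), used by both 'openssl req' and 'openssl ca';
# subjects come from -subj, so [dn] is a stub. Client extensions are applied at
# signing time (-extensions v3_client): 'openssl ca' drops CSR extensions unless
# copy_extensions = copy is set. Every name and address here is a placeholder.
write_ca() {
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
private_key      = \$dir/ca.key.pem
certificate      = \$dir/ca.cert.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
organizationName = optional
commonName       = supplied
[ v3_root ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
[ v3_int ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:false
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName   = DNS:client.demo.example, IP:192.0.2.10
EOF
}
write_ca "$BASE/root"; write_ca "$BASE/int"
ROOT_CNF=$BASE/root/openssl.cnf; INT_CNF=$BASE/int/openssl.cnf
# Root CA (self-signed), the intermediate signed by it, and the chain file.
openssl genrsa -out "$BASE/root/ca.key.pem" 2048 2>/dev/null
openssl req -new -x509 -sha256 -days 3650 -config "$ROOT_CNF" -extensions v3_root \
    -key "$BASE/root/ca.key.pem" -subj "/O=CylCorp/CN=Demo Root CA" -out "$BASE/root/ca.cert.pem"
openssl genrsa -out "$BASE/int/ca.key.pem" 2048 2>/dev/null
openssl req -new -sha256 -config "$INT_CNF" -key "$BASE/int/ca.key.pem" \
    -subj "/O=CylCorp/CN=Demo Intermediate CA" -out "$BASE/root/int.csr.pem"
openssl ca -batch -notext -config "$ROOT_CNF" -extensions v3_int \
    -in "$BASE/root/int.csr.pem" -out "$BASE/int/ca.cert.pem" >/dev/null 2>&1
cat "$BASE/int/ca.cert.pem" "$BASE/root/ca.cert.pem" > "$BASE/certs/ca-chain.cert.pem"
# "Update the CRL" (PEM form; the DER conversion is a pure format change).
regen_crl() {
    openssl ca -config "$INT_CNF" -gencrl -out "$BASE/int/crl/intermediate.crl.pem" 2>/dev/null
}
# Per-client steps from the article: key, CSR, sign with the intermediate, refresh CRL.
issue_client() {
    openssl genrsa -out "$BASE/certs/$1.key.pem" 2048 2>/dev/null
    chmod 400 "$BASE/certs/$1.key.pem"
    openssl req -new -sha256 -config "$INT_CNF" -key "$BASE/certs/$1.key.pem" \
        -subj "/O=CylCorp/CN=$1" -out "$BASE/int/csr/$1.csr.pem"
    openssl ca -batch -notext -config "$INT_CNF" -extensions v3_client \
        -in "$BASE/int/csr/$1.csr.pem" -out "$BASE/certs/$1.cert.pem" >/dev/null 2>&1
    rm -f "$BASE/int/csr/$1.csr.pem"; regen_crl
}
revoke_client() {
    openssl ca -config "$INT_CNF" -revoke "$BASE/certs/$1.cert.pem" >/dev/null 2>&1; regen_crl
}
# Chain-only check (the article's first verify); the exit status is the verdict.
verify_chain() {
    openssl verify -CAfile "$BASE/certs/ca-chain.cert.pem" "$BASE/certs/$1.cert.pem" >/dev/null 2>&1
}
# Same check plus the issuer's CRL: the CRL goes in via -CRLfile, the chain stays in -CAfile.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$BASE/certs/ca-chain.cert.pem" \
        -CRLfile "$BASE/int/crl/intermediate.crl.pem" "$BASE/certs/$1.cert.pem" >/dev/null 2>&1
}
# Bundle in the article's order (primary, intermediate, root), then print one
# 'subject=' line per certificate in bundle order so the order can be checked.
bundle_subjects() {
    cat "$BASE/certs/$1.cert.pem" "$BASE/int/ca.cert.pem" "$BASE/root/ca.cert.pem" \
        > "$BASE/certs/$1.fullchain.pem"
    openssl crl2pkcs7 -nocrl -certfile "$BASE/certs/$1.fullchain.pem" \
        | openssl pkcs7 -print_certs -noout | grep '^subject='
}
issue_client alice; issue_client bob; revoke_client bob
for who in alice bob; do
    verify_chain "$who" && c=OK || c=FAIL
    verify_with_crl "$who" && r=OK || r=FAIL
    echo "$who: chain $c, chain+CRL $r"
done
```

The point the two verify functions make is the one the article's CRL step depends on: a revoked certificate still passes the plain chain check, and only the -crl_check run with a freshly regenerated CRL rejects it, so the CRL has to be regenerated after every revocation and actually handed to whatever does the verifying.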