5. Connect from Client.
From the client, I'll use IE to connect to both web servers by IP address.

Of course, there will be an error message, because both servers require a client certificate.
Let's make one.
5.1 Make Client Certificate :
Generate the private key for the client.
CAServer# openssl genrsa -out Client.key 1024
Generating RSA private key, 1024 bit long modulus
........................................................................++++++
.++++++
e is 65537 (0x10001)
Generate the certificate request file for the client with the private key just created.
CAServer# openssl req -out Client.req -key Client.key -new -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Client Browser
Organizational Unit Name (eg, section) []:Client Browser
Common Name (eg, your name or your server's hostname) []:Client Browser
Email Address []:
Show the subject of the client request file.
CAServer# openssl req -subject -noout -in Client.req
subject=/C=XX/L=Default City/O=Client Browser/OU=Client Browser/CN=Client Browser
Sign Client.req with the rootCA certificate.
Signature ok
subject=/C=XX/L=Default City/O=Client Browser/OU=Client Browser/CN=Client Browser
Getting CA Private Key
Now we have the file Client.cert.
Let's check it.
CAServer# openssl x509 -subject -issuer -noout -in Client.cert
subject= /C=XX/L=Default City/O=Client Browser/OU=Client Browser/CN=Client Browser
issuer= /C=XX/L=Default City/O=Default Company Ltd/CN=rootCA
You need to convert this pair (Client.cert & Client.key) into .pfx (PKCS#12) format so the browser can import it.
CAServer# openssl pkcs12 -export -inkey Client.key -in Client.cert -out Client.pfx -nodes
Enter Export Password:
Verifying - Enter Export Password:
Enter a password to protect it.
5.2 Import Client.pfx into the browser :
Copy the files Client.pfx and rootCA.cert to the client.
Rename rootCA.cert to rootCA.cer and open it.
Install it into Trusted Root Certification Authorities \ Local Computer.
We're done.
So, how does it work?
- Both web servers and the client trust rootCA (by installing rootCA.cert into Trusted Root Certification Authorities).
- The Apache server uses a certificate signed by rootCA, and it requires a client certificate.
- The IIS server uses a certificate signed by rootCA, and it requires a client certificate.
- When the client presents its certificate (signed by rootCA), the web server accepts it because of the first point above.
6. [Update !!!] Create and Sign a Certificate with X.509 v3 extensions in openssl :
To sign a request and produce a v3 certificate (the extensions come from the v3_req section of openssl.cnf):
CAServer# openssl x509 -in Apache.req -out Apache.cert -days 365 -req -CA rootCA.cert -CAkey rootCA.key -CAcreateserial -extfile /etc/pki/tls/openssl.cnf -extensions v3_req
Verify the certificate after signing:
CAServer# openssl x509 -in Apache.cert -text -noout
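The trust relationship explained in section 5 and the v3 extensions from section 6, as an added Go example that is not part of the original post: it mints a self-signed rootCA, signs client certificates with it, and applies the check a rootCA-trusting web server performs on a presented certificate. It uses Ed25519 keys instead of the post's 1024-bit RSA keys, and the otherCA, serverOnly and rogue certificates are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent; parent == nil yields a self-signed root like rootCA.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // Ed25519 stands in for the post's RSA keys
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), // -days 365
		IsCA: parent == nil, BasicConstraintsValid: true, ExtKeyUsage: eku, // v3 extensions (section 6)
	}
	if parent == nil { // self-signed root: the rootCA case
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// serverAccepts is the check Apache/IIS perform on a presented client certificate: chain to a trusted root, require clientAuth.
func serverAccepts(trustedRoot, client *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	rootCA, rootKey := issue("rootCA", nil, nil, nil)
	otherCA, otherKey := issue("otherCA", nil, nil, nil) // constructed: a CA neither web server trusts
	client, _ := issue("Client Browser", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, rootCA, rootKey)
	serverOnly, _ := issue("Client Browser", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, rootCA, rootKey)
	rogue, _ := issue("Client Browser", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, otherCA, otherKey)
	fmt.Println("rootCA-signed, clientAuth:     ", serverAccepts(rootCA, client))     // <nil>: accepted
	fmt.Println("rootCA-signed, serverAuth only:", serverAccepts(rootCA, serverOnly)) // incompatible key usage
	fmt.Println("signed by another CA:          ", serverAccepts(rootCA, rogue))      // unknown authority
}
```

The second case is why the extensions in section 6 matter: a certificate without the clientAuth purpose is rejected by a verifier that checks extended key usage even though rootCA signed it.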