Client Certificate CA Setup and Signing

2 minute read

Previously, I wrote about the promise of using Client SSL Certificates for authentication. With this post, we start down the road of actually putting this in practice.

The first step is to set up a Certificate Authority (CA). That sounds fancy, but it’s really just a key pair where the private key is used to sign a client’s public key in the form of certificate that’s later used for verification between the browser and the server.

The process of generating a CA is simple:

openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem

Be sure to keep CA.key secure. You will need it on the server if you want to auto create the client certificates, but in effect it’s the root password for you app, so treat it as such!

The CA is used for signing the client’s public key. In simple terms the process is composed of two parts:

A signing algorithm is used to create a signature, really just a blob of data created from the data to be signed (in this case the client’s public key) and the signer’s private key (in this case the CA key).

Given the original data, the signers public key, and the signature a signature verifying algorithm can verify that the signer’s private key created that signature.

The math is complex, but the Wikipedia in-depth write-up on how Digital signatures work.

For the purposes of a web application that generates client certificates, we can stop right here. However, do get a sense of the flow, let’s walk through the rest of the process.

Creating a client certificate is a three step process.

  1. Generate a public key pair for the client.
  2. Generate a Certificate Signing Request (CSR) from the public key.
  3. Sign the CSR with the CA key creating the client certificate.

Later we’ll do this in Ruby, but process using the openssl command line tool looks like this:

Create a key-pair:

openssl genrsa -out alice.key 2028

Use that key to create the CSR:

openssl req -new -key alice.key -out alice.csr

You’ll be prompted for a bunch information, the defaults are fine we’re not going to be using this for anything.

Finally, use the CA to sign the CSR, generating the client certificate:

openssl ca -cert CA.pem -keyfile CA.key -in alice.csr -out alice.crt

However, if you actually run that, it will fail. Before you can use the ca command, you need a bunch of configuration. It needs a database to keep track of issued and revoked certificates, and a handful of other details. That additional configuration and infrastructure that’s beyond the scope of this post and completely unnecessary for how we’re going to use client certificates.

However, for now you can get close to what we’re going to do with:

openssl x509 -sha256 -req -in alice.csr -out alice.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095

Now that we have the CA files, we’ll use them in the next post configure Apache.

  1. Introduction
  2. Ca Setup and Signing (you’re reading it)
  3. Apache Configuration
  4. Client Certificate Generation in Ruby
  5. Best practices

Tags:

Updated:

Comments