How to create client certificates with CFSSL.
This article carries on from the CA setup article, so the setup from that is assumed to be in place.
We'll refer to the base directory as
$BASE everywhere, just to make it clear where each step is looking.
It is possible to just let the
openssl req prompt for these details, but I like to pre-configure them for easy re-use. It also allows you to define the Subject Alternative Names, which is now pretty much mandatory.
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext prompt = no [ req_distinguished_name ] countryName = GB stateOrProvinceName = Surrey localityName = Camberley organizationName = CylCorp commonName = www.cylindric.net [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = www.cylindric.net IP.1 = 188.8.131.52
cd $BASE openssl genrsa \ -out certs/www.cylindric.net.key.pem 2048 chmod 400 certs/www.cylindric.net.key.pem
cd $BASE openssl req \ -new \ -sha256 \ -config certificate-configs/www.cylindric.net.cnf \ -key certs/www.cylindric.net.key.pem \ -out intermediate-ca/csr/www.cylindric.net.csr.pem
cd $BASE/intermediate-ca openssl ca \ -batch \ -config openssl.cnf \ -notext \ -in csr/www.cylindric.net.csr.pem \ -passin pass:intermediatepass \ -out ../certs/www.cylindric.net.crt.pem rm -f csr/www.cylindric.net.csr.pem
cd $BASE/intermediate-ca openssl ca \ -config openssl.cnf \ -gencrl \ -keyfile private/intermediate.key.pem \ -passin pass:intermediatepass \ -cert certs/intermediate.cert.pem \ -out crl/intermediate.crl.pem openssl crl \ -inform PEM \ -in crl/intermediate.crl.pem \ -outform DER \ -out crl/intermediate.crl
Check the certificate was created correctly:
openssl verify -CAfile certs/ca-chain.cert.pem certs/www.cylindric.net.crt.pem
Verify with the CRL too:
openssl verify \ -crl_check \ -CAfile intermediate-ca/crl/intermediate.crl.pem \ certs/www.cylindric.net.crt.pem
Certificates should be combined in this order: