CHAPTER 3

Client Authentication

Verify the import by using the list map command again. Note that the Client Auth column now shows client authentication for Map ID 2 enabled.

    HP SA7150> list map
    Map                     Net   Ser  Cipher     Re-    Client      well
    ID  KeyID   Server IP   Port  Port Suites     direct Auth   XML  form
    ==  =====   =========   ===== ==== ======     =====  =====  ===  ====
    1   default Any         443   80   all(v2+v3) n      n      n    N/A
    2   sample  10.1.2.57   443   80   med(v2+v3) n      y      n    N/A
    HP SA7150>

Clients connecting to "map 2" are required to present a client certificate signed by the CA whose certificate was imported above. If they do not present a properly signed certificate, their connection attempt is refused.

Creating a Client CA Certificate using OpenSSL*

Software packages are available that handle the details of client certificate generation. However, you can also carry out these steps manually. The following example illustrates the appropriate steps using OpenSSL*.

NOTE: To acquire a copy of OpenSSL* for your environment, access the OpenSSL* Web site at www.openssl.org.

1. Generate the key pair for the client CA.
    openssl genrsa -out ca_key.pem 1024
2. Create another private key by typing this command.
    openssl genrsa -out ca_key.pem 1024
3. Generate the client CA certificate.
    openssl req -new -x509 -config hp.cnf -key ca_key.pem -days 365 -out ca_cert.pem
4. Use the import client_ca command to import ca_cert.pem for each client.

1. Generate a key pair.
    openssl genrsa -out key.pem 1024
2. Generate a certificate signing request.
    openssl req -new -config hp.cnf -days 365 -key key.pem -out csr.pem
3. Sign the client certificate request by typing this command.
    openssl x509 -req -CAcreateserial -CAkey ca_key.pem -CA ca_cert.pem -in csr.pem -out cert.pem

NOTE: In this example, ca_cert.pem is your trusted CA and signing certificate.
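The procedure above run end to end, as an added example that is not part of the HP manual: it creates a client CA, issues a client certificate from it, and uses openssl verify as a local check of the condition the page describes, namely that only a certificate signed by the imported CA is accepted. Assumptions: -subj stands in for the page's hp.cnf (its contents are not shown), the subject names and directory layout are constructed, and 2048-bit keys are used instead of the page's 1024.

```shell
#!/bin/sh
# Added example, not from the manual. Assumptions: -subj stands in for hp.cnf,
# all names are constructed, and keys are 2048-bit instead of 1024-bit.

# make_ca DIR CN: CA key pair plus self-signed CA certificate.
make_ca() {
    openssl genrsa -out "$1/ca_key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/ca_key.pem" -days 365 \
        -subj "/O=Example/CN=$2" -out "$1/ca_cert.pem" 2>/dev/null
}

# issue_client CADIR OUTDIR CN: client key pair, CSR, CA-signed certificate.
# -days is given to x509 because req ignores it when -x509 is absent.
issue_client() {
    openssl genrsa -out "$2/key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$2/key.pem" -subj "/O=Example/CN=$3" \
        -out "$2/csr.pem" 2>/dev/null &&
    openssl x509 -req -CAcreateserial -CAkey "$1/ca_key.pem" \
        -CA "$1/ca_cert.pem" -days 365 -in "$2/csr.pem" \
        -out "$2/cert.pem" 2>/dev/null
}

# signed_by CACERT CERT: true only if CERT verifies against CACERT.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: one client issued by the imported CA, one by an unrelated CA.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ca" "$work/other" "$work/insider" "$work/outsider"
    rc=1
    if make_ca "$work/ca" "Client CA" &&
       make_ca "$work/other" "Unrelated CA" &&
       issue_client "$work/ca" "$work/insider" insider &&
       issue_client "$work/other" "$work/outsider" outsider &&
       signed_by "$work/ca/ca_cert.pem" "$work/insider/cert.pem" &&
       ! signed_by "$work/ca/ca_cert.pem" "$work/outsider/cert.pem"
    then
        echo "insider: verifies against client CA; outsider: does not"
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

demo
```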