APPENDIX B
Generating a Client CA
NOTE: To acquire a copy of OpenSSL* for your environment, access the OpenSSL website at http://www.openssl.org.
NOTE: The DN information typed in step 5 must differ from the DN information typed in step 6.
This procedure shows how to generate a client CA using OpenSSL:
1. Create a working directory where all the keys and certificates will be stored.
2. Copy the file openssl.cnf from the OpenSSL source directory.
3. Create a private key by typing this command:
   openssl genrsa -out key.pem 1024
4. Create another private key by typing this command:
   openssl genrsa -out ca_key.pem 1024
5. Now generate the client CA by typing this command:
   openssl req -new -x509 -config openssl.cnf -key ca_key.pem -out ca_cert.pem
6. Generate the client certificate signing request by typing this command:
   openssl req -new -config openssl.cnf -key key.pem -out csr.pem
7. Sign the client certificate request by typing this command:
   openssl x509 -req -CAcreateserial -CAkey ca_key.pem -CA ca_cert.pem -in csr.pem -out cert.pem
8. Combine key.pem and cert.pem into one file by typing this command:
   cat key.pem cert.pem > all.pem
9. Convert to p12 format by typing this command:
   openssl pkcs12 -export -in all.pem -out <file>.p12 -name "MY NAME"
The output file <file>.p12 will be imported into the browser as a personal certificate.
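The nine steps above as one non-interactive script, followed by a check of the result (an added example, not part of the original manual). It assumes constructed DN strings, the file name client.p12 and a constructed export password, writes a minimal openssl.cnf instead of copying the one from the OpenSSL source directory, and uses 2048-bit keys rather than the 1024-bit keys of steps 3 and 4 because current OpenSSL builds may refuse to verify 1024-bit RSA.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed values: both DNs,
# the 2048-bit key size, the name client.p12 and the export password.
CA_DN="/O=Example Org/CN=Example Client CA"   # DN typed at step 5
CLIENT_DN="/O=Example Org/CN=Example Client"  # DN typed at step 6, must differ
P12_PASS="constructed-password"

build_client_pki() (
    mkdir -p "$1" && cd "$1" || exit 1                          # step 1
    # Step 2 stand-in: a minimal openssl.cnf written inline.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'CN = Common Name' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > openssl.cnf || exit 1
    openssl genrsa -out key.pem 2048 &&                         # step 3
    openssl genrsa -out ca_key.pem 2048 &&                      # step 4
    openssl req -new -x509 -config openssl.cnf -key ca_key.pem \
        -subj "$CA_DN" -out ca_cert.pem &&                      # step 5
    openssl req -new -config openssl.cnf -key key.pem \
        -subj "$CLIENT_DN" -out csr.pem &&                      # step 6
    openssl x509 -req -CAcreateserial -CAkey ca_key.pem -CA ca_cert.pem \
        -in csr.pem -out cert.pem &&                            # step 7
    cat key.pem cert.pem > all.pem &&                           # step 8
    openssl pkcs12 -export -in all.pem -out client.p12 \
        -name "MY NAME" -passout "pass:$P12_PASS"               # step 9
)

# Prints "ok", or the first failed check: same-dn, no-chain or bad-p12.
check_client_pki() (
    cd "$1" || exit 1
    subj=$(openssl x509 -in cert.pem -noout -subject -nameopt RFC2253) || exit 1
    iss=$(openssl x509 -in cert.pem -noout -issuer -nameopt RFC2253) || exit 1
    # Equal DNs give a client certificate whose subject equals its issuer,
    # so it looks self-issued instead of issued by the client CA.
    [ "${subj#subject=}" != "${iss#issuer=}" ] || { echo same-dn; exit 1; }
    openssl verify -CAfile ca_cert.pem cert.pem >/dev/null 2>&1 ||
        { echo no-chain; exit 1; }
    openssl pkcs12 -in client.p12 -passin "pass:$P12_PASS" -nokeys 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE' || { echo bad-p12; exit 1; }
    echo ok
)
# Usage: build_client_pki ./client-ca && check_client_pki ./client-ca
```

The working directory ends up holding ca_key.pem and key.pem unencrypted, so restrict its permissions and remove all.pem once the p12 file has been exported.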