Client certificate

In mutual authentication, client certificates identify client devices to edge servers over TLS. To issue a TLS client certificate for your device, use the CA root certificate and its private key that you already generated. Create a separate client certificate for each client that you want to grant access to the topics in your namespace configuration.

Before you begin

An example of the content of a client.conf file:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
# subject distinguished name
distinguished_name = dn

[dn]
# country
C = US
# state
ST = California
# city
L = San Francisco
# organization
O = Organization
# organization unit
OU = IoT
# email
emailAddress = client1@test-xyz.com
# common name
CN = www.iot.test.com

[req_ext]
# subject alternative name
subjectAltName = @alt_names
# netscape comment
nsComment = "This is netscape comment"

[alt_names]
DNS.1 = test.example.com

All the files used in this task are in the same directory. The commands use these file names:

  • client1.key is the private RSA key for the client certificate.

  • client.conf is the configuration file for the client certificate.

  • client1.csr is the certificate signing request file.

  • rootCA.crt is the CA root certificate you previously created.

  • rootCA.key is the CA root private key that you previously created.

To create a Mutual Authentication client certificate:

  1. Create a private RSA key for the client certificate.

    You can use the following command:

    openssl genrsa -out client1.key 2048

    A client1.key file appears in your current directory.

  2. Use the client certificate private key and the client configuration file to create a certificate signing request (CSR).

    You can use the following command:

    openssl req -new -key client1.key -out client1.csr -config client.conf

    A client1.csr file appears in your current directory.

  3. Verify that the CSR contains the correct information.

    You can use the following command:

    openssl req -in client1.csr -noout -text

  4. Use your CSR, CA root certificate, CA root private key, and client certificate configuration file to generate the client certificate.

    You can use the following command:

    openssl x509 -req -in client1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client1.crt -days 500 -sha256 -extfile client.conf -extensions req_ext

    A client1.crt file appears in your current directory.

  5. Verify that the client certificate contains the correct information.

    You can use the following command:

    openssl x509 -in client1.crt -text -noout
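The whole procedure, as an added example that is not part of the original page: it runs the five steps in a scratch directory and then checks the result the way you would before copying it to a device. It assumes openssl is on PATH and creates a throw-away root CA only so that it runs stand-alone; in practice you use the rootCA.crt and rootCA.key you already generated.

```shell
#!/bin/sh
# Added example (not from the original page): runs the five steps above end to
# end in a scratch directory, then checks the result before it is deployed.
# Assumptions: openssl is on PATH; the root CA is created here only so the
# script runs stand-alone (the page assumes rootCA.crt and rootCA.key exist).
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed client.conf with the same sections as the one shown on the page.
cat > client.conf <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = US
O = Organization
OU = IoT
CN = www.iot.test.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = test.example.com
EOF

# Throw-away root CA (constructed; stands in for the CA you already generated).
openssl genrsa -out rootCA.key 2048 2>/dev/null
openssl req -x509 -new -key rootCA.key -sha256 -days 30 -subj "/CN=Example Root CA" -out rootCA.crt

# Steps 1, 2 and 4 of the procedure above.
openssl genrsa -out client1.key 2048 2>/dev/null
openssl req -new -key client1.key -out client1.csr -config client.conf
openssl x509 -req -in client1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -out client1.crt -days 500 -sha256 -extfile client.conf -extensions req_ext 2>/dev/null

# Checks worth running before a certificate and key are copied to a device:
# the cert chains to rootCA.crt, the private key really belongs to it, and the
# SAN from client.conf survived signing (openssl x509 -req only carries the
# requested extensions over when -extfile/-extensions are given).
verify_client_cert() {
  openssl verify -CAfile rootCA.crt client1.crt >/dev/null &&
  [ "$(openssl x509 -noout -modulus -in client1.crt)" = "$(openssl rsa -noout -modulus -in client1.key)" ] &&
  openssl x509 -in client1.crt -noout -text | grep -q 'DNS:test.example.com'
}
verify_client_cert && echo "client1.crt verified against rootCA.crt"
```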