Root certificate
Create a Mutual Authentication root certificate
To properly configure Mutual Authentication, you need to create a root certificate that you want to use to create and validate client certificates.
Before you begin
-
Make sure your environment meets the minimum requirements to complete this procedure. See System requirements.
-
Prepare a CA root certificate configuration file.
An example of content in a root.conf file
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
x509_extensions= v3_ca
# subject distinguished name
distinguished_name = dn
[dn]
# country
C = US
# state
ST = Massachusetts
# city
L = Cambridge
# organization
O = Organization
# organization unit
OU = IoT
# email
emailAddress = test@email.com
# common name
CN = www.organization.test.com
[req_ext]
# subject alternative name
subjectAltName = @alt_names
# netscape comment
nsComment = "This is netscape comment"
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[alt_names]
DNS.1 = test.example.com
All the files used in the task are in the same directory. The commands use these variables for the file names:
-
root.conf
is the configuration file for the CA root certificate. -
rootCA.crt
is the CA root certificate you previously created. -
rootCA.key
is the CA root private key that you previously created.
How to
-
Create a certificate key for your domain.
You can use the following command:
openssl genrsa -des3 -out rootCA.key 4096
.A
rootCA.key
appears in your current directory. -
Using your CA root certificate key and the CA root configuration file, generate the CA root certificate.
Make sure to set the
basicConstraints
value in theroot.conf
file toCA:true
. This value indicates whether a certificate is a CA certificate.You can use the following command:
openssl req -x509 -config root.conf -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
.A
rootCA.crt
file appears in your current directory. -
Upload the Mutual Authentication root certificate.
Upload a Mutual Authentication root certificate
To use Mutual Authentication, you need to create a certificate set and connect it with your certificates in Certificate Provisioning System (CPS).
Before you begin, use mTLS Edge Truststore to create a certificate set. Follow mTLS Edge Truststore.
-
Go to ☰ > CDN > Certificates.
-
Select the certificate that you want to use for Mutual Authentication.
-
From the certificate's Actions menu, select View and Edit Deployment Settings.
-
In the Mutual Authentication section, click Edit.
-
From the Certificate set menu, select a certificate set.
-
Click Submit.
Your certificate redeploys to the Akamai network with the new settings.
Updated about 1 year ago