Friday, July 1, 2011

Creating server/client certificate pair using OpenSSL.

The server/client certificate pair can be used when an application tries to access a web service that is configured to authenticate the client application using client SSL certificates.

You can follow the steps below to create the server and client certificates using OpenSSL.

Before creating the server/client certificates, we need to set up a self-signed Certificate Authority (CA) that will sign them. The first two steps set up the CA. To create the directory structure needed to set up the CA, please see here.

  1. Create the private key of the CA.
openssl genrsa -des3 -out Keys/RootCA.key 2048

  2. Create the self-signed certificate of the CA.
openssl req -config openssl.cnf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt

  3. Create the private key for the server.
openssl genrsa -des3 -out Keys/server.key 2048

  4. Create the CSR for the server.
openssl req -config openssl.cnf -new -key Keys/server.key -out CSR/server.csr

  5. Create the server certificate.
openssl ca -config openssl.cnf -days 360 -in CSR/server.csr -out Certificates/server.crt -keyfile Keys/RootCA.key -cert Certificates/RootCA.crt -policy policy_anything

  6. Create the private key for the client.
openssl genrsa -des3 -out Keys/client.key 2048

  7. Create the CSR for the client.
openssl req -config openssl.cnf -new -key Keys/client.key -out CSR/client.csr

  8. Create the client certificate.
openssl ca -config openssl.cnf -days 360 -in CSR/client.csr -out Certificates/client.crt -keyfile Keys/RootCA.key -cert Certificates/RootCA.crt -policy policy_anything

  9. Finally, export the client certificate and its key to PKCS#12 format.
openssl pkcs12 -export -in Certificates/client.crt -inkey Keys/client.key -certfile Certificates/RootCA.crt -out Certificates/clientcert.p12
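The nine steps above as one non-interactive script. This is an added example, not the post's own commands: it also writes the minimal CA directory layout and openssl.cnf that "openssl ca" (steps 5 and 8) depends on, uses sha256 instead of the old sha1 default and a constructed placeholder passphrase ("changeit"), and ends with "openssl verify" as the check that the client certificate really chains to RootCA.crt. It assumes openssl is on the PATH and that the working directory passed in is writable.

```shell
# Added example, not the post's own code: builds the minimal CA layout and
# openssl.cnf that "openssl ca" needs, runs the post's steps 1-9 without
# prompts, and verifies the client cert against RootCA.crt. "changeit" is a
set -eu                       # constructed placeholder passphrase.
make_ca_layout() {            # $1 = CA working directory (created if missing)
  mkdir -p "$1/Keys" "$1/CSR" "$1/Certificates"
  : > "$1/index.txt"; echo 01 > "$1/serial"   # issued-cert database + next serial
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $1
certs         = \$dir/Certificates
new_certs_dir = \$dir/Certificates
database      = \$dir/index.txt
serial        = \$dir/serial
default_md    = sha256
[ policy_anything ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName    = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
# Returns 0 only if the issued client certificate verifies against the root.
issue_and_verify() (          # subshell body, so the cd does not leak out
  make_ca_layout "$1"
  cd "$1"; PASS=pass:changeit
  openssl genrsa -des3 -passout $PASS -out Keys/RootCA.key 2048
  openssl req -config openssl.cnf -new -x509 -days 360 -key Keys/RootCA.key \
    -passin $PASS -subj /CN=ExampleRootCA -out Certificates/RootCA.crt
  for who in server client; do  # steps 3-5 for the server, 6-8 for the client
    openssl genrsa -des3 -passout $PASS -out Keys/$who.key 2048
    openssl req -config openssl.cnf -new -key Keys/$who.key -passin $PASS \
      -subj /CN=example-$who -out CSR/$who.csr
    openssl ca -config openssl.cnf -batch -notext -days 360 -in CSR/$who.csr \
      -out Certificates/$who.crt -keyfile Keys/RootCA.key -passin $PASS \
      -cert Certificates/RootCA.crt -policy policy_anything
  done
  openssl pkcs12 -export -in Certificates/client.crt -inkey Keys/client.key \
    -passin $PASS -certfile Certificates/RootCA.crt -passout $PASS \
    -out Certificates/clientcert.p12
  openssl verify -CAfile Certificates/RootCA.crt Certificates/client.crt
)

issue_and_verify "${1:-$(mktemp -d)}"
```

Run it with a directory argument to keep the generated files; without one it uses a fresh mktemp directory.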

Please provide your comments and suggestions to improve the post.



  1. Step 5 is not working; it says:
    Using configuration from /etc/pki/tls/openssl.cnf
    I am unable to access the ../../CA/newcerts directory
    ../../CA/newcerts: No such file or directory

    1. Thanks for your comment. Yes, my dir structure was not consistent in all the commands. Now I have corrected them.
      But that is not the only problem. I forgot to mention one point in my blog.
      The default dir in the OpenSSL conf file is "certs". Since we have changed it to "Certificates", we need to change the same in the "openssl.cnf" file as well. Please change the two lines below in your conf file.

      certs = Certificates
      new_certs_dir = Certificates

  2. I'm reading your article about "Creating SSL Certificates using OpenSSL.NET".

    I get a problem when I add the references "ssleay32.dll" and "libeay32.dll" in VS2010 (framework 4.0). I get the following message: "Could not load file or assembly 'libeay32.dll' or one of its dependencies. The module was expected to contain an assembly manifest. This file may not be a managed assembly."

    Any suggestion, thank you.

  3. Hi ManMohan,
    I am new here, so please correct me if I am wrong.

    1) A certificate is a public key.
    2) We created a private key, and a CSR and self-signed CA cert with that private key.
    3) We created the server-side key, CSR and cert.
    4) We created the client-side key, CSR and cert.

    Now, on the server, which cert do we need to keep to authenticate the client cert?
    Is the CA cert just not enough? Why did we do the server-side cert step?

    1. Hi,
      Basically, server certificates (the more common kind) are used for authentication of the server, to state whether the server you are connecting to is authentic or not. But client certificates are the certificates used by clients to pass their identity to the server so that it can validate the origin of the request.