Table of Contents / Create the Signing CA / Create a Client Certificate
- cd into the SigningCA directory:
  cd C:/Certificates/DoD/CA/Signing
- Create a client private key:
  openssl genrsa -aes256 -out private/<username>.key 2048
  Note: Replace <username>.key.pem with something like Smith.John.A.key.pem that makes a valid Windows filename.
  Enter a secure password.
- Create a certificate signing request:
  openssl req -config signingca.cnf -key private/<username>.key -new -sha256 -out csr/<username>.csr.pem
  Enter the password you created for the private key.
- Keep using the signing CA to sign the client certificate request:
  openssl ca -config signingca.cnf -extensions usr_cert -days 365 -notext -md sha256 -in csr/<username>.csr.pem -out public/<username>.cer
  Note: Be sure to use the Signing CA's password to sign the certificate request.
  Select y to sign the certificate.
  Select y to commit the certificate.
- Verify the cert:
  openssl x509 -noout -text -in public/<username>.cer
  The X509v3 Extended Key Usage should say Client Authentication & Email Protection.
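The script below is an added example, not part of the original page: it turns the final verification step into a repeatable check that the issued certificate chains to the signing CA, lists both Extended Key Usage values (as OpenSSL prints them), and was issued for the intended private key. The function names, the throwaway demo CA, and the use of `openssl x509 -req` in place of the page's `openssl ca` step are assumptions made so the demo runs on its own.

```shell
# check_client_cert CERT CA_FILE KEY (hypothetical helper name)
# Returns 0 only if CERT chains to CA_FILE, carries both expected EKU
# values, and holds the public half of KEY.
check_client_cert() {
    cert=$1 ca=$2 key=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca"; return 1; }
    text=$(openssl x509 -noout -text -in "$cert") || return 1
    # OpenSSL's display names for clientAuth and emailProtection.
    for eku in 'TLS Web Client Authentication' 'E-mail Protection'; do
        printf '%s\n' "$text" | grep -q "$eku" ||
            { echo "FAIL: Extended Key Usage lacks $eku"; return 1; }
    done
    # An encrypted key prompts for its password here.
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = \
      "$(openssl pkey -pubout -in "$key")" ] ||
        { echo "FAIL: $cert was not issued for $key"; return 1; }
    echo "OK: $cert"
}

# make_demo_pki DIR: constructed throwaway CA plus two certificates for one
# key, one with the EKU and one without (demo data only, assumed config).
make_demo_pki() {
    d=$1
    cat >"$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo Signing CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[usr_cert]
extendedKeyUsage = clientAuth, emailProtection
[no_eku]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null
    openssl genrsa -out "$d/user.key" 2048 2>/dev/null
    openssl req -new -config "$d/demo.cnf" -key "$d/user.key" \
        -subj "/CN=Smith.John.A" -out "$d/user.csr"
    for sect in usr_cert no_eku; do
        openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -extfile "$d/demo.cnf" \
            -extensions "$sect" -out "$d/$sect.cer" 2>/dev/null
    done
}
```

Against the files created in the steps above, the call takes public/<username>.cer, the signing CA's certificate chain file (its name is not given on this page), and private/<username>.key.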