There are scenarios that require you to implement your own private Certificate Authority (CA), such as VPNs, internal web servers, or client authentication to web servers.
This is the second article in a four part series, that explains how to generate a Root Certificate, Client Certificates and Server Certificates, for authentication. In this article, you will learn how to use a tool called XCA to create the Client Certificate, signed using an Intermediate Root Certificate from the previous article in this series.
Assumptions
- Download XCA from http://sourceforge.net/projects/xca/
- Install XCA (Admin Privilege Required)
- Create a Root Certificate, using XCA
- Create an Intermediary Certificate, signed with Root Certificate.
Create a Client Certificate
1. Click File->Open Database
2. Select the database file (.xdb)
3. Click the Open button
4. Go to the "Certificate Signing Request" tab
5. Set signature algorithm to SHA256
6. Change template for new certificate to <Company Name> template (created earlier)
7. Click "Apply Subject"
8. Go to the "Subject" tab
9. Verify that the information is populated correctly
10. Click "Generate a new key"
11. Add the client name (e.g. john@example.com), keytype of RSA, and keysize of 2048 bit
12. Click Create
13. Update the common name to "Client Certificate", or some other identifiable name
14. Go to the "Key Usage" tab
15. Select Digital Signature in the Key Usage panel, and select "TLS Web Client Authentication" in the Extended Key panel
16. Go to the "Advanced" tab, and after verifying the information, click OK
17. Click OK
18. Right-click on the new client certificate signing request, and select "Sign"
19. Change "Signing" option to "Use this certificate for signing" and select "Intermediary Certificate"
20. Change template for certificate to "Company Name", and click "Apply Subject"
21. Go to the "Extensions" tab
22. Change Time Range to 2 years, and click "Apply"
23. Go to the "Advanced" tab, and verify the information
24. Click OK
25. The new client certificate can be viewed in the Certificates tab, below the intermediary certificate.
Congratulations!
You have just created your first client certificate!
See all the articles in this series:
- Create a Root Certificate
- Create a Client Certificate
- Create a Server Certificate
- Export a Client Certificate
