Create a Mutual Authentication client certificate
In mutual authentication, client certificates identify client devices to edge servers over TLS. To issue a TLS client certificate for your device, use the CA root certificate and the CA root private key that you already generated. Create a separate client certificate for each client that you want to have access to the topics in your namespace configuration.
Before you begin
- Make sure your environment meets the minimum requirements to complete this procedure. See System requirements.
- Make sure that you have a CA root certificate and a CA root private key. See Create a Mutual Authentication root certificate.
- Prepare a client configuration file.

An example of content in a client.conf file:

    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    # subject distinguished name
    distinguished_name = dn

    [dn]
    # country
    C = US
    # state
    ST = California
    # city
    L = San Francisco
    # organization
    O = Organization
    # organization unit
    OU = IoT
    # email
    emailAddress = client1@test-xyz.com
    # common name
    CN = www.iot.test.com

    [req_ext]
    # subject alternative name
    subjectAltName = @alt_names
    # netscape comment
    nsComment = "This is netscape comment"

    [alt_names]
    DNS.1 = test.example.com
All the files used in the task are in the same directory.
The commands use these variables for the file names:
- client1.key is the private RSA key of a client certificate.
- client.conf is the configuration file for the client certificate.
- client1.csr is the certificate signing request file.
- rootCA.crt is the CA root certificate you previously created.
- rootCA.key is the CA root private key that you previously created.