Create a Mutual Authentication client certificate

In mutual authentication, client certificates identify client devices to edge servers over TLS. To issue a TLS client certificate for your device, use the CA root certificate and its private key that you already generated. Create a separate client certificate for each client that needs access to the topics in your namespace configuration.

Before you begin

  • Make sure your environment meets the minimum requirements to complete this procedure. See System requirements.
  • Make sure that you have a CA root certificate and a CA root private key. See Create a Mutual Authentication root certificate.
  • Prepare a client configuration file.
    An example of content in a client.conf file
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    # subject distinguished name
    distinguished_name = dn
     
    [dn]
    # country
    C = US
    # state
    ST = California
    # city
    L = San Francisco
    # organization
    O = Organization
    # organization unit
    OU = IoT
    # email
    emailAddress = client1@test-xyz.com
    # common name
    CN = www.iot.test.com
     
    [req_ext]
    # subject alternative name
    subjectAltName = @alt_names
    # netscape comment
    nsComment = "This is netscape comment"
     
    [alt_names]
    DNS.1 = test.example.com

All the files used in the task are in the same directory. The commands use these variables for the file names:
  • client1.key is the private RSA key of a client certificate.
  • client.conf is the configuration file for the client certificate.
  • client1.csr is the certificate signing request file.
  • rootCA.crt is the CA root certificate you previously created.
  • rootCA.key is the CA root private key that you previously created.

How to

  1. Create a private RSA key for the client certificate.
    You can use the following command: openssl genrsa -out client1.key 2048
    A client1.key appears in your current directory.
  2. Use the client certificate private key and the client configuration file to create a certificate signing request (CSR).
    You can use the following command: openssl req -new -key client1.key -out client1.csr -config client.conf
    A client1.csr file appears in your current directory.
  3. Verify that the CSR contains the correct information.
    You can use the following command: openssl req -in client1.csr -noout -text
  4. Use your CSR, the CA root certificate, the CA root private key, and the client certificate configuration file to generate a client certificate.
    You can use the following command: openssl x509 -req -in client1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client1.crt -days 500 -sha256 -extfile client.conf -extensions req_ext
    A client1.crt file appears in your current directory.
  5. Verify that the client certificate has the correct information.
    You can use the following command: openssl x509 -in client1.crt -text -noout
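The procedure above as one runnable script, added here as an example and not part of the original page; it also checks that the issued certificate chains to the CA and that the subject alternative name from client.conf survived signing, which is what the -extfile and -extensions options in step 4 are for. It assumes openssl is on PATH and builds a throwaway root CA in place of the rootCA.crt and rootCA.key you created earlier.

```shell
#!/bin/sh
# Added example, not from the original page: runs the page's steps end to end in a
# scratch directory and then checks the result. Assumes openssl is on PATH. The root
# CA is a constructed throwaway standing in for the rootCA.crt/rootCA.key you made earlier.
set -eu
WORK="${WORK:-$(mktemp -d)}"

write_client_conf() {   # trimmed version of the page's client.conf
  cat > "$WORK/client.conf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = US
O = Organization
OU = IoT
CN = www.iot.test.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = test.example.com
EOF
}

make_root_ca() {        # constructed CA for this demo only
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/C=US/O=Organization/CN=Demo Root CA" \
    -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" 2>/dev/null
}

issue_client_cert() {   # steps 1, 2 and 4 of the page
  openssl genrsa -out "$WORK/client1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/client1.key" -out "$WORK/client1.csr" \
    -config "$WORK/client.conf"
  # Without -extfile/-extensions, openssl x509 -req drops the CSR's SAN.
  openssl x509 -req -in "$WORK/client1.csr" -CA "$WORK/rootCA.crt" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -out "$WORK/client1.crt" \
    -days 500 -sha256 -extfile "$WORK/client.conf" -extensions req_ext 2>/dev/null
}

check_client_cert() {   # succeeds only if the cert chains to the CA and carries the SAN
  openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/client1.crt" >/dev/null &&
    openssl x509 -in "$WORK/client1.crt" -noout -text | grep -q 'DNS:test.example.com'
}
```

Run write_client_conf, make_root_ca, issue_client_cert and then check_client_cert; a non-zero exit from the last one means the certificate either does not verify against the CA or lost its subjectAltName.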