
Creating a client CA certificate using OpenSSL – HP e-CommerceXML Accelerator SA7150 User Manual


Chapter 3: Client Authentication

Verify the import by using the list map command again. Note that the
Client Auth column now shows client authentication for Map ID 2
enabled.

HP SA7150> list map
Map                    Net   Ser  Cipher     Re-    Client     well
ID  KeyID   Server IP  Port  Port Suites     direct Auth   XML form
==  =====   =========  ===== ==== ======     =====  =====  === ====
1   default Any        443   80   all(v2+v3) n      n      n   N/A
2   sample  10.1.2.57  443   80   med(v2+v3) n      y      n   N/A
HP SA7150>

Clients connecting to “map 2” are required to present a client
certificate signed by the CA whose certificate was imported above. If
they do not present a properly signed certificate, their connection
attempt is refused.

Creating a Client CA Certificate using OpenSSL*

Software packages are available that handle the details of client
certificate generation. However, you can also implement them
manually. The following example illustrates the appropriate steps
using OpenSSL*.

NOTE: To acquire a copy of OpenSSL* for your environment, access the OpenSSL* Web site at www.openssl.org.

1. Generate the key pair for the client CA.

openssl genrsa -out ca_key.pem 1024

2. Create another private key by typing this command.

openssl genrsa -out ca_key.pem 1024

3. Generate the client CA certificate.

openssl req -new -x509 -config hp.cnf -key ca_key.pem -days 365 -out ca_cert.pem

NOTE: In this example, ca_cert.pem is your trusted CA and signing certificate.

4. Use the import client_ca command to import ca_cert.pem for each client.

1. Generate a key pair.

openssl genrsa -out key.pem 1024

2. Generate a certificate signing request.

openssl req -new -config hp.cnf -days 365 -key key.pem -out csr.pem

3. Sign the client certificate request by typing this command.

openssl x509 -req -CAcreateserial -CAkey ca_key.pem -CA ca_cert.pem -in csr.pem -out cert.pem
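
The following is an added example, not part of the HP manual: it runs the CA and client steps above in a temporary directory, then uses openssl verify to confirm that only a certificate signed by the client CA chains to ca_cert.pem, the signed-by-the-imported-CA condition described earlier on this page. Assumptions: -subj replaces the manual's hp.cnf, keys are 2048-bit rather than 1024-bit, and make_ca, issue_client, chains_to and demo are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the HP manual. Assumptions: -subj replaces hp.cnf,
# keys are 2048-bit, and all function names below are hypothetical helpers.

# make_ca DIR NAME: self-signed CA key and certificate (NAME_key/_cert.pem)
make_ca() {
    openssl genrsa -out "$1/${2}_key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/${2}_key.pem" -days 365 \
        -subj "/CN=constructed-$2" -out "$1/${2}_cert.pem"
}

# issue_client DIR CA NAME: key pair, CSR, then a certificate signed by CA
issue_client() {
    openssl genrsa -out "$1/${3}_key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/${3}_key.pem" \
        -subj "/CN=constructed-$3" -out "$1/${3}_csr.pem" &&
    openssl x509 -req -CAcreateserial -CAkey "$1/${2}_key.pem" \
        -CA "$1/${2}_cert.pem" -days 365 -in "$1/${3}_csr.pem" \
        -out "$1/${3}_cert.pem" 2>/dev/null
}

# chains_to CA_CERT CERT: exit 0 only if CERT verifies against CA_CERT
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: returns 0 when the CA-signed client verifies and the stranger does not
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca && make_ca "$d" other_ca &&
        issue_client "$d" ca client &&
        issue_client "$d" other_ca stranger || { rm -rf "$d"; return 1; }
    rc=0
    chains_to "$d/ca_cert.pem" "$d/client_cert.pem" || rc=1
    chains_to "$d/ca_cert.pem" "$d/stranger_cert.pem" && rc=1
    rm -rf "$d"
    return $rc
}

demo && echo "client cert chains to ca_cert.pem; other CA's cert does not"
```

Running chains_to against a real ca_cert.pem and cert.pem before distributing the client certificate catches a request that was signed with the wrong CA key.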