Hi everybody,

I am trying to do client authentication using a self-signed CA and client certificates. I want to store the client certificate in the LDAP entries. The CA certificate is in the web server. I followed the steps mentioned below to create the CA and client certificates:

CA Certificate
# generate the key for the CA certificate and store it in CA.key file
openssl genrsa -des3 -out $CA_DIR/CA.key 1024
# generate the self-signed CA cert from that key (-x509, no separate CSR) and store it in CA.crt file
openssl req -new -x509 -days 365 -config $SSLDIR/openssl.cnf -key $CA_DIR/CA.key -out $CA_DIR/CA.crt
# convert the cert into pkcs12 format so that it can be imported into IE
openssl pkcs12 -export -in $CA_DIR/CA.crt -inkey $CA_DIR/CA.key -out $CA_DIR/CA.pfx
Client Certificate
# generate the key for the client certificate and store it in User.key file
openssl genrsa -des3 -out $CLIENT_DIR/User.key 1024
# create the certificate request for the client cert and store it in User.csr file
openssl req -new -config $SSLDIR/openssl.cnf -key $CLIENT_DIR/User.key -out $CLIENT_DIR/User.csr
# sign the request with the CA (CA.crt created above) and store the client cert in User.crt
openssl ca -config $SSLDIR/openssl.cnf -cert $CA_DIR/CA.crt -in $CLIENT_DIR/User.csr -keyfile $CA_DIR/CA.key -out $CLIENT_DIR/User.crt
Now I am storing this client certificate in the LDAP entry of the client/user. What I would like to know is whether the private key of the client is also being stored in the certificate? Because I don't want the private key of the client certificate to be on the LDAP. How to do it?

Any help please.

regards
Sarath
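An added check for this situation (editor's example, not code from the post): the file written by `openssl ca` above holds only the certificate, while the private key stays in User.key, so before loading anything into the directory the script below confirms the PEM file contains a single CERTIFICATE block and no private-key block, then emits the DER value as an LDIF `userCertificate;binary` attribute. The certificate bytes and the DN are constructed placeholders; in practice the real $CLIENT_DIR/User.crt is read from disk.

```python
import base64
import re
import textwrap

# PEM labels that mean the file carries key material and must not go into the directory.
PRIVATE_KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
                      "DSA PRIVATE KEY", "EC PRIVATE KEY")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(pem_text):
    """Return (label, der_bytes) for every PEM block in the text, in order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(pem_text)]

def carries_private_key(pem_text):
    """True if any block in the file is a private key (plain or encrypted)."""
    return any(label in PRIVATE_KEY_LABELS for label, _ in pem_blocks(pem_text))

def certificate_only(pem_text):
    """DER bytes of the single CERTIFICATE block; refuses files that also hold a key."""
    if carries_private_key(pem_text):
        raise ValueError("file contains a private key block; do not publish it")
    certs = [der for label, der in pem_blocks(pem_text) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    der = certs[0]
    if not der or der[0] != 0x30:          # an X.509 certificate is a DER SEQUENCE
        raise ValueError("CERTIFICATE block is not a DER SEQUENCE")
    return der

def ldif_user_certificate(dn, pem_text):
    """LDIF modify record that sets userCertificate;binary (base64 DER, RFC 2849 folding)."""
    b64 = base64.b64encode(certificate_only(pem_text)).decode("ascii")
    folded = "\n ".join(textwrap.wrap(b64, 76))   # continuation lines start with one space
    return (f"dn: {dn}\nchangetype: modify\nreplace: userCertificate;binary\n"
            f"userCertificate;binary:: {folded}\n-\n")

# Constructed placeholder, not a real certificate: a minimal DER SEQUENCE so the
# checks run offline. In practice read $CLIENT_DIR/User.crt from the steps above.
FAKE_CERT_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(FAKE_CERT_DER).decode("ascii")
                   + "\n-----END CERTIFICATE-----\n")
# The same cert followed by a key block: the case that must be rejected.
SAMPLE_BUNDLE_PEM = SAMPLE_CERT_PEM + "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

Feed the returned LDIF to ldapmodify; the key-bearing variant raises instead of producing a record.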