Creating a Client CA Certificate Using OpenSSL – HP e-Commerce Server Accelerator SA7120 User Manual

CHAPTER 3 HP e-Commerce Server Accelerator SA7100/SA7120 User Guide

Verify the import by using the list map command again. Note that the
Client Auth column now shows client authentication enabled for
Map ID 2.

HP SA7120> list map

Map                         Net   Ser   Cipher      Re-     Client
ID  KeyID    Server IP      Port  Port  Suites      direct  Auth
==  =====    =========      ====  ====  ======      =====   ====
1   default  Any            443   80    all(v2+v3)  n       n
2   sample   10.1.2.57      443   80    med(v2+v3)  n       y

Clients connecting to “map 2” are required to present a client
certificate signed by the CA whose certificate was imported above. If
they do not present a properly signed certificate, their connection
attempt is refused.

Creating a Client CA Certificate using OpenSSL*

There are software packages available that handle the details of client
certificate generation; however, you can implement them manually.
The following example illustrates the appropriate steps using
OpenSSL*:

1. Generate the key pair for the client CA:

openssl genrsa -out ca_key.pem 1024

NOTE: To acquire a copy of OpenSSL* for your environment, access the
OpenSSL* Web site at www.openssl.org.

Generate the client CA certificate:

openssl req -new -x509 -config hp.cnf -key ca_key.pem -days 365 -out ca_cert.pem

NOTE: In this example, ca_cert.pem is your trusted CA and signing
certificate.

2. Using the import client_ca command, import ca_cert.pem

For each client:

1. Generate a key pair:

openssl genrsa -out key.pem 1024

2. Generate a certificate signing request:

openssl req -new -config hp.cnf -days 365 -key key.pem -out csr.pem
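The steps above, run end to end in a scratch directory with a check on each artifact before ca_cert.pem is imported or csr.pem is signed (an added example, not part of the manual). The hp.cnf contents, the subject names and the function names are constructed for illustration, and the key size is a BITS parameter that defaults to 2048 where the manual's commands use 1024.

```shell
# Added example (not from the manual). BITS: key size; the manual's commands use 1024.
BITS=${BITS:-2048}
# Constructed stand-in for hp.cnf; the manual does not show that file's contents.
write_cnf() {
cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example Client CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}

# SHA-256 digest of the public key inside a private key, certificate or CSR.
pub_fp() {  # usage: pub_fp key|cert|csr FILE
  case "$1" in
    key)  openssl rsa  -in "$2" -pubout 2>/dev/null ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256
}

# The manual's CA steps: key pair, then self-signed client CA certificate.
make_client_ca() {
  openssl genrsa -out ca_key.pem "$BITS" 2>/dev/null &&
  openssl req -new -x509 -config hp.cnf -key ca_key.pem -days 365 -out ca_cert.pem
}
# The manual's per-client steps (-days has no effect on a CSR, so it is omitted).
make_client_csr() {  # usage: make_client_csr COMMON_NAME
  openssl genrsa -out key.pem "$BITS" 2>/dev/null &&
  openssl req -new -config hp.cnf -subj "/CN=$1" -key key.pem -out csr.pem
}

# Pre-import checks: CA flag set, self-signature valid, certificate matches ca_key.pem.
check_ca() {
  openssl x509 -in ca_cert.pem -noout -text | grep -q 'CA:TRUE' &&
  openssl verify -CAfile ca_cert.pem ca_cert.pem >/dev/null 2>&1 &&
  [ "$(pub_fp cert ca_cert.pem)" = "$(pub_fp key ca_key.pem)" ]
}
# Pre-signing checks: CSR self-signature valid and CSR carries key.pem's public key.
check_csr() {
  openssl req -in csr.pem -noout -verify 2>&1 | grep -q 'verify OK' &&
  [ "$(pub_fp csr csr.pem)" = "$(pub_fp key key.pem)" ]
}

umask 077; WORK=$(mktemp -d) && cd "$WORK" && write_cnf hp.cnf &&
  make_client_ca && check_ca && make_client_csr client1 && check_csr &&
  echo "ok: ca_cert.pem and csr.pem passed their checks in $WORK"
```

check_csr returns non-zero when csr.pem was not generated from key.pem, which catches a request paired with the wrong private key before it is signed.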
