Prepare self-signed root CA and client certificates
This tutorial shows how to create a self-signed root certificate authority (CA) and use it to sign a client certificate.
NOTE: This solution is not recommended for production purposes.
Prepare a client root CA
Export the following values as environment variables:
Click to copyexport CLIENT_ROOT_CA_CN={ROOT_CA_COMMON_NAME}export CLIENT_ROOT_CA_ORG={ROOT_CA_ORGANIZATION}export CLIENT_ROOT_CA_KEY_FILE=${CLIENT_ROOT_CA_CN}.keyexport CLIENT_ROOT_CA_CRT_FILE=${CLIENT_ROOT_CA_CN}.crtGenerate a client root CA and a client certificate:
Click to copy# Create a root CA key and a certificate that's valid for one year - you can use it for validationopenssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=${CLIENT_ROOT_CA_ORG}/CN=${CLIENT_ROOT_CA_CN}' -keyout ${CLIENT_ROOT_CA_KEY_FILE} -out ${CLIENT_ROOT_CA_CRT_FILE}
Prepare client certificate
Export the following values as environment variables:
Click to copyexport CLIENT_CERT_CN={COMMON_NAME}export CLIENT_CERT_ORG={ORGANIZATION}export CLIENT_CERT_CRT_FILE=${CLIENT_CERT_CN}.crtexport CLIENT_CERT_CSR_FILE=${CLIENT_CERT_CN}.csrexport CLIENT_CERT_KEY_FILE=${CLIENT_CERT_CN}.keyGenerate a client certificate and sign it with the root CA:
Click to copy# Create a new key and CSR for the client certificateopenssl req -out ${CLIENT_CERT_CSR_FILE} -newkey rsa:2048 -nodes -keyout ${CLIENT_CERT_KEY_FILE} -subj "/CN=${CLIENT_CERT_CN}/O=${CLIENT_CERT_ORG}"# Sign the client certificate with the Client Root CA certificateopenssl x509 -req -days 365 -CA ${CLIENT_ROOT_CA_CRT_FILE} -CAkey ${CLIENT_ROOT_CA_KEY_FILE} -set_serial 0 -in ${CLIENT_CERT_CSR_FILE} -out ${CLIENT_CERT_CRT_FILE}