Eureka OL-8880-01 manual Converting a Client Certificate and Private Key to PKCS#12


Chapter 2 Generating Certificates


Use the following command to display the client certificate:

openssl x509 -in ./ca/certs/client-cert.pem -text

Converting a Client Certificate and Private Key to PKCS#12

Use the following command sequence to convert a client certificate and private key to PKCS#12. This process is useful for importing a client certificate to a Windows PC for testing.

cat ./ca/certs/client-cert.pem ./ca/private/client-key.pem > ./ca/private/client-all.pem

openssl pkcs12 -export -in ./ca/private/client-all.pem -out client-all.p12
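The script below is an added example, not part of the original guide. It performs the same conversion with checks around it: it confirms the key belongs to the certificate, writes the bundle owner-readable only, and reads it back to verify the contents. The function names `pem_to_p12` and `demo`, the passphrase file, and the throwaway test certificate are assumptions made for illustration.

```shell
#!/bin/sh
# pem_to_p12 CERT KEY OUT PASSFILE   (hypothetical helper, not from the guide)
pem_to_p12() {
    cert=$1; key=$2; out=$3; passfile=$4

    # 1. Refuse to bundle a key that does not belong to the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 3; }

    # 2. The bundle contains the private key: create it owner-readable only.
    #    -inkey avoids the concatenated client-all.pem intermediate file, and
    #    -passout file: keeps the passphrase off the command line.
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" \
          -name "client" -out "$out" -passout "file:$passfile" ) || return 4

    # 3. Read the bundle back and confirm it carries the same certificate.
    want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    got=$(openssl pkcs12 -in "$out" -passin "file:$passfile" -nokeys -clcerts 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256)
    [ "$want" = "$got" ] || { echo "bundle verification failed" >&2; return 5; }
}

# Constructed demo: throwaway self-signed certificate and key in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-client" \
        -keyout "$d/client-key.pem" -out "$d/client-cert.pem" 2>/dev/null || return 1
    printf '%s\n' 'constructed-test-passphrase' > "$d/pass.txt"
    pem_to_p12 "$d/client-cert.pem" "$d/client-key.pem" "$d/client-all.p12" "$d/pass.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo && echo "PKCS#12 bundle created and verified"
```

If the concatenated client-all.pem from the command sequence above is used instead, delete it once the .p12 file has been verified, since it holds the private key unencrypted.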

Certificate Generation with Windows CA

This section provides examples of creating certificates using the Windows Certificate Authority (Windows CA). The Windows CA provides a web-based interface for requesting and retrieving certificates. The web forms permit you to create a new key pair or use an existing key, specify the desired certificate fields and attributes, and submit the request to the CA for processing.

Note: The Windows CA component is only available on Windows Server OS, not on client OS (such as Windows 2000 Pro or Windows XP). To generate certificates you will need a Windows Server set up and the Windows CA configured.

Usually an administrator will be required to manually review and grant or deny the request before the certificate can be accessed. (Windows CA can also be configured to automatically grant requests without administrator intervention.) The Certification Authority snap-in of the Microsoft Management Console (MMC) is used to review certificate requests and take the appropriate action. It can also be used for other purposes such as certificate revocation, renewal, etc.

After a certificate has been issued by the Windows CA it must be exported to a file so that it can be transported to the machine where it will be used. Although Windows can export certificates in DER or PEM format, if the corresponding private key is required (as it is for server and client certificates) then the certificate and private key will be bundled into a PKCS#12-formatted file. Since the required format for our purposes is PEM, the PKCS#12 content must be reformatted appropriately.

The following examples show an extremely simple certificate hierarchy consisting of two levels and three certificates. Most realistic certificate hierarchies will contain one or more levels of intermediate CA certificates. Since the root-level certificate is created when the Windows CA product is installed and configured, those steps are not shown here. The examples assume that the Windows CA has been configured for standalone operation, but the steps are essentially the same for other configurations.

The following examples assume that the Windows Certificate Authority product has been installed and configured. Since the exact installation steps vary depending on the version of Windows Certificate Authority and its configuration, those steps are not shown here. Refer to the appropriate Microsoft documentation for information about how to install Windows Certificate Authority.

WLSE Express AAA Server Certificate Configuration Guide
