Nancho,

For every certificate I generate a custom .cnf file from a script.
The relevant parts of the configuration file are: 
[ req ]
        prompt                  = no
        distinguished_name      = req_distinguished_name
        output_password         = <YOUR PASSWORD>
[ req_distinguished_name ]
        C                       = <COUNTRY>
        L                       = <TOWN>
        O                       = <COMPANY>
        OU                      = <ORG-UNIT>
        CN                      = <YOUR CN>
        emailAddress            = <YOUR E-MAIL>
...
[ CA_default ]
        ...
        x509_extensions         = usr_cert
        ...
...        
[ usr_cert ]
        basicConstraints        = CA:FALSE
        nsComment               = <Your comment here>
        nsCertType              = SSL Client,S/MIME,Object Signing
        keyUsage                = digitalSignature,keyEncipherment
        subjectKeyIdentifier    = hash
        authorityKeyIdentifier  = keyid,issuer:always

This is the signing part of what you're using:
> [ usr_cert ]
> #keyUsage=digitalSignature
> subjectKeyIdentifier=hash
> issuerAltName=URI:http://www.somesite.com/
> #issuerAltName=issuer:copy
> #extendedKeyUsage="TLS Web Client Authentication"

As you can see there are several differences.
I'm not sure anymore which extensions were critical to IIS (and IE5 as well
;-) because it was several months ago that I looked at it in depth.
Suffice it to say that I have already issued more than 300 certificates using
these extensions and none of them were reported broken (nearly all clients use
IE to connect to IIS).

The process of creating a certificate:
======================================
Generate CSR:
(the private key's password is set in the custom .cnf file)
# -days is only honoured by "req" together with -x509; it has no effect on a CSR.
# rsa:512 is far too small by today's standards; use rsa:2048 or larger.
openssl req -new -config ${out_dir}/${username}.cnf -newkey rsa:512 \
        -keyout ${out_dir}/${username}.key -out ${out_dir}/${username}.csr \
        -days ${ssl_def_days}

Sign CSR:
# -key is the passphrase of the CA's private key (visible in the process list;
# -passin is the safer spelling). The backslash before $PASS suggests these
# lines live inside a generated script or here-document.
openssl ca -batch -config ${out_dir}/${username}.cnf \
        -key \$PASS -policy policy_match -out ${out_dir}/${username}.crt \
        -infiles ${out_dir}/${username}.csr

Create PKCS12 envelope:
# -passin unlocks the user's private key, -passout protects the .p12 bundle.
openssl pkcs12 -in ${out_dir}/${username}.crt -inkey \
        ${out_dir}/${username}.key -passin pass:\$PASS \
        -out ${out_dir}/${username}.p12 -passout pass:\$PASS \
        -export -name ${username}

Good luck!

Gabor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
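The three steps Gabor describes (per-user .cnf, CSR, "openssl ca", PKCS#12 bundle), as an added end-to-end example that is not his script and not part of the original message. It also builds a throwaway test CA, because the index.txt/serial/new_certs_dir database that "openssl ca" insists on is what usually stops people from reproducing the recipe, writes the per-user .cnf with the same usr_cert extensions as the post (plus extendedKeyUsage), issues a certificate, and then checks the result with "openssl verify" and "openssl x509 -text" before the .p12 is handed out. The work directory, the CA name "Example Test CA", the DN values, the user "alice" and the password "changeit" are all assumptions; it uses rsa:2048 and SHA-256 instead of rsa:512, and -passin instead of the original's -key.

```shell
# Added example, not Gabor's script: per-user .cnf -> CSR -> openssl ca -> .p12 against a
# throwaway test CA. The work dir, CA name, DN values, user and password are all made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumed work directory
USERNAME="${1:-alice}"         # assumed demo user
PASS="${PASS:-changeit}"       # assumed demo password; supply it from the environment in real use

# openssl ca will not run without its database: index.txt, serial and new_certs_dir.
setup_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 1000 > "$WORK/ca/serial"
    cat > "$WORK/ca/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext
[ ca_dn ]
C  = XX
O  = Example Test CA
CN = Example Test CA
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA; its key is encrypted with $PASS so the signing step mirrors the original.
    openssl req -new -x509 -config "$WORK/ca/ca.cnf" -newkey rsa:2048 -passout "pass:$PASS" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" -days 3650 >/dev/null 2>&1
}

# Per-user config: the original's [req]/[usr_cert] shape plus the [ca]/[policy_match]
# sections openssl ca needs. \$dir is left literal for openssl to expand.
write_user_cnf() {
    cat > "$WORK/$1.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
output_password    = $PASS
[ req_distinguished_name ]
C            = XX
O            = Example Co
CN           = $1
emailAddress = $1@example.com
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $WORK/ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
x509_extensions = usr_cert
[ policy_match ]
countryName      = match
organizationName = supplied
commonName       = supplied
emailAddress     = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
nsCertType             = SSL Client,S/MIME,Object Signing
keyUsage               = digitalSignature,keyEncipherment
extendedKeyUsage       = clientAuth,emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
}

issue_client_cert() {
    write_user_cnf "$1"
    # CSR plus encrypted key; the key passphrase comes from output_password in the .cnf
    openssl req -new -config "$WORK/$1.cnf" -newkey rsa:2048 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    # Sign with the CA; -passin replaces the original's -key, which puts the password in argv
    openssl ca -batch -config "$WORK/$1.cnf" -passin "pass:$PASS" -policy policy_match \
        -out "$WORK/$1.crt" -infiles "$WORK/$1.csr" >/dev/null 2>&1
    # Bundle cert and key for import into the browser
    openssl pkcs12 -export -name "$1" -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -passin "pass:$PASS" -passout "pass:$PASS" -out "$WORK/$1.p12" >/dev/null 2>&1
}

# Before handing the .p12 out: chains to the CA, is an end-entity cert, carries the
# client-auth extensions, and the bundle opens with the password and holds the key.
check_client_cert() {
    openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$WORK/$1.crt" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q 'Digital Signature, Key Encipherment' || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

if command -v openssl >/dev/null 2>&1; then
    setup_ca && issue_client_cert "$USERNAME" && check_client_cert "$USERNAME" \
        && echo "issued and verified $WORK/$USERNAME.{crt,key,p12}"
fi
```

Run it as "PASS=... sh issue.sh bob"; the checks in check_client_cert are the ones worth keeping in a real issuance script, since a cert that passes "openssl ca" can still be missing the extensions a browser or IIS expects if the wrong x509_extensions section was picked up.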
