The Pragmatic Addict

lighttpd client certificates

Much of this is referenced from Schnouki. I tweaked things a bit to fit my setup.

Set up the OpenSSL environment (the stock openssl.cnf expects the demoCA tree relative to the working directory, which is why it is copied here)

mkdir ssl
cd ssl
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/crl

echo "00" > demoCA/serial
echo "00" > demoCA/crlnumber
touch demoCA/index.txt
cp /etc/ssl/openssl.cnf .

Generate the CA key and a self-signed CA certificate

openssl genrsa -out demoCA/cakey.pem 2048
openssl req -new -x509 -days 3650 -key demoCA/cakey.pem -out demoCA/cacert.pem

genrsa writes the key unencrypted; add -aes256 if the CA key should be passphrase-protected (openssl ca will then prompt for it when signing). The cacert.pem produced here is what lighttpd's ssl.ca-file points at.

Create the client cert request (when prompted for the DN, set the Common Name (CN) to the username; that is the field lighttpd exposes as SSL_CLIENT_S_DN_CN)

openssl genrsa -out clientkey.pem 2048
openssl req -config openssl.cnf -new -key clientkey.pem -out client.csr

Sign the request with the CA and bundle the result for the browser

openssl ca -batch -config openssl.cnf -days 3650 -in client.csr -out clientcert.pem -keyfile demoCA/cakey.pem -cert demoCA/cacert.pem -policy policy_anything
openssl pkcs12 -export -in clientcert.pem -inkey clientkey.pem -certfile demoCA/cacert.pem -out client.p12

pkcs12 -export prompts for an export password; client.p12 (cert, key and CA cert) is the file to import into the browser or OS keystore. clientkey.pem should not leave the machine it was generated on except inside that bundle.
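The same procedure as one non-interactive script, added here as an example rather than the post's own commands. It builds the demoCA tree the post describes but ships its own minimal openssl.cnf instead of copying /etc/ssl/openssl.cnf, sets the CN via -subj, and adds the two steps the post's crl/ directory and crlnumber file exist for: revoking a client cert and reissuing the CRL. The lighttpd fragment uses the mod_openssl directives (ssl.ca-file, ssl.ca-crl-file, ssl.verifyclient.*); the server certificate path, CA name, username and export password are placeholders, and verify_client is an offline stand-in for the check lighttpd performs during the handshake.

```shell
#!/bin/sh
# Added example (not the post's commands): scripted CA, client issuance, revocation,
# offline verification and the lighttpd directives that consume the result.
# Paths, the CA name, the username and the password below are illustrative assumptions.
set -e

# make_ca DIR: create DIR/ssl with the demoCA tree, a self-signed CA and an empty CRL.
make_ca() {
    root="$1/ssl"
    mkdir -p "$root/demoCA/newcerts" "$root/demoCA/crl"
    echo "00" > "$root/demoCA/serial"
    echo "00" > "$root/demoCA/crlnumber"
    : > "$root/demoCA/index.txt"
    cat > "$root/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = policy_anything
x509_extensions = client_cert
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_cert
[ req_dn ]
commonName = Common Name
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
    ( cd "$root" &&
      openssl genrsa -out demoCA/cakey.pem 2048 2>/dev/null &&
      openssl req -config openssl.cnf -new -x509 -days 3650 -key demoCA/cakey.pem \
          -subj "/CN=Example Client CA" -out demoCA/cacert.pem &&
      openssl ca -batch -config openssl.cnf -gencrl -out demoCA/crl/crl.pem )
}
# issue_client DIR USER PASSWORD: key + CSR with CN=USER, sign it, bundle as USER.p12.
issue_client() {
    root="$1/ssl"; user="$2"; pw="$3"
    ( cd "$root" &&
      openssl genrsa -out "$user.key.pem" 2048 2>/dev/null &&
      openssl req -config openssl.cnf -new -key "$user.key.pem" -subj "/CN=$user" -out "$user.csr" &&
      openssl ca -batch -config openssl.cnf -notext -in "$user.csr" -out "$user.cert.pem" &&
      openssl pkcs12 -export -in "$user.cert.pem" -inkey "$user.key.pem" \
          -certfile demoCA/cacert.pem -name "$user" -passout "pass:$pw" -out "$user.p12" )
}
# revoke_client DIR USER: mark the cert revoked in index.txt and reissue the CRL.
revoke_client() {
    root="$1/ssl"; user="$2"
    ( cd "$root" &&
      openssl ca -batch -config openssl.cnf -revoke "$user.cert.pem" &&
      openssl ca -batch -config openssl.cnf -gencrl -out demoCA/crl/crl.pem )
}
# verify_client DIR USER: chain USER's cert to the CA, fail if it is on the CRL,
# then print the subject lighttpd would export (e.g. "CN=alice").
verify_client() {
    root="$1/ssl"; user="$2"
    openssl verify -CAfile "$root/demoCA/cacert.pem" -crl_check \
        -CRLfile "$root/demoCA/crl/crl.pem" "$root/$user.cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$root/$user.cert.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
# lighttpd_conf CA_FILE CRL_FILE: mod_openssl directives that enforce the client cert.
lighttpd_conf() {
    cat <<EOF
\$SERVER["socket"] == ":443" {
    ssl.engine                = "enable"
    ssl.pemfile               = "/etc/lighttpd/server.pem"
    ssl.ca-file               = "$1"
    ssl.ca-crl-file           = "$2"
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}
EOF
}
# Usage: make_ca /tmp/pki; issue_client /tmp/pki alice changeit; verify_client /tmp/pki alice
```

After issue_client, verify_client prints CN=alice; after revoke_client it fails with "certificate revoked", which is the same outcome lighttpd produces once it has re-read the CRL named in ssl.ca-crl-file (lighttpd must be reloaded for a new CRL to take effect). ssl.verifyclient.enforce is what turns a missing or invalid client certificate into a refused handshake rather than an anonymous request.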

Created: 2024-05-21 Modified: 2024-06-04