Thursday, November 23, 2017

Create a client certificate signed by a CA certificate

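#!/bin/bash
#
# Generate a test CA key/certificate pair and a client key/certificate pair
# signed by that CA, then verify the client certificate against the CA.
#
# All output files are written to the current directory:
#   anil.ca.key   / anil.ca.cert    CA private key and self-signed CA cert
#   anil.cli.key  / anil.cli.cert   client private key and CA-signed cert
#   *.csr                           intermediate signing requests
#
# Security notes:
#   * -nodes leaves both private keys unencrypted on disk, so the umask
#     below keeps every file created here readable by the owner only.
#   * The CA key can mint further client certificates; keep it off the
#     client and off any host that only needs to *verify* certificates.
#   * `x509 -req` without -extfile emits certificates with no extensions
#     (no basicConstraints / keyUsage / extendedKeyUsage). That is enough for
#     the `openssl verify` check below, but stricter validators may require
#     them - supply an extensions file if the relying party does.

# Abort on the first failing openssl call instead of continuing with
# missing or half-written key material.
set -euo pipefail

# Private keys must not be group/world readable.
umask 077

# --- CA -----------------------------------------------------------------

# Create the CA private key and a signing request for it.
# Key size and digest are stated explicitly so the result does not depend
# on the defaults of the local openssl.cnf.
openssl req -new -nodes -newkey rsa:2048 -sha256 \
  -keyout anil.ca.key \
  -subj "/C=US/ST=IL/L=Chicago/O=testers unlimited/OU=tester/CN=clisigner/emailAddress=clisigner@signer.com" \
  -out anil.ca.cert.csr

# Self-sign the CA request with the CA's own key.
openssl x509 -req -sha256 -days 365 \
  -in anil.ca.cert.csr \
  -signkey anil.ca.key \
  -out anil.ca.cert

# --- Client -------------------------------------------------------------

# Create the client private key and its signing request.
openssl req -new -nodes -newkey rsa:2048 -sha256 \
  -keyout anil.cli.key \
  -subj "/C=US/ST=IL/L=Chicago/O=testers unlimited/OU=tester/CN=client/emailAddress=client@client.com" \
  -out anil.cli.cert.csr

# Sign the client request with the CA key.
# The original also passed `-signkey anil.cli.key` here. -signkey asks for a
# self-signed certificate, which contradicts -CA/-CAkey; it is dropped so the
# CA is unambiguously the only issuer (newer OpenSSL releases refuse the
# combination outright).
openssl x509 -req -sha256 -days 365 \
  -in anil.cli.cert.csr \
  -CA anil.ca.cert -CAkey anil.ca.key -CAcreateserial \
  -out anil.cli.cert

# --- Verify -------------------------------------------------------------

# Confirm the client certificate chains to the CA just created; with
# `set -e` a verification failure stops the script with a non-zero status.
openssl verify -verbose -CAfile anil.ca.cert anil.cli.cert

# --- Follow-up hint -----------------------------------------------------

# The suggested command deliberately omits `-passout pass:...`: a passphrase
# given on the command line is visible in the process list and shell history,
# and a fixed sample value tends to get copied into real deployments.
# Without -passout, openssl prompts for the passphrase interactively.
# NOTE(review): the hint targets anil.ca.key as in the original post - confirm
# which key the appliance actually needs before importing it.
echo " Netscaler does not accept private key in format generated above"
echo "So, use this command to encrypt it"
echo "openssl rsa -in anil.ca.key -des3 -out anil.ca.key2"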