
Tutorial: Create client certificate

This tutorial shows how to use the createclientcert.py script to create a client key pair (a client key and a client certificate) signed by your own CA certificate. This allows the client to authenticate to a server; the client certificate replaces a username and password. A private key should only ever be generated by the subject of the certificate. This example assumes you have administrator privileges on the subject machine. If the certificate is intended for another individual, that individual should generate their own private key and certificate signing request and present only the certificate signing request to the CA, which then generates the certificate.

Note

NEW 2023-12-04: Client certificates can be created, but they can only be used with the FairCom ISAM interface.

Optional steps

  1. Navigate to the <faircomInstallationDirectory>/drivers/certificates folder.

  2. At the command prompt, run the python createclientcert.py command.

    You are prompted for the certificate validity duration in months. This is based on the current date.

  3. Enter the desired number of months.

    You are prompted for the hostname. You can find it by running the hostname command on the server; Windows, Linux, and macOS all use the same command.

    The hostname is used as both the Common Name and the filename for the certificate.

  4. Enter the hostname.

    You are prompted for a filename containing the IP addresses and DNS names that will be included in the certificate Subject Alternative Name (SAN) list. The file should have one address per line.

  5. Enter the filename. If you prefer to be prompted for the addresses one at a time, type nothing and press Enter instead; when you have finished entering addresses manually, press Enter on a blank line to indicate you are done.

    Note

    The Subject Alternative Name list in a client certificate is sometimes used as an additional way to identify the client. This can provide flexibility for servers that may not use the Common Name to identify clients.

    A summary of all command-line options and values that will be used for this run is displayed. You may want to keep a copy of this information so you can repeat the exact same run in the future; only the serial number will differ.

  6. Press Enter to create the key pair files.

    The CA key pair is loaded, and the client key pair is generated and saved.

    Note

    The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.

  7. Press Enter to exit.
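As an added example (not FairCom's createclientcert.py), this shows the split the introduction recommends: the subject generates its own private key and a CSR carrying the hostname as Common Name and the SAN list parsed from a one-address-per-line file, and the CA verifies the CSR and issues a client-authentication certificate valid for the requested number of months with a fresh random serial. It assumes the third-party cryptography package; the self-signed CA, the hostname and the SAN file contents are constructed for the example, and a month is approximated as 30 days.

```python
import datetime, ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed SAN file contents: one address per line, blank lines ignored.
SAN_FILE = "192.0.2.10\nclient01.example.test\n\n2001:db8::7\n"

def san_entry(entry):
    """IP literals become IPAddress SANs; anything else is treated as a DNSName."""
    try:
        return x509.IPAddress(ipaddress.ip_address(entry))
    except ValueError:
        return x509.DNSName(entry)
def parse_san_file(text):
    return [san_entry(e) for e in (line.strip() for line in text.splitlines()) if e]

def make_csr(hostname, san_names):
    """Subject side: the private key is generated here and only the CSR goes to the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(subject)
           .add_extension(x509.SubjectAlternativeName(san_names), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr

def build_cert(subject, issuer, public_key, signing_key, days, extensions):
    """Shared builder: fresh random serial, validity counted from the current date."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))
    for ext in extensions:  # only BasicConstraints is marked critical here
        builder = builder.add_extension(ext, critical=isinstance(ext, x509.BasicConstraints))
    return builder.sign(signing_key, hashes.SHA256())

def make_test_ca():
    """Constructed self-signed CA for this example; a real CA key never leaves the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    return key, build_cert(name, name, key.public_key(), key, 365,
                           [x509.BasicConstraints(ca=True, path_length=None)])

def sign_client_csr(csr, ca_key, ca_cert, months):
    """CA side: verify the CSR, copy CN and SAN, mark for client auth; a month is taken as 30 days."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return build_cert(csr.subject, ca_cert.subject, csr.public_key(), ca_key, 30 * months,
                      [san, x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH])])
```

Because the CA only ever sees the CSR, the client's private key stays on the subject machine, which is the property the introduction asks for.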