
createclientcert.py

Create a client certificate using the createclientcert.py script in FairCom Certificate Manager

Abstract

Create a client certificate using the createclientcert.py script in FairCom Certificate Manager.

This script creates a client certificate and its private key to use instead of a username and password when logging into a FairCom server. Register the client certificate with client application software.

Important

Before running createclientcert.py, create a CA certificate using createcacert.py.

A company's CA administrator typically creates client certificates to authenticate user and software accounts.

Easy

Run the Python script createclientcert.py without command-line arguments, and it prompts you for the following information:

  • Username of the account this client certificate will authenticate

  • Password to protect the private key embedded in the certificate file

  • Number of months until this client certificate expires

  • Optional TCP/IP addresses and/or DNS names of client computers where this client certificate is allowed to be used. (Note: Leave this blank if your version does not support this)

  • Optional information about your company. Some of this might be filled in automatically from information you entered during previous runs of these 'certificate manager' scripts.

Note

This is a summary of what is displayed. It does not show everything that is displayed.

Welcome to FairCom Client TLS Key Pair Creator
For help, run this program with the '-h' option.

The 'Common Name' of a client certificate is typically used by the server as a username.
Enter the Common Name of the client (this will be used as part of the file names): __________
Enter a passphrase to encrypt the key data, or ENTER to leave the key unsecured.
Use only 7-bit ASCII characters: __________

Enter the number of months when the certificate will expire.
  When a certificate expires, communications using that certificate no longer work.
  Recommended expiration is 13 months to give time to renew each year.
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
    such as operating systems, browsers, and other software.
Months [13]: __________
Enter a filename that contains IP addresses and DNS names, or press ENTER to be prompted for this information:
Enter one IP address or DNS name and press ENTER to enter another.  Pressing ENTER on an empty line will terminate address entry.
  Enter a new IP address or DNS name: __________
  Enter a new IP address or DNS name: __________
Done collecting IP addresses and DNS names.
Enter an optional two-letter country code where your company is located: __________
Enter an optional state/province where your company is located: __________
Enter an optional city where your company is located: __________
Enter an optional department within your organization: __________
Enter an optional email address to associate with this certificate: __________
Loading the CA key from 'Certs\_ca_key\ca.key'
Loading the CA certificate from 'Certs\Expires_On_date\ca.crt'

Successfully created and saved 1 of 1 files:

The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.

The "Expires_On_ . . . .\______Client.pem" file contains the private key and the public certificate for one client. This file should be copied to the machine that is operated by that client. Because it contains the private key, it should NOT be shared.
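The following Python script is an added example, not FairCom's code, that inspects a combined client PEM file like the Client.pem described above. It identifies the private-key and certificate blocks, reports whether the key is passphrase-protected (the prompt earlier on this page lets you leave it unsecured), checks that each block's base64 body decodes to a well-formed outer DER envelope, and flags POSIX permissions that let other users read the file. The sample bundles are constructed from a placeholder 5-byte DER value, not real keys or certificates; only the PEM framing is parsed, so nothing beyond the standard library is needed.

```python
"""Inspect a combined client PEM file (private key + certificate).

Added example for illustration; not part of FairCom Certificate Manager.
Only the PEM framing and the outer DER envelope are parsed.
"""
import base64
import os
import re
import stat

# One PEM block: label on the BEGIN line, body up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.DOTALL)


def _der_envelope_ok(der: bytes) -> bool:
    """True if `der` is one DER SEQUENCE whose declared length matches the
    bytes present (catches truncated or corrupted files)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(der)


def parse_pem_bundle(text: str) -> list:
    """Return one dict per PEM block found in `text`."""
    text = text.replace("\r\n", "\n")
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        # Legacy (PKCS#1-style) encrypted keys carry RFC 1421 headers such as
        # "Proc-Type: 4,ENCRYPTED" before a blank line and the base64 body.
        if "Proc-Type:" in body:
            headers, _, b64 = body.partition("\n\n")
        else:
            headers, b64 = "", body
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in headers
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
            well_formed = _der_envelope_ok(der)
        except ValueError:                # bad base64 (binascii.Error subclasses it)
            well_formed = False
        blocks.append({"label": label,
                       "is_private_key": label.endswith("PRIVATE KEY"),
                       "encrypted": encrypted,
                       "well_formed": well_formed})
    return blocks


def summarize(text: str) -> dict:
    """Summarize a bundle before it is copied to a client machine."""
    blocks = parse_pem_bundle(text)
    keys = [b for b in blocks if b["is_private_key"]]
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    return {
        "private_keys": len(keys),
        "certificates": len(certs),
        # None when the bundle has no key; otherwise every key must be encrypted.
        "key_encrypted": all(b["encrypted"] for b in keys) if keys else None,
        "all_well_formed": bool(blocks) and all(b["well_formed"] for b in blocks),
        # A file holding a private key must stay on that client's machine.
        "must_not_be_shared": bool(keys),
    }


def readable_by_others(mode: int) -> bool:
    """True if POSIX mode bits (e.g. os.stat(path).st_mode) grant read
    access to group or other; a key file should be 0600."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed samples: the body is the 5-byte DER SEQUENCE 30 03 02 01 05,
# a placeholder that exercises the framing checks, not a real key or cert.
_TINY_DER = base64.b64encode(bytes.fromhex("3003020105")).decode()

SAMPLE_PROTECTED = f"""-----BEGIN ENCRYPTED PRIVATE KEY-----
{_TINY_DER}
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
{_TINY_DER}
-----END CERTIFICATE-----
"""
SAMPLE_UNPROTECTED = SAMPLE_PROTECTED.replace("ENCRYPTED PRIVATE KEY", "PRIVATE KEY")
SAMPLE_LEGACY = f"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

{_TINY_DER}
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, sample in [("protected", SAMPLE_PROTECTED), ("unprotected", SAMPLE_UNPROTECTED),
                         ("legacy", SAMPLE_LEGACY)]:
        print(name, summarize(sample))
    print("this script readable by others:", readable_by_others(os.stat(__file__).st_mode))
```

To audit a real file, pass its contents to summarize() and its st_mode to readable_by_others(); a bundle that reports key_encrypted False or readable_by_others True is one that was left unsecured at the passphrase prompt or copied with permissive permissions, and should be regenerated or locked down before use.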

Advanced

Run the Python script createclientcert.py with command-line parameters:

python createclientcert.py --certManagementFolder Certs --commonName "MyCompany Private Certificate Authority" --country US --location Columbia --months 13 --org MyCompany --state Missouri --unit IT

Command-line options

usage: createclientcert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
                           [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
                           [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]] [--commonName [COMMONNAME]]
                           [--country [COUNTRY]] [--email [EMAIL]] [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]]
                           [--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]]
                           [--passphrase [PASSPHRASE]] [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]
                           [--selfSigned [SELFSIGNED]] [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]]
                           [--unit [UNIT]]

options:
  -h, --help
         show this help message and exit
  --altName [ALTNAME ...]
         A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
         A filename to load Subject Alternative Names from. One entry per line. Will be ignored if --altName is present.
  --bits [BITS]
         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
         The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
         The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
         An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
         The base directory to store saved files in.
  --cipher [CIPHER]
         The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
         The Common Name is a string used to identify the certificate.
  --country [COUNTRY]
         A two-letter country designation.
  --email [EMAIL]
         An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
         The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
         The certificate organization location or city.
  --months [MONTHS]
         The certificate validity duration.
  --org [ORG]
         The certificate organization name.
  --outCertFile [OUTCERTFILE]
         The output certificate filename.
  --outKeyFile [OUTKEYFILE]
         The output key filename.
  --passphrase [PASSPHRASE]
         If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
         A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
         If true, the server/client key will sign the new certificate rather than a CA key. Defaults to False. Ignored when generating new CA key pairs.
  --serial [SERIAL]
         The serial number is an integer used to identify the certificate. When a certificate is revoked, this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
         If true, both the key and certificate will be saved in the certificate file. Defaults to False. Ignored when generating new CA key pairs.
  --state [STATE]
         The certificate organization state or province.
  --unit [UNIT]
         The certificate organization Unit or department.

  • The Subject Alternative Name list in a client certificate is sometimes used as an additional way to identify the client. This can provide flexibility for servers that may not use the Common Name to identify clients.

  • The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.

  • Client certificates can be created with this script, but they can only be used with the FairCom ISAM interface.