Creating client certificates
Creating client certificates is just like creating the server certificate we saw earlier in the chapter, with the added step of converting the signed certificate into a format that email clients can import. Most popular mail clients expect certificates in the PKCS12 format, which packages together the signed certificate and private key and protects them with a password. If you use a third-party CA, the company will most likely provide you or your users with the correct format needed for your particular email client. If you are signing certificates yourself, you have to create a PKCS12-formatted file to give to your users. The file is created from the user’s signed certificate, the private key corresponding to that certificate, and your own CA public certificate.
You have to create a separate certificate/key pair for each user you plan to authenticate with certificates. You should decide on a policy for choosing a distinguished name. Generally, you would use the individual’s email address or the client machine’s hostname when generating the certificates. The steps below walk through creating a certificate for a user with the email address [email protected]:
1. Using the openssl command, generate a private and public key for your user. Remember that your public key also has to be signed by a CA (possibly yourself):
$ openssl req -new -nodes -keyout kdentkey.pem \
-out kdentreq.pem -days 365
This command creates both a private key and a CSR, as specified by the -new option. The -nodes option tells openssl not to encrypt the key (see “Generating Server Certificates”). -keyout and -out indicate the names of the files where the private key and the CSR should be created. Finally, -days 365 says to make the certificate valid for one year.
2. If you are using a third-party CA, follow their directions for getting your certificate request signed. You will be sending them the kdentreq.pem file you created above. If you are acting as your own CA, you can sign the file yourself with the following command:
# openssl ca -out kdent_signed_cert.pem -infiles kdentreq.pem
3. Once you have the signed certificate, convert it to a format that can be used by your users’ email clients:
# openssl pkcs12 -in kdent_signed_cert.pem -inkey \
kdentkey.pem -certfile /etc/postfix/cacert.pem -out kdent.p12 \
-export -name "[email protected]"
You will be prompted to provide a password for the file the command creates. You will have to provide your user with the password you select. The -certfile option points to your own CA certificate file; in this example, that is the CA certificate created by the CA.pl script. Once finished, you can provide your user with the kdent.p12 file and the password you used when creating it. Your user should now be able to import the file into a mail client that supports the PKCS12 format.
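The three steps above run end to end, as an added example that is not part of the book: a throwaway self-signed CA stands in for the CA.pl setup, "openssl x509 -req" replaces "openssl ca" so no CA directory layout is needed, and the resulting .p12 is then opened and checked the way a mail client would. The function names, DNs, address and password are constructed for this demonstration.

```shell
#!/bin/sh
# Added example: build a client PKCS12 bundle and verify it (demo names only).
set -eu

# Usage: make_client_p12 WORKDIR EMAIL P12_PASSWORD
make_client_p12() {
    dir=$1; email=$2; pw=$3
    # Throwaway self-signed CA, standing in for the one CA.pl creates.
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Demo Mail CA" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Step 1: unencrypted (-nodes) client key plus CSR; the email address is the DN.
    openssl req -new -nodes -newkey rsa:2048 -subj "/emailAddress=$email" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    # Step 2: sign the CSR. The signer fixes the validity period; the S/MIME
    # extensions tell mail clients the cert is for exactly this address.
    printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:%s\n' "$email" \
        > "$dir/smime.ext"
    openssl x509 -req -in "$dir/req.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/smime.ext" -out "$dir/cert.pem" 2>/dev/null
    # Step 3: PKCS12 = signed cert + private key + CA cert, protected by the password.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -certfile "$dir/cacert.pem" -name "$email" -out "$dir/user.p12" -passout "pass:$pw"
    echo "$dir/user.p12"
}

# Return 0 if $1/user.p12 opens with $3, its client cert chains to $1/cacert.pem
# and names $2, and the bundle does NOT open with a wrong password.
check_client_p12() {
    dir=$1; email=$2; pw=$3; p12=$dir/user.p12
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts \
        -out "$dir/clcert.pem" 2>/dev/null || return 1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/clcert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/clcert.pem" -noout -subject | grep -q "$email" || return 1
    # A wrong password must be rejected, or the file is not protecting the key at all.
    openssl pkcs12 -in "$p12" -passin "pass:not-$pw" -nokeys -out /dev/null 2>/dev/null && return 1
    return 0
}

if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_client_p12 "$d" "user@example.com" "s3cret"
    check_client_p12 "$d" "user@example.com" "s3cret" && echo "PKCS12 bundle OK"
fi
```

Run it as "sh script.sh run"; the bundle it writes can be imported into any PKCS12-capable mail client with the password given on the command line.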