Issuing a Client Certificate Using a CA Certificate

  1. Log in to the server where the CA certificate is generated.
  2. Go to the cert_v3 directory, create the client directory at the same level as the ca directory, and go to it.
    mkdir client
    cd client
  3. Create the OpenSSL configuration file client_cert.conf for the client certificate. The file content is as follows:
    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    [ req_distinguished_name ]
    O                      = mxManufacture
    CN                     = xxx.huawei.com
    [ v3_ca ]
    authorityKeyIdentifier = keyid,issuer
    basicConstraints       = CA:FALSE
    keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName         = @alt_names
    [ alt_names ]
    DNS.1                  = xxx.huawei.com

    The CN field can be changed to the domain name or IP address of the server as required. Keep the DNS.1 entry in the [ alt_names ] section consistent with the CN, because clients match the name against subjectAltName.

    xxx.huawei.com is for reference only. Change xxx based on the site requirements, for example, mxmanufacture.huawei.com.

    [ v3_ca ] is only the name of the extension section that step 6 passes to -extensions; basicConstraints = CA:FALSE ensures that the issued client certificate cannot itself be used to sign further certificates.

  4. Create the private key file client.key of the client certificate.
    openssl genrsa -aes256 -out client.key 4096

    Use a strong passphrase. It must contain at least eight characters and at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters.

  5. Create the certificate signing request (CSR) file client.csr for the client certificate.
    openssl req -out client.csr -key client.key -new -config ./client_cert.conf
  6. Use the CA certificate to issue the client certificate client.crt.
    openssl x509 -req -in client.csr -out client.crt -sha256 -CAcreateserial -days 1000 -extfile ./client_cert.conf -extensions v3_ca -CA ../ca/ca.crt -CAkey ../ca/ca.key

    • If a self-signed certificate is made based on the preceding procedure, you are advised to set the permission on the directory that contains the certificate, private key, and sensitive information to 700, and to set the permission on the certificate, private key, and any configuration file that contains sensitive information to 400. For details, see the keys directory generated by the Huawei KMC component.
    • After the self-signed certificate is created, delete the intermediate files generated during the creation, such as ca_cert.conf, server_cert.conf, and client_cert.conf, to prevent information leakage.
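The following script is an added example, not part of the original procedure: it checks a certificate issued in step 6 (chains to the CA, is not itself a CA, carries the DNS subjectAltName, matches its private key, and the key file is mode 400 as recommended above). It assumes openssl 1.1.1 or later on PATH; demo_issue_and_check builds its own throwaway CA and client certificate with constructed values in a temporary directory instead of touching the ../ca directory.

```shell
# check_client_cert CA_CRT CLIENT_CRT CLIENT_KEY [PASSIN]
# Stops at the first failed check and says why; returns 0 only if all pass.
check_client_cert() {
  ca=$1; crt=$2; key=$3; pass=${4:-pass:}
  # 1. The client certificate must chain to the issuing CA
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not chain to $ca"; return 1; }
  txt=$(openssl x509 -in "$crt" -noout -text) || return 1
  # 2. A client certificate must not be usable as an issuing CA
  echo "$txt" | grep -q 'CA:FALSE' ||
    { echo "FAIL: basicConstraints is not CA:FALSE"; return 1; }
  # 3. The DNS name from [ alt_names ] must have made it into the certificate
  echo "$txt" | grep -q 'DNS:' || { echo "FAIL: no DNS subjectAltName"; return 1; }
  # 4. The private key must carry the same public key as the certificate
  certpub=$(openssl x509 -in "$crt" -noout -pubkey)
  keypub=$(openssl pkey -in "$key" -passin "$pass" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read $key (wrong passphrase?)"; return 1; }
  [ "$certpub" = "$keypub" ] || { echo "FAIL: $key does not match $crt"; return 1; }
  # 5. The private key file should be mode 400, as recommended above
  [ -n "$(find "$key" -perm 400)" ] || { echo "FAIL: $key is not mode 400"; return 1; }
  echo "OK: $crt passes all checks"
}

# Issues a throwaway CA and client certificate in a temp dir (constructed demo
# values, 2048-bit keys for speed), then runs the checks on the result.
# The config mirrors client_cert.conf above plus a [ ca_ext ] section for the demo CA.
demo_issue_and_check() {
  d=$(mktemp -d) || return 1
  status=0
  ( cd "$d" &&
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' '[ dn ]' \
      'O = mxManufacture' 'CN = xxx.huawei.com' '[ v3_ca ]' \
      'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature, keyEncipherment' \
      'subjectAltName = @alt_names' '[ alt_names ]' 'DNS.1 = xxx.huawei.com' \
      '[ ca_ext ]' 'basicConstraints = critical, CA:TRUE' \
      'keyUsage = keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > client_cert.conf &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 2 \
      -config client_cert.conf -extensions ca_ext -subj '/O=demo/CN=demo-ca' 2>/dev/null &&
    openssl genrsa -aes256 -passout pass:DemoPass1 -out client.key 2048 2>/dev/null &&
    openssl req -new -key client.key -passin pass:DemoPass1 \
      -config client_cert.conf -out client.csr 2>/dev/null &&
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -sha256 \
      -days 2 -extfile client_cert.conf -extensions v3_ca -out client.crt 2>/dev/null &&
    chmod 400 client.key &&
    check_client_cert ca.crt client.crt client.key pass:DemoPass1 ) || status=$?
  rm -rf "$d"
  return $status
}
```

For the real files, run check_client_cert ../ca/ca.crt client.crt client.key from the client directory and enter the passphrase through the fourth argument only if you accept it appearing in the shell history.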