
Good evening. The ANAC (National Anti-Corruption Authority), in order to configure cooperation services with mutual authentication, asks us to send a client certificate (even self-signed) in X.509 format, with the extension "TLS Web Client Authentication" enabled.

It also asks to provide the public certification chain used to sign the client certificate.

Question: How do I generate the certificate? OpenSSL? And with which public certification chain do I sign it? Thanks in advance for any suggestions.

mtallon
  • It depends which CA will sign it. You can in general of course generate the certificate with openssl and this extension. In an openssl configuration see the `keyUsage` and `extendedKeyUsage`. It is probably the default in many CAs; if you look at a Let's Encrypt certificate you can see under 'Extended Key Usage' that you have 'TLS Web Server Authentication' and 'TLS Web Client Authentication'. So you first need to choose the CA to use; all your questions depend on that... – Patrick Mevzek Oct 05 '18 at 23:09
  • So I could use, for example, the Let's Encrypt CA to self-sign my client certificate? Could you please provide an example of how to do it with openssl? – mtallon Oct 05 '18 at 23:23
  • No, if you use a CA, like Let's Encrypt, then the certificate is signed by the CA. If you prefer to do a self-signed certificate then you do everything alone; you do not depend on any CA (as you are your own CA). Here is an example of a configuration file to adapt: https://pki-tutorial.readthedocs.io/en/latest/advanced/client.conf.html Your need is fulfilled with the option line `extendedKeyUsage = clientAuth` – Patrick Mevzek Oct 06 '18 at 01:31
  • @PatrickMevzek ok, but let me understand: can I freely use ANY CA to sign the certificate? Because in this case I don't understand the difference between a self-signed certificate and one signed by a public CA... – mtallon Oct 06 '18 at 16:56
  • The difference is that CAs are known entities that are trusted (for good or bad reasons, but this is the PKIX model), so people trust any certificate they sign. If you do a self-signed certificate it means people need to trust **you** to accept the certificate. Based on your provider's requirement they do not care, because they explicitly whitelist on their end the certificate that you will be sending them. – Patrick Mevzek Oct 06 '18 at 21:49
  • But can I freely use a CA like Let's Encrypt, DigiCert or GeoTrust to sign the client certificate? – mtallon Oct 07 '18 at 15:03
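An added example (not from the question or any of the commenters) of the self-signed route the comments describe: an OpenSSL config whose only extensions are the ones ANAC asks for, including `extendedKeyUsage = clientAuth`, plus two checks that the resulting file really carries the "TLS Web Client Authentication" usage and is self-signed. The subject name and file names are assumed placeholders; because the certificate is self-signed, the "public certification chain" to hand over is simply `client.crt` itself.

```shell
#!/bin/sh
# Self-signed X.509 client certificate with the clientAuth extended key usage.
# The subject name and file names below are hypothetical; adapt them.
set -eu

make_client_cert() {
    out_dir="$1"                                         # where key/cert are written
    subject="${2:-/C=IT/O=Example Org/CN=anac-client}"   # constructed placeholder DN
    mkdir -p "$out_dir"

    # Extensions for the certificate. Without an x509_extensions section,
    # "openssl req -x509" would emit a CA-style certificate with no EKU at all.
    cat > "$out_dir/client.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = client_ext
prompt             = no
[ req_dn ]
CN = placeholder
[ client_ext ]
basicConstraints     = critical,CA:false
keyUsage             = critical,digitalSignature,keyEncipherment
extendedKeyUsage     = clientAuth
subjectKeyIdentifier = hash
EOF

    # The private key never leaves you; only client.crt (which, being
    # self-signed, is also the entire chain) is sent to the counterparty.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -config "$out_dir/client.cnf" -subj "$subject" \
        -keyout "$out_dir/client.key" -out "$out_dir/client.crt" 2>/dev/null
    chmod 600 "$out_dir/client.key"
}

# Exit 0 if the certificate lists "TLS Web Client Authentication" in its EKU.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Exit 0 if issuer and subject are identical, i.e. the certificate is self-signed.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}
```

Run `make_client_cert ./anac-client` and then `openssl x509 -in ./anac-client/client.crt -noout -text` to inspect the extensions before sending the certificate.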
