Client-Side SSL certificate authentication

Quick recap

DSA Déprécié, ne plus utiliser

RSA > 4096 bits (Compatible partout, meilleur rapport qualité/compatibilité)

ECDSA 521 bits, Décrié, mais mieux supporté que Ed25519

Ed25519 Récent, moins supporté, mais le plus sécurisé

Self-signed certificate

Create the root Certificate Authority

mkdir /var/ssl
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create the Client Key and CSR

Organization & Common Name = Person name

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr

# Self-sign the CSR
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Convert Client Key to PKCS

So that it may be installed in most browsers.

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Convert Client Key to (combined) PEM

Combines client.crt and client.key into a single PEM file for programs using openssl.

openssl pkcs12 -in client.p12 -out client.pem -clcerts

Test client certificate

openssl verify -verbose -CAfile ca.crt client.crt

error 18 at 0 depth lookup: self signed certificate same Organization Name for CA and client certificate.

Source: Client Side SSL by mtigas