How to make a self-signed client SSL certificate?

06
2014-04
  • Smit Johnth

    Well, how to make a client SSL certificate, which doesn't need an (external) certification authority?

    Is there a way and is any profit to use elliptic curves for that?

    What should i do to use it on a server? How to make a server accept a certificate? How does a server know which user has logged in?

    • Answers
  • Thomas Pornin

    A self-signed client certificate for SSL is just a self-signed certificate with a key suitable for signatures. Just about any self-signed certificate will do, as long as you do not explicitly restrict it to encryption (i.e. don't insist on including a Key Usage extension, and you'll be fine).

    Elliptic curves are massively spiffy. But not everybody supports them yet. Advantages of elliptic curves are that they yield shorter public keys and smaller and faster signatures than RSA. Not that it matters much anyway (as a human being, you cannot make the difference between 50 and 1000 µs). More importantly, using elliptic curves confers early adopter status. It is the cryptographic equivalent of buying a red sports car.


    • Related Question

    How to save a remote server SSL certificate locally as a file
  • Kimvais

    I need to download an SSL certificate of a remote server (not HTTPS, but the SSL handshake should be the same as Google Chrome / IE / wget and curl all give certificate check fail errors) and add the certificate as trusted in my laptops Windows' certificate store since I am not able to get my IT guys to give me the CA cert.

    this is for office commnunicator so I cannot really use the actual client to get the cert.

    How do I do this, I have Windows 7 and a pile of Linuxes handy so any tool / scripting language is fine.


    • Related Answers
  • 8088

    If you have access to OpenSSL, try 

    openssl s_client -connect {HOSTNAME}:{PORT} -showcerts

    replacing {HOSTNAME} and {PORT} with whatever your values are.

  • Robert Siemer

    To be honest, I have never tried this before (never needed to) however, I have just tried in Firefox and it seems to work for saving:

    1. Click on the SSL certificate icon at the top / Padlock at the bottom.
    2. Click View Certificate
    3. Click on the Details Tab
    4. Chose which certificate you want from the hierarchy [not circled in picture]
    5. Click Export

    alt text

  • elec3647

    A quick method to get the certificate pulled and downloaded would be to run the following command which pipes the output from the -showcerts to the x509 ssl command which just strips everything extraneous off. For example:

    openssl s_client -showcerts -connect server.edu:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
  • Daniel Trebbien

    This is gbroiles' answer, but I wanted to point out that the cURL project has a page with a few more details on using openssl to save the remote server's SSL certificate:

    • openssl s_client -connect {HOSTNAME}:{PORT} | tee logfile
    • Type QUIT and press the Enter / Return key.
    • The certificate will be listed between "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.

    • If you want to see the data in the certificate, you can use:

      openssl x509 -inform PEM -in certfile -text -out certdata

      where certfile is the certificate extracted from logfile. Look in certdata.