Create the Client Private Key and Certificate

If you are using mutual authentication, create the client's private key file and certificate request, then sign the client certificate using the CA private key file. For more information on the following commands, see the OpenSSL documentation.

Important: If you plan to use mutual authentication, you can create the client certificate in a way that allows self-authentication. To do so, set the Common Name (CN) field to the value of the database user name you want to use with the target database.
  1. Use the openssl genrsa command to create the client’s private key file.

    $ openssl genrsa -out new_client.key 1024
  2. Use the openssl req command to create the client certificate request.

    $ openssl req -config openssl_req_client.conf -new -key new_client.key -out new_client_reqout.txt

    Enter the following sample values in response to the openssl command line prompts. Alternatively, you can supply the same information in a .conf file, such as openssl_req_client.conf in the preceding command.

    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:Massachusetts
    Locality Name (e.g., city) [Newbury]:Cambridge
    Organization Name (e.g., company) [My Company Ltd]:CorpName
    Organizational Unit Name (e.g., section) []:TechSupport
    Common Name (e.g., your name or server hostname) []:myhost
    Email Address []:myhost@CorpName.com
    
  3. Use the openssl x509 command to sign the client's certificate using the CA private key file and public certificate.

    $ openssl x509 -req -in new_client_reqout.txt -days 3650 -sha1 -CAcreateserial -CA new_serverca.crt -CAkey new_servercakey.pem -out new_client.crt

You have now created the client private key file, new_client.key, and signed the client certificate using the CA private key (new_servercakey.pem) and CA public certificate (new_serverca.crt). The result is the new client certificate, new_client.crt.

Set Client Key and Certificate Permissions

Set permissions for client certificates and keys:

$ chmod 700 new_client.crt new_client.key

Because you add the contents of those files to parameters on the server, you do not need to set permissions for server certificates and keys.