Using SSL Certificates

Here's how to get an SSL client certificate that this site can use to authenticate you. This walkthrough assumes you're using the OpenSSL program (available from http://www.openssl.org).

First, use the OpenSSL program to generate a key and certificate signing request:

openssl req -newkey rsa:2048 -out yourname.csr

You'll be prompted for several items of information that are used to identify who and where you are -- country code, state or province, etc. The most important one is the "Common Name" field, for which you should enter your desired freesa.org user name. Also important is the email address field, because that's where the signed certificate will be sent.

That command will eventually produce two files: privkey.pem and yourname.csr. Keep the privkey.pem file, and keep it to yourself! You will need it once you have a signed certificate. Email only the yourname.csr file to .

Eventually, Brett will send you a certificate file called something like yourname.crt. You need to combine this with privkey.pem and the CA certificate attached to the front page to produce a PKCS#12 file that you can import into your browser -- then, when you access this site using HTTPS, your browser will send the client certificate as part of the SSL handshake, and the server will use the common name from that certificate as your authenticated userid.

Once you have all three files in one place, you can turn them into a PKCS#12 file with:

cat privkey.pem yourname.crt ca-cert.pem | openssl pkcs12 -export -nodes -out clientcert.p12 -name "SSL client key" 

The way to import this into your web browser depends on the browser and version you're using. In Firefox 3.0, you can open up Firefox Preferences and click the Advanced icon, Encryption tab. Click the View Certificates button to open the Certificate Manager. Now:

  • In the Authorities tab, click Import and navigate to wherever you've saved the ca-cert.pem file. Import it. You can decide for yourself what (if anything) you trust the certificate to verify.
  • In the Your Certificates tab, click Import and navigate to wherever you've saved clientcert.p12. Import it. If you specified an export password in the openssl pkcs12 command, you'll need to enter it again during the import.
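
Before combining the files, it is worth confirming that the signed certificate matches privkey.pem, verifies against ca-cert.pem, and carries the common name you asked for. The script below is an added example, not part of the original walkthrough; the function names and the throwaway "Demo CA" / "alice" files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before building clientcert.p12.
# File names follow the page; all function names are invented for this example.

# True only if the certificate carries the public key of the private key.
key_matches_cert() {   # key_matches_cert privkey.pem yourname.crt
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# True only if the certificate verifies against the CA certificate.
issued_by_ca() {       # issued_by_ca yourname.crt ca-cert.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the Common Name, which the server will treat as the user id.
cert_cn() {            # cert_cn yourname.crt
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Run all three checks; $4 is the user name you asked for in the CSR.
preflight() {          # preflight privkey.pem yourname.crt ca-cert.pem yourname
    key_matches_cert "$1" "$2" || { echo "key and certificate differ" >&2; return 1; }
    issued_by_ca "$2" "$3"     || { echo "not signed by this CA" >&2; return 2; }
    [ "$(cert_cn "$2")" = "$4" ] || { echo "unexpected common name" >&2; return 3; }
}

# Constructed sample data: a throwaway CA and a client certificate for "alice",
# written into directory $1 (unencrypted keys, for the demonstration only).
make_demo_files() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
          -keyout ca-key.pem -out ca-cert.pem &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
          -keyout privkey.pem -out alice.csr &&
      openssl x509 -req -in alice.csr -CA ca-cert.pem -CAkey ca-key.pem \
          -CAcreateserial -days 1 -out alice.crt &&
      openssl genrsa -out other-key.pem 2048
    ) >/dev/null 2>&1
}
```

With the real files, run preflight privkey.pem yourname.crt ca-cert.pem yourname; OpenSSL will ask for the pass phrase you set on privkey.pem.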
