Certificates used for the mTLS authentication can be generated using certstrap or any other means for generating TLS certificates (openssl, step cli).
We're following the advice of Mozilla of generating one long term root CA certificate with intermediate CA certificates signing the actual client certificates.
If your server and client supports Ed25519 certificates, add --curve=Ed25519
to init
and request-cert
commands. (Requires compilation CGO_ENABLED=0 go install github.com/square/certstrap@2a55ac3
)
Keep these root CA files somewhere safe.
mkdir -p certs
# Create root CA certificate
certstrap --depot-path certs init --common-name "my-rootCA" --expires "10 years" --organization "my Org"
This intermediate CA will be used to sign client certificates. It is signed by the rootCA.
# Request and sign intermediate CA certificate
certstrap --depot-path certs request-cert --common-name "my-intermediateCA" --organization "my Org"
certstrap --depot-path certs sign "my-intermediateCA" --CA "my-rootCA" --expires "2 years" --intermediate
Finally, certificates that can authenticate, can be signed by the intermediate CA. You can either pre-generate or only sign the .crt
files.
# Request and sign final client certificate without passphrase
certstrap --depot-path certs request-cert --common-name "clientA" --organization "my Org" --passphrase ""
certstrap --depot-path certs sign clientA --CA "my-intermediateCA" --expires "1 years"
The above method of creating client certificates should be only done for testing purposes. User who should be authenticated should execute the request-cert
part, send the resulting .csr
file to the CA holder who executes the sign
part. Finally the CA holder sends the .crt
file back to the user.