Reset Search
 

 

Article

KB16992 - Host Checking with Machine Certificate verification (using OpenSSL for certification)

« Go Back

Information

 
Last Modified Date8/4/2015 2:00 PM
Synopsis

Host Checking with Machine Certificate verification (using OpenSSL for certification).

Problem or Goal

Configure Host Checker to verify Machine Certificate.

Cause
Solution

Note: The commands in the procedure below are executed on a Windows machine using the openssl.cnf file. If you are running OpenSSL on a Unix machine, remove -config C:\OpenSSL-Win32\bin\openssl.cnf from the command.


Create a Certificate Authority using OpenSSL (3 steps)

1. Create CA Private Key.

openssl genrsa -out ca.key 2048


2. Create CA Certificate from the Private Key.

openssl req -config C:\OpenSSL-Win32\bin\openssl.cnf -new -x509 -days 365 -key ca.key -out ca.crt

Enter all the details for the Distinguished Name of the certificate, such as country, organization name, common name, and so on, when prompted.

 


3. Combine ca.crt and ca.key into One File.

openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12

 

Enter an export password for the p12 file when prompted (the password can be left blank).



Create a Client Certificate using OpenSSL (4 steps)

1. Create a Client Private Key.

openssl genrsa -out client.key 2048


2. Create a Client Certificate Signing Request using Client Key.

openssl req -new -key client.key -out client.csr

Enter all the details for the Distinguished Name of the certificate, such as country, organization name, common name, and so on, when prompted.


3. Sign the Request with CA to Create the Client Certificate.

openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

 


4. Combine Client Certificate and Key File into One File.

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

Note:

  • Sign each certificate with CA.
  • All the certificate and key files are stored under …/openssl/bin, unless a path is specified while creating the particular file or is specified in the openssl.cfg configuration file.



Configure Machine Authentication (5 steps)

1. Upload the CA (ca.crt) Certificate under Trusted Client CAs.

User-added image

 


2. Create a New Host Checker Policy and add a New Rule Setting of Type Custom:Machine Certificate.

User-added image

 


3. Select the Machine Certificate you want to Verify as Part of Host Checking.

 


4. Create Separate Custom: Machine Certificate Rules for Different Client Computers with Different Certificates Installed on Them.

 



Configuring Client Certificate on Client Machine

Install the client certificate on the corresponding client machine under Trusted Root Certification AuthoritiesPersonal certificate stores.

1. Go to Start > Run > type mmc and click OK.

2. On the console go to File > Add/Remove Snap-ins. Select Certificates from the list.

3. Click Add and press Ok.

4. Select Computer account and click Next.

5. On the next window, select Local Computer then click Finish.

 

 

 

 

6. Import the client certificate (*.p12) under Certificates (Local Computer) > Personal > Certificates as shown above.

Related Links
Attachment 1 
Created ByData Deployment

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255