Generation of user certificates

Once the certification authority (CA) has been set up, user certificates for the VPN gateway and for each VPN client can be created. Generating a user certificate takes three steps:

  1. Generate a new key pair together with a certificate request (CA.sh -newreq).

  2. Sign the certificate request with the certification authority (CA.sh -sign).

  3. Export the certificates (CA certificate and user certificate) together with the user's key pair (public and private key) in PKCS#12 format using OpenSSL.

In the first step, a new key pair and a certificate request are generated with the command CA.sh -newreq. The script asks for a PEM passphrase that protects the private key and for the subject data (country, organization, common name, ...) of the certificate request. It produces two files:

newkey.pem = RSA key pair (public and private key), encrypted with the passphrase entered

newreq.pem = certificate request (contains the public key together with the subject data entered for the request)

In the second step, the certificate request is signed by the certification authority with the command CA.sh -sign, which asks for the CA's passphrase and produces the file newcert.pem (the CA also keeps a copy of every issued certificate under demoCA/newcerts/ and records it in demoCA/index.txt). A separate folder should now be created for each peer, here vpn-gateway/, into which the private key (newkey.pem), the certificate request (newreq.pem) and the signed certificate (newcert.pem) are moved:

In the third step, the CA certificate and the newly created user certificate, together with its private key, are exported into a single file in PKCS#12 format. The file is protected with an export password and is what is transferred to the VPN gateway or to a VPN client. Only the CA certificate (demoCA/cacert.pem) belongs in this bundle; the CA's private key (demoCA/private/cakey.pem) stays on the CA and must never be exported with it. The following command is used; it first asks for the passphrase of newkey.pem and then for the export password:

openssl pkcs12 -export -in vpn-gateway/newcert.pem -inkey vpn-gateway/newkey.pem -certfile demoCA/cacert.pem -name vpn-gateway -out vpn-gateway/vpn-gateway1.p12

The steps described above are illustrated with the certificate created for the VPN gateway.

The same steps must be carried out separately for each bintec secure IPsec client™, each with its own key pair, folder and PKCS#12 file.
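The complete three-step procedure as a script, an added example that is not part of the bintec manual: the CA.sh wrapper is replaced by the underlying openssl req, openssl ca and openssl pkcs12 commands so that everything runs unattended, and the script finishes with the check a practitioner wants before handing the file out, namely that the bundle contains exactly the signed peer certificate, the CA certificate and one private key. The temporary CA, the minimal openssl.cnf, the peer name vpn-gateway and the export password are assumptions of this example; real keys are created with passphrases, not with -nodes.

```shell
#!/bin/sh
# Added example, not the bintec manual's own script: the three CA.sh steps for
# one VPN peer, driven with plain openssl calls so that they run unattended.
# Assumptions: OpenSSL >= 1.1.1 on PATH; all paths are relative to the working
# directory, mirroring the page (demoCA/ for the CA, one folder per peer).
set -eu

# Throw-away CA in ./demoCA, the layout CA.sh -newca creates. The config is the
# minimum 'openssl ca' needs. -nodes leaves cakey.pem unencrypted for the demo
# only; a real CA key is protected by a passphrase and never leaves the CA.
make_ca() {
    mkdir -p demoCA/private demoCA/newcerts
    : > demoCA/index.txt            # database of issued certificates
    echo 01 > demoCA/serial         # next serial number (hex)
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
x509_extensions = usr_cert
unique_subject = no
[ policy_anything ]
commonName = supplied
organizationName = optional
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config openssl.cnf \
        -subj "/CN=$1" -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
    chmod 600 demoCA/private/cakey.pem
}

# Step 1 (CA.sh -newreq): new RSA key pair plus certificate request in PEER/.
# CA.sh asks for a PEM passphrase for newkey.pem; -nodes skips that here.
new_request() {
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=$1" -keyout "$1/newkey.pem" -out "$1/newreq.pem"
    chmod 600 "$1/newkey.pem"
}

# Step 2 (CA.sh -sign): the CA signs the request; openssl ca also records the
# certificate in demoCA/index.txt and keeps a copy in demoCA/newcerts/.
sign_request() {
    openssl ca -config openssl.cnf -batch -in "$1/newreq.pem" -out "$1/newcert.pem"
}

# Step 3: CA certificate + peer certificate + peer private key in one
# password-protected PKCS#12 file. Only cacert.pem goes in, never cakey.pem.
export_p12() {   # PEER OUTFILE PASSWORD
    openssl pkcs12 -export -in "$1/newcert.pem" -inkey "$1/newkey.pem" \
        -certfile demoCA/cacert.pem -name "$1" -out "$2" -passout "pass:$3"
}

# SHA-256 fingerprint of the first PEM certificate on stdin.
fingerprint() { openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//'; }

# Check before shipping: the peer cert chains to the CA, the bundle holds
# exactly the files we signed, and it carries one private key (the peer's).
check_bundle() {   # PEER P12FILE PASSWORD
    openssl verify -CAfile demoCA/cacert.pem "$1/newcert.pem" >/dev/null
    want_peer=$(fingerprint < "$1/newcert.pem")
    want_ca=$(fingerprint < demoCA/cacert.pem)
    got_peer=$(openssl pkcs12 -in "$2" -passin "pass:$3" -nokeys -clcerts | fingerprint)
    got_ca=$(openssl pkcs12 -in "$2" -passin "pass:$3" -nokeys -cacerts | fingerprint)
    keys=$(openssl pkcs12 -in "$2" -passin "pass:$3" -nocerts -nodes |
           grep -c 'BEGIN .*PRIVATE KEY' || true)
    [ "$got_peer" = "$want_peer" ] && [ "$got_ca" = "$want_ca" ] && [ "$keys" = 1 ]
}

main() {
    work=$(mktemp -d)
    cd "$work"
    make_ca "Demo VPN CA"
    new_request vpn-gateway
    sign_request vpn-gateway
    export_p12 vpn-gateway vpn-gateway/vpn-gateway1.p12 "${EXPORT_PASSWORD:-change-me}"
    check_bundle vpn-gateway vpn-gateway/vpn-gateway1.p12 "${EXPORT_PASSWORD:-change-me}"
    echo "bundle ready: $work/vpn-gateway/vpn-gateway1.p12"
}
main
```

Run it as-is and it builds everything in a temporary directory; repeat new_request, sign_request and export_p12 with another peer name for each client. With OpenSSL 3 the PKCS#12 file is encrypted with AES-256 and PBKDF2 by default; a client that only understands the older RC2/3DES PKCS#12 algorithms needs the bundle exported with openssl pkcs12 -export -legacy instead.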

Creation of a new key along with a certificate request (CA.sh -newreq):

Signing of the certificate request with the certification authority (CA.sh -sign):

Export of certificates (CA certificate and user certificate), incl. keys (public and private user key) in PKCS#12 format using OpenSSL: