====== Scenario 3.2: Issue Client Certificate ======
**Category:** [[.:start|Issue Certificates]] \\
**Complexity:** *** (Medium-High) \\
**Prerequisites:** CSR available, Intermediate CA \\
**Estimated Time:** 10-15 minutes
----
===== Description =====
This scenario describes issuing a **client certificate** for mTLS authentication. Client certificates enable strong authentication of users or services to servers.
**Use cases:**
* mTLS API access
* Service-to-service authentication
* VPN access
* Smart Card / PIV login
----
===== Code Example (C#) =====
<code csharp>
using System;
using System.IO;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load Intermediate CA (certificate and password-protected private key)
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Load CSR and verify the proof of possession before issuing anything
var csr = ctx.LoadCertificateRequest(File.ReadAllText("client.csr.pem"));
csr.VerifySignature();

// Issue client certificate
var clientCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        // End-entity certificate: must not be able to sign other certificates
        .BasicConstraints(ca: false, critical: true)
        // Key Usage: only signature (no key encipherment for clients)
        .KeyUsage(KeyUsageFlags.DigitalSignature, critical: true)
        // Extended Key Usage: client authentication only
        .ExtendedKeyUsage(ExtKeyUsage.ClientAuth)
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(caCert)
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);

clientCert.ToPemFile("client.crt.pem");
Console.WriteLine($"Client certificate issued: {clientCert.Subject}");
</code>
----
===== Service Account Certificate =====
For microservices and automated systems, the same issuing call is used with a short validity and service-specific SANs (''csr'' here is the CSR submitted by the service, as in scenario 2.2):
<code csharp>
// Service certificate with service account name
var serviceCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 90, // Short validity for automatic rotation
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false)
        .KeyUsage(KeyUsageFlags.DigitalSignature)
        .ExtendedKeyUsage(ExtKeyUsage.ClientAuth)
        // Service-specific SANs: DNS name and SPIFFE ID of the workload
        .SubjectAlternativeName(new[] {
            "dns:payment-service.internal",
            "uri:spiffe://cluster.local/ns/default/sa/payment-service"
        })
        .Build()
);
</code>
----
===== Difference to Server Certificate =====
^ Aspect ^ Server Certificate ^ Client Certificate ^
| Extended Key Usage | serverAuth | clientAuth |
| Key Usage | digitalSignature + keyEncipherment | digitalSignature |
| Subject | DNS name | User/service name |
| SAN Types | DNS, IP | Email, UPN, DNS |
| Validity | 1-2 years | 90 days - 1 year |
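A defender-side check of an issued certificate against the client profile in the table above, written as an added example with the standard .NET X.509 API rather than the WvdS library (it is not code from the original page). It assumes the output file ''client.crt.pem'' from the issuing example and reports every deviation from the profile instead of stopping at the first.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

static class ClientCertProfile
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth

    // Returns all profile violations; an empty list means the certificate matches the client profile.
    public static List<string> Check(X509Certificate2 cert)
    {
        var problems = new List<string>();
        bool sawBasic = false, sawKu = false, sawEku = false;
        foreach (var ext in cert.Extensions)
        {
            if (ext is X509BasicConstraintsExtension bc)
            {
                sawBasic = true;
                if (bc.CertificateAuthority) problems.Add("BasicConstraints: CA=true on an end-entity certificate");
                if (!bc.Critical) problems.Add("BasicConstraints: not marked critical");
            }
            else if (ext is X509KeyUsageExtension ku)
            {
                sawKu = true;
                if (!ku.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature)) problems.Add("KeyUsage: digitalSignature missing");
                if (ku.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment)) problems.Add("KeyUsage: keyEncipherment set (server profile)");
                if (ku.KeyUsages.HasFlag(X509KeyUsageFlags.KeyCertSign)) problems.Add("KeyUsage: keyCertSign set on a client certificate");
            }
            else if (ext is X509EnhancedKeyUsageExtension eku)
            {
                sawEku = true;
                bool hasClient = false, hasServer = false;
                foreach (var oid in eku.EnhancedKeyUsages)
                {
                    if (oid.Value == ClientAuthOid) hasClient = true;
                    if (oid.Value == ServerAuthOid) hasServer = true;
                }
                if (!hasClient) problems.Add("ExtendedKeyUsage: clientAuth missing");
                if (hasServer) problems.Add("ExtendedKeyUsage: serverAuth present (should be a separate server certificate)");
            }
        }
        if (!sawBasic) problems.Add("BasicConstraints extension missing");
        if (!sawKu) problems.Add("KeyUsage extension missing");
        if (!sawEku) problems.Add("ExtendedKeyUsage extension missing");
        // Validity window from the table: 90 days to 1 year (a leap year allows 366 days)
        if ((cert.NotAfter - cert.NotBefore).TotalDays > 366) problems.Add("Validity longer than one year");
        return problems;
    }

    static void Main()
    {
        using var cert = X509Certificate2.CreateFromPemFile("client.crt.pem"); // file name assumed from the issuing example
        var problems = Check(cert);
        Console.WriteLine(problems.Count == 0 ? "client profile OK" : string.Join(Environment.NewLine, problems));
    }
}
```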
----
===== PFX for Windows/Browser =====
The PFX bundles the certificate, its chain and the **client's private key**. That key was generated together with the CSR (scenario 2.2) and is held by the requester, not by the CA, so this step runs where the key lives.
<code csharp>
// Client private key created alongside the CSR in scenario 2.2 (file name and password assumed here)
var clientKey = ctx.LoadPrivateKey("client.key.pem", "ClientKeyPassword!");

// Create PFX for import into browser/Windows
var pfxData = ctx.ExportToPfx(
    certificate: clientCert,
    privateKey: clientKey,
    chain: new[] { caCert },
    password: "UserPassword123!",
    friendlyName: "John Doe - Client Cert"
);
File.WriteAllBytes("client.pfx", pfxData);
</code>
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Prerequisite** | [[en:int:pqcrypt:szenarien:csr:csr_client|2.2 Client CSR]] | Create CSR |
| **Next Step** | [[en:int:pqcrypt:szenarien:authentifizierung:mtls_client_auth|9.1 mTLS Client Auth]] | Use certificate |
| **Related** | [[.:server_cert|3.1 Server Certificate]] | Counterpart |
----
<< [[.:server_cert|<- 3.1 Server Certificate]] | [[.:start|^ Certificates Overview]] | [[.:codesign_cert|3.3 Code-Signing ->]] >>
{{tag>scenario certificate client mtls authentication}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//