====== Scenario 3.2: Emettere certificato client ======
**Categoria:** [[.:start|Emettere certificati]] \\
**Complessità:** Media \\
**Prerequisiti:** CSR presente, Intermediate-CA \\
**Tempo stimato:** 10-15 minuti
----
===== Descrizione =====
Questo scenario descrive l'emissione di un **certificato client** per autenticazione mTLS. I certificati client consentono l'autenticazione forte di utenti o servizi verso i server.
**Casi d'uso:**
* Accesso API mTLS
* Autenticazione service-to-service
* Accesso VPN
* Login Smart Card / PIV
----
===== Esempio codice (C#) =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
using var ctx = PqCryptoContext.Initialize();
// Intermediate-CA laden
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");
// CSR laden
var csr = ctx.LoadCertificateRequest(File.ReadAllText("client.csr.pem"));
csr.VerifySignature();
// Client-Zertifikat ausstellen
var clientCert = ctx.IssueCertificate(
csr,
issuerCert: caCert,
issuerKey: caKey,
serialNumber: ctx.GenerateSerialNumber(),
validDays: 365,
extensions: new ExtBuilder()
.BasicConstraints(ca: false, critical: true)
// Key Usage: Nur Signatur (kein Key Encipherment für Clients)
.KeyUsage(KeyUsageFlags.DigitalSignature, critical: true)
// Extended Key Usage: Client Auth
.ExtendedKeyUsage(ExtKeyUsage.ClientAuth)
.SubjectKeyIdentifier(csr.PublicKey)
.AuthorityKeyIdentifier(caCert)
.CrlDistributionPoint("http://crl.example.com/intermediate.crl")
.Build()
);
clientCert.ToPemFile("client.crt.pem");
Console.WriteLine($"Client-Zertifikat ausgestellt: {clientCert.Subject}");
----
===== Certificato Service-Account =====
Per microservizi e sistemi automatizzati:
// Service-Zertifikat mit Service-Account-Namen
var serviceCert = ctx.IssueCertificate(
csr,
issuerCert: caCert,
issuerKey: caKey,
validDays: 90, // Kurze Gültigkeit für automatische Rotation
extensions: new ExtBuilder()
.BasicConstraints(ca: false)
.KeyUsage(KeyUsageFlags.DigitalSignature)
.ExtendedKeyUsage(ExtKeyUsage.ClientAuth)
// Service-spezifische SANs
.SubjectAlternativeName(new[] {
"dns:payment-service.internal",
"uri:spiffe://cluster.local/ns/default/sa/payment-service"
})
.Build()
);
----
===== Differenza dal certificato server =====
^ Aspetto ^ Certificato server ^ Certificato client ^
| Extended Key Usage | serverAuth | clientAuth |
| Key Usage | digitalSignature + keyEncipherment | digitalSignature |
| Subject | Nome DNS | Nome utente/servizio |
| Tipi SAN | DNS, IP | Email, UPN, DNS |
| Validità | 1-2 anni | 90 giorni - 1 anno |
----
===== PFX per Windows/Browser =====
// PFX erstellen für Import in Browser/Windows
var pfxData = ctx.ExportToPfx(
certificate: clientCert,
privateKey: clientKey,
chain: new[] { caCert },
password: "UserPassword123!",
friendlyName: "Max Mustermann - Client Cert"
);
File.WriteAllBytes("client.pfx", pfxData);
----
===== Scenari correlati =====
^ Relazione ^ Scenario ^ Descrizione ^
| **Prerequisito** | [[it:int:pqcrypt:szenarien:csr:csr_client|2.2 CSR Client]] | Creare CSR |
| **Passo successivo** | [[it:int:pqcrypt:szenarien:authentifizierung:mtls_client_auth|9.1 mTLS Client-Auth]] | Utilizzare certificato |
| **Correlato** | [[.:server_cert|3.1 Certificato server]] | Controparte |
----
<< [[.:server_cert|← 3.1 Certificato server]] | [[.:start|↑ Panoramica certificati]] | [[.:codesign_cert|3.3 Code-Signing →]] >>
{{tag>scenario certificato client mtls autenticazione}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//