Scenario 3.2: Issue Client Certificate

Category: Issue Certificates
Complexity: * (Medium-High)
Prerequisites: CSR available, Intermediate CA
Estimated Time: 10-15 minutes </WRAP> —- ===== Description ===== This scenario describes issuing a client certificate for mTLS authentication. Client certificates enable strong authentication of users or services to servers. Use cases: * mTLS API access * Service-to-service authentication * VPN access * Smart Card / PIV login —- ===== Code Example (C#) ===== <code csharp> using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; using var ctx = PqCryptoContext.Initialize(); Load Intermediate CA var caCert = ctx.LoadCertificate(„intermediate-ca.crt.pem“); var caKey = ctx.LoadPrivateKey(„intermediate-ca.key.pem“, „CaPassword!“); Load CSR var csr = ctx.LoadCertificateRequest(File.ReadAllText(„client.csr.pem“)); csr.VerifySignature(); Issue client certificate var clientCert = ctx.IssueCertificate( csr, issuerCert: caCert, issuerKey: caKey, serialNumber: ctx.GenerateSerialNumber(), validDays: 365, extensions: new ExtBuilder() .BasicConstraints(ca: false, critical: true) Key Usage: Only signature (no key encipherment for clients) .KeyUsage(KeyUsageFlags.DigitalSignature, critical: true) Extended Key Usage: Client Auth .ExtendedKeyUsage(ExtKeyUsage.ClientAuth) .SubjectKeyIdentifier(csr.PublicKey) .AuthorityKeyIdentifier(caCert) .CrlDistributionPoint(„http://crl.example.com/intermediate.crl“) .Build() ); clientCert.ToPemFile(„client.crt.pem“); Console.WriteLine($„Client certificate issued: {clientCert.Subject}“); </code> —- ===== Service Account Certificate ===== For microservices and automated systems: <code csharp> Service certificate with service account name var serviceCert = ctx.IssueCertificate( csr, issuerCert: caCert, issuerKey: caKey, validDays: 90, Short validity for automatic rotation extensions: new ExtBuilder() .BasicConstraints(ca: false) .KeyUsage(KeyUsageFlags.DigitalSignature) .ExtendedKeyUsage(ExtKeyUsage.ClientAuth) Service-specific SANs .SubjectAlternativeName(new[] { „dns:payment-service.internal“, „uri:spiffe:cluster.local/ns/default/sa/payment-service“ }) .Build() ); </code> —- ===== Difference to Server Certificate ===== ^ Aspect ^ Server Certificate ^ Client Certificate ^ | Extended Key Usage | serverAuth | clientAuth | | Key Usage | digitalSignature + keyEncipherment | digitalSignature | | Subject | DNS name | User/service name | | SAN Types | DNS, IP | Email, UPN, DNS | | Validity | 1-2 years | 90 days - 1 year | —- ===== PFX for Windows/Browser ===== <code csharp> Create PFX for import into browser/Windows var pfxData = ctx.ExportToPfx( certificate: clientCert, privateKey: clientKey, chain: new[] { caCert }, password: „UserPassword123!“, friendlyName: „John Doe - Client Cert“ ); File.WriteAllBytes(„client.pfx“, pfxData); </code> —- ===== Related Scenarios ===== ^ Relationship ^ Scenario ^ Description ^ | Prerequisite | 2.2 Client CSR | Create CSR | | Next Step | 9.1 mTLS Client Auth | Use certificate | | Related** | 3.1 Server Certificate | Counterpart |

« <- 3.1 Server Certificate | ^ Certificates Overview | 3.3 Code-Signing -> »

scenario, certificate, client, mtls, authentication

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional