[Last updated August 29, 2019] In this post, we show you how to create a client certificate. Client certificates are the key elements of client certificate authentication, a method you can use to augment your HTTPS, FTPS, or AS2 server's username-password login method.
This is actually just one of three closely related posts that can help you take advantage of this lesser-known security feature of SSL/TLS. The other two posts are:
Note: If you want to follow this tutorial, we encourage you to download the free, fully-functional evaluation edition of JSCAPE MFT Server.
Let's begin the tutorial.
1. Launch the Key Manager and generate the client certificate
Go to Keys > Client Keys tab and then click the Generate button.
If you’ve tried setting up SFTP public key authentication on MFT Server before, this is exactly the same place where you create a SFTP key.
2. Enter client certificate details
Fill in the fields in the Generate Client Key dialog. You'll need to enter the following information (note that we will be using the terms "certificate" and "key" interchangeably here):
Key alias - The key alias is just the name that will be used in referring to this particular key within the JSCAPE MFT Server Manager environment, e.g. as2server1clientkey
Key algorithm - Choose between RSA and DSA. Click that link for an enlightening discussion on these two key algorithms.
Key length - Choose between 1024, 2048, and 4096. Read the post "Choosing Key Lengths for Encrypted File Transfers" if you need more information on the subject.
Validity - Specifies how many days you would like this key to remain valid.
Common name (CN) - This is the name associated with this client-side certificate. If the client using this certificate will be manually operated by a person, then the usual practice is to enter that person’s email address. If it’s a machine, enter the hostname of that machine. For this example, let’s just use the key alias.
Organization unit (OU) - Indicates the specific unit in your organization that will be using this key, e.g. Accounting or IT
Organization (O) - The name of the user's organization
Locality (L) - The name of the user's city.
State/Province (ST) - The name of the user's state or province.
Country (C) - The user's 2-character country code, e.g. "US"
3. Export the client certificate
After you click OK, you'll be prompted to export the client certificate's private key file. Enter a filename for that file. Enter a password as well to protect it. Lastly, specify a format. We recommend PKCS12. Click OK to proceed.
You can then save the file when prompted. Make sure you save that file in a safe place.
4. Check out your newly created client certificate
Your newly created client certificate should then be added to your Client Keys under the Certificates node. Double-check it to see if everything's good.
Now that you have your newly created client certificate, you can then load the pfx private key file you recently exported onto a user's client application. However, in most cases, when using JSCAPE MFT Server, you would simply load that file to your trading partner module. You could then export this certificate’s corresponding public key and load that key to a trading partner’s remote service.
The trading partner module of your JSCAPE MFT Server instance usually acts as a client to a trading partner’s remote service. With the private key in your trading partner module and its corresponding public key in your trading partner’s remote service, you can then begin using client certificate authentication. That is, the remote service can authenticate your host by checking that your private key corresponds to the public key it holds.
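For readers who want to reproduce steps 1 to 4 and the public key export outside the Key Manager, here is an added example using OpenSSL. It is not JSCAPE's own code or procedure. The function names, the subject values and the P12_PASS environment variable are assumptions made for illustration, and it assumes a self-signed certificate.

```sh
#!/bin/sh
# Added example (not JSCAPE code). All names and subject values are constructed.
# The export password is read from the P12_PASS environment variable so it
# does not show up in the process list or in shell history.

# make_client_p12 <alias> <bits> <days> <subject-dn> <out.p12>
make_client_p12() (
  name=$1 bits=$2 days=$3 subj=$4 out=$5
  umask 077                          # key material readable by the owner only
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT          # remove the intermediate PEM files
  # Steps 1-2: RSA key pair plus a certificate carrying the DN fields.
  # Assumption: the certificate is self-signed rather than issued by a CA.
  openssl req -x509 -newkey "rsa:$bits" -sha256 -days "$days" -subj "$subj" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" -passout env:P12_PASS 2>/dev/null &&
  # Step 3: bundle key and certificate into a password-protected PKCS#12 file.
  openssl pkcs12 -export -name "$name" -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
    -passin env:P12_PASS -passout env:P12_PASS -out "$out"
)

# export_public_cert <in.p12> <out.pem>
# Writes the certificate only (never the private key); this is the file
# that goes to the trading partner's remote service.
export_public_cert() {
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    openssl x509 -out "$2"
}

# Step 4 checks: key size in bits and Common Name of a PEM certificate.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}
```

Set P12_PASS in the environment, call make_client_p12 with the alias, key length, validity in days, subject and output file, then run export_public_cert and confirm the key size and Common Name before handing the certificate to a trading partner.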
If you’re still having a hard time grasping the concept, don’t worry. In our next post, we'll show you how to put your newly created client certificate to good use by enabling client certificate authentication on JSCAPE MFT Server's AS2 service. So stay tuned for that!
In the meantime, thank you for joining us.
JSCAPE MFT Server is a platform-independent, multi-protocol (FTP, FTPS, SFTP, HTTP, HTTPS, WebDAV, WebDAVs, SCP, AS2, OFTP, TFTP, AFTP, etc.) managed file transfer server that comes pre-loaded with several security and automation features. Download a free, fully-functional evaluation edition now.