How To Create A Client Certificate

Posted by John Carl Villanueva on Thu, Aug 29, 2019 @ 07:06 AM

[Last updated August 29, 2019] In this post, we show you how to create a client certificate. Client certificates are the key elements of client certificate authentication, a method you can use to augment your HTTPS, FTPS, or AS2 server's username-password login method. 

Watch the video 

Would you prefer to watch a video version of this tutorial instead? You can play the video below. Otherwise, just skip it if you wish to continue reading.

This is actually just one of three closely related posts that can help you take advantage of this less-known security feature of SSL/TLS. The other two posts are:

What Is Client Certificate Authentication?


How To Import A Client Certificate To Firefox

Note:  If you want to follow this tutorial, we encourage you to download the free, fully-functional evaluation edition of JSCAPE MFT Server

Let's begin the tutorial.

1. Launch the Key Manager and generate the client certificate

Go to Keys  > Client Keys tab and then click the Generate button.


keys client keys generate


If you’ve tried setting up SFTP public key authentication on MFT Server before, this is exactly the same place where you create a SFTP key.

2. Enter client certificate details

Fill up the fields in the Generate Client Key dialog. You'll need to enter the following information (note that we will be using the terms "certificate" and "key" interchangeably here):

Key alias - The key alias is just the name that will be used in referring to this particular key within the JSCAPE MFT Server Manager environment, e.g. as2server1clientkey

Key algorithm - Choose between RSA or DSA. Click that link for an enlightening discussion on these two key algorithms.

Key length - Choose between 1024, 2048, and 4096. Read the post "Choosing Key Lengths for Encrypted File Transfers" if you need more information on the subject.

Validity - Specifies how many days you would like this key to remain valid.

Common name (CN) - This is the name associated with this client-side certificate. If the client using this certificate will be manually operated by a person, then the usual practice is to enter that person’s email address. If it’s a machine, then the hostname of that machine. Let’s just use the key alias for this example

Organization unit (OU) - Indicates the specific unit in your organization that will be using this key, e.g. Accounting or IT

Organization (O) - The name of the user's organization

Locality (L) - The name of the user's city.

State/Province (ST) - The name of the user's state or province.

Country (C) - The user's 2-character country code, e.g. "US"


generate client key dialog


3. Export the client certificate

After you click OK, you'll be prompted to export the client certificate's private key file. Enter a filename for that file. Enter a password as well to protect it. Lastly, specify a format. We recommend PKCS12. Click OK to proceed.


export private key dialog


Save the file when prompted.


save exported private key file


You can then save the file when prompted. Make sure you save that file in a safe place.

4. Check out your newly created client certificate

 Your newly created client certificate should then be added to your Client Keys under the Certificates node. Double-check it to see if everything's good.


newly created client certificate


Now that you have your newly created client certificate, you can then load the pfx private key file you recently exported onto a user's client application. However, in most cases, when using JSCAPE MFT Server, you would simply load that file to your trading partner module. You could then export this certificate’s corresponding public key and load that key to a trading partner’s remote service.

The trading partner module of your JSCAPE MFT Server instance usually acts as a client to a trading partner’s remote service, so with the private key in your trading partner module and its corresponding public key in your trading partner’s remote service, you can then commence with client certificate authentication. That is, that remote service can authenticate your host by checking if the two keys match. 

If you’re still having a hard time grasping the concept. Don’t worry. In our next post, we'll show you how to put your newly created client certificate to good use by enabling client certificate authentication on JSCAPE MFT Server's AS2 service. So stay tuned for that!

In the meantime, thank you for joining us.


Get Started

JSCAPE MFT Server is a platform-independent, multi-protocol (FTP, FTPS, SFTP, HTTP, HTTPS, WebDAV, WebDAVs, SCP, AS2, OFTP, TFTP, AFTP, etc.) managed file transfer server that comes pre-loaded with several security and automation features. Download a free, fully-functional evaluation edition now.


Download Now

We'd love to engage with you on social media. Do connect with us ...


Topics: JSCAPE MFT Server, Managed File Transfer, Security, Secure File Transfer