Introduction

Secure Socket Layer (SSL) certificates play a crucial role in ensuring the security and integrity of data transmitted over the internet. In addition to encrypting communication between a server and a client, SSL certificates can also support client authentication. This article will walk you through the process of creating an SSL certificate with client authentication support using the Microsoft Certificate Manager and a trusted certificate authority (CA). 


Prerequisites

Before we begin, make sure you have the following prerequisites in place: 

  • Microsoft Certificate Manager: This tool is available on Windows operating systems and provides a user-friendly interface for managing certificates. 
  • Trusted Certificate Authority: Choose a reputable certificate authority (CA) that supports client authentication or use an internal certificate authnority that is trusted by your organisation. 


Step 1 - Generate a Certificate Signing Request (CSR)

  1. Launch the Microsoft Certificate Manager. You can access it by typing "certmgr.msc" in the Run dialog box or the command prompt. 
  2. In the Certificate Manager, navigate to the "Personal" folder and right-click on "Certificates." Select "All Tasks" and then "Advanced Operations," followed by "Create Custom Request." 
  3. Choose "Proceed without enrolment policy" and click "Next." 
  4. Select a suitable server template. The template needs to support creation of certificates with both the "Client Authentication" and "Server Authentication" intended purposes. Click "Next." 
  5. Choose the desired cryptographic service provider and key size. For client authentication, a key size of 2048 bits is recommended. Click "Next." 
  6. In the "Certificate Information" section, click on Details and then click on Properties
    1. In the "Subject" section enter the necessary details, including the Common Name (CN) of the certificate, which should match the domain name of the server associated with the SSL certificate. Please ensure that the Subject section complies with the restrictions listed below.
    2. In the "Extensions" section open the "Extended Key Usage" section, select "Server Authentication" and "Client Authentication" and click "Add."
  7. Click OK to close the certificate Properties and click "Next."
  8. Enter a file name and click "Finish" to generate the CSR file. 


Step 2 - Submit the CSR to the Certificate Authority (CA)

  1. Save the CSR file generated in Step 1 to your local machine. 
  2. Go to the website of your chosen certificate authority (CA) and locate their certificate issuing portal. 
  3. Follow the instructions provided by the CA to submit the CSR file. Provide any additional information required during the process. 
  4. Pay the necessary fees, if applicable, and complete the validation process specified by the CA.
  5. Once the CA verifies the information and approves the request, they will issue the SSL certificate with client authentication support. 


Step 3 - Install the SSL Certificate

  1. After receiving the SSL certificate from the CA, save it to your local machine. 
  2. Launch the Microsoft Certificate Manager and navigate to the "Personal" folder. 
  3. Right-click on "Certificates" and select "All Tasks" > "Import."
  4. Follow the Import Wizard to locate and import the SSL certificate file. 
  5. Once the import process is complete, the SSL certificate will be available in the "Personal" folder of the Certificate Manager. 


Step 4 - Export the Certificate in a PCKS#12 keystore

  1. Launch the Microsoft Certificate Manager and navigate to the "Personal" folder. 
  2. Click on "Certificates", select the desired certificate, rigth click and choose "All Tasks" > "Export".
  3. Select "Yes, export the private key" and click Next.
  4. Choose the Personal Information Exchange - PKCS#12 format, select "Include all certificates in the certification path if possible" and "Export all extended properties" and click Next
  5. Enter a file Name and click Next
  6. Review all settings and click Finish.
  7. The PCKS#12 keystore can be used during installation of a Connector.

Step 5 - Export the Certificate in a PCKS#7 keystore

  1. Launch the Microsoft Certificate Manager and navigate to the "Personal" folder. 
  2. Click on "Certificates", select the desired certificate, rigth click and choose "All Tasks" > "Export".
  3. Choose the Cryptographic Message Syncax Standard - PKCS#7 format, select "Include all certificates in the certification path if possible" and click Next
  4. Enter a file Name and click Next
  5. Review all settings and click Finish.
  6. The PCKS#7 keystore can be sent to EnergySys for validation of the certificate and to establish trust of the certificate chain.


Restrictions on Certificate Subject

  • Subject should be less than 100 characters in length, including white spaces
  • Subject should not contain the wildcard character *
  • Subject should contain only the following characters:
    • alphanumeric characters: a-z, A-Z and 0-9
    • special characters are restricted to: _ :;.,\/"'?!(){}[]@<>=-+#$&|~^%