Automate Guide
AppService status

mTLS authentication

Suggest Edits

Currently, most of the algorithms are supported. Those include, but are not limited to:

  • Generating key pairs: RSA, ECDSA
  • Signing certificate: SHA-256 with RSA, SHA-384 with ECDSA
  • Encrypting private key: 3DES, AES (128 or 256 bit)

Creating client keys and sharing public keys with external API manager

Step 1: Generate an RSA Private Key

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out client.key -aes256
  • openssl genpkey: Command to generate a private key.
  • -algorithm RSA: Specifies the RSA algorithm.
  • -pkeyopt rsa_keygen_bits:4096: Sets the RSA key size to 4096 bits (a significant increase in strength over 2048).
  • -out client-rsa-4096.key: Output file for your private key.
  • -aes256: Encrypts the generated private key file with AES-256. You will be prompted for a strong passphrase. Remember this passphrase!

You can use different parameters depending on the requirements of the external API

Step 2: Generate a Certificate Signing Request (CSR) with SHA-256

openssl req -new -key client.key -out client.csr -sha256
  • openssl req: Command for CSR generation.
  • -new: New CSR.
  • -key client.key: Your private key. You'll be prompted for its passphrase.
  • -out client.csr: Output CSR file.
  • -sha256: Specifies that the CSR itself should be signed using SHA-256 (this is for the integrity of the CSR, the certificate signature is in the next step).

You'll be prompted for CSR information (Country, State, Common Name, etc.). As mentioned before, for client certificates, the Common Name (CN) is often a username or identifier. Check with the server admin for requirements.

Step 3: Generate a Self-Signed Certificate with a Signature Algorithm

We'll use SHA-384 here for the certificate signature for very strong security. SHA-256 is also a very good and widely compatible choice.

# Using SHA-384 for the certificate signature
openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt -sha384
# OR, for SHA-256 (still very strong and possibly more compatible with older systems)
# openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt -sha256
  • openssl x509: Command for X.509 certificate management.
  • -req: Input is a CSR.
  • -days 365: Validity period.
  • -in client.csr: Input CSR file.
  • -signkey client.key: Private key for signing. You'll be prompted for its passphrase.
  • -out client.crt: Output certificate file.
  • -sha384 (or -sha256): Specifies the digest algorithm to use for signing the certificate. SHA-384 and SHA-256 are strong choices.

Step 4: Create the PKCS#12 (.p12) File with Encryption

openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
  • openssl pkcs12 -export: Creates a PKCS#12 file.
  • -out client.p12: Output .p12 file.
  • -inkey client.key: Your private key. You'll be prompted for its passphrase.
  • -in client.crt: Your certificate.
  • -keypbe AES-256-CBC: Specifies AES-256 (CBC mode) for encrypting the private key within the PKCS#12 file.
  • -certpbe AES-256-CBC: Specifies AES-256 (CBC mode) for encrypting the certificate(s) within the PKCS#12 file.
  • -macalg sha256: Uses SHA-256 for the Message Authentication Code (MAC), which ensures the integrity of the PKCS#12 bundle.

You will be prompted to enter an "Export Password". This is the passphrase that protects the client.p12 file. Choose a strong, unique passphrase.

Important Considerations:

  • Passphrases: Use strong, unique passphrases for your private key file and for the PKCS#12 export password.
  • Compatibility: While these algorithms (RSA 4096, ECC P-384, AES-256, SHA256/384) are widely supported by modern systems, if you are interacting with very old legacy systems, you might encounter compatibility issues. SHA-256 for the certificate signature is generally a safe bet for wide compatibility while still being very secure.
  • File Management:
    • client.key : Keep this extremely secret and secure.
    • client.crt: Share this with the server admin.
    • client.p12: This is what Automate will use. Keep it secure. You'll need its export password to import it.
    • client.csr: Can often be deleted after the certificate is created unless needed for other purposes.

Updated 8 days ago