Host Checking with Machine Certificate verification (using OpenSSL for certification)

Host Checking with Machine Certificate verification (using OpenSSL for certification).

Configure Host Checker to verify Machine Certificate.

Note: The commands in the procedure below are executed on a Windows machine using the

openssl.cnf file

1	openssl.cnf file

. If you are running OpenSSL on a Unix machine, remove –

config C:\OpenSSL-Win32\bin\openssl.cnf

1	config C:\OpenSSL-Win32\bin\openssl.cnf

from the command.

Create a Certificate Authority using OpenSSL (3 steps)

1. Create CA Private Key.

openssl genrsa -out ca.key 2048

1	openssl genrsa -out ca.key 2048

2. Create CA Certificate from the Private Key.

openssl req -config C:\OpenSSL-Win32\bin\openssl.cnf -new -x509 -days 365 -key ca.key -out ca.crt

1	openssl req -config C:\OpenSSL-Win32\bin\openssl.cnf -new -x509 -days 365 -key ca.key -out ca.crt

Enter all the details for the Distinguished Name of the certificate, such as country, organization name, common name, and so on, when prompted.

3. Combine ca.crt and ca.key into One File.

openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12

1	openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12

Enter an export password for the p12 file when prompted (the password can be left blank).

Create a Client Certificate using OpenSSL (4 steps)

1. Create a Client Private Key.

openssl genrsa -out client.key 2048

1	openssl genrsa -out client.key 2048

2. Create a Client Certificate Signing Request using Client Key.

openssl req -new -key client.key -out client.csr

1	openssl req -new -key client.key -out client.csr

Enter all the details for the Distinguished Name of the certificate, such as country, organization name, common name, and so on, when prompted.

3. Sign the Request with CA to Create the Client Certificate.

openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

1	openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

4. Combine Client Certificate and Key File into One File.

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

1	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

Note:

Configure Machine Authentication (5 steps)

1. Upload the CA (ca.crt) Certificate under Trusted Client CAs.

2. Create a New Host Checker Policy and add a New Rule Setting of Type Custom:Machine Certificate.

3. Select the Machine Certificate you want to Verify as Part of Host Checking.

4. Create Separate Custom: Machine Certificate Rules for Different Client Computers with Different Certificates Installed on Them.

Configuring Client Certificate on Client Machine

Install the client certificate on the corresponding client machine under Trusted Root Certification Authorities > Personal certificate stores.

1. Go to Start > Run > type mmc and click OK.

2. On the console go to File > Add/Remove Snap-ins. Select Certificates from the list.

3.Click Add and press Ok.

4.Select Computer account and click Next.

5.On the next window, select Local Computer then click Finish.

6. Import the client certificate (*.p12) under Certificates (Local Computer) > Personal > Certificates as shown above.