Machine Certificates

Special type of client certificate used to validate a machine hardware identity. These are tied to a specific machine and only have clientAuth extensions added.

Create Machine Private Key and Certificate

Create the private key and certificate signing request.
openssl genrsa -out /root/ca/inter/private/{MACHINE}.key.pem 4096
chmod 0400 /root/ca/inter/private/{MACHINE}.key.pem
openssl req -config /root/ca/inter/inter.ca -key /root/ca/inter/private/{MACHINE}.key.pem -new -sha512 -out /root/ca/inter/csr/{MACHINE}.csr.pem

Warning

Requiring a password -aes256 for the private key will require that password to be entered everytime the certifcate is used (e.g. authenticating to a service). Given the short lived nature of these certificates and that it is providing a machine identity, generally no password is used and CRL/OSCP are used to invalidate any exposed certifiates to prevent access.

Sign certificate signing request.
openssl ca -config /root/ca/inter/inter.ca -extensions machine_cert -days 375 -notext -md sha512 -in /root/ca/inter/csr/{MACHINE}.csr.pem -out /root/ca/inter/certs/{MACHINE}.cert.pem
chmod 444 /root/ca/inter/certs/{MACHINE}.cert.pem
openssl x509 -noout -text -in /root/ca/inter/certs/{MACHINE}.cert.pem
openssl verify -CAfile /root/ca/inter/certs/ca-chain.cert.pem /root/ca/inter/certs/{MACHINE}.cert.pem
  • Machine certificates should be much shorter lifetime that CA’s. They should be revoked and re-created whenever a machine is new or re-installed.

  • The verify command should return OK.

  • both ca-chain.cert.pem and {MACHINE}.cert.pem need to be distributed if Root CA is not in the trusted CA store.