
Server Load Balancer: Generate a CA certificate

Last Updated: Feb 01, 2026

For mutual TLS (mTLS) authentication, CLB (Classic Load Balancer) requires a CA certificate to verify client certificates. This topic describes how to generate a self-signed CA certificate with OpenSSL and how to use it to sign client certificates.

Before you begin

  • A Linux machine with OpenSSL installed. This guide uses Alibaba Cloud Linux 3.2104 with OpenSSL 1.1.1k.

  • Basic familiarity with the command line.

Generate a CA certificate

Set up the directory structure

Create the working directories for the CA:

sudo mkdir -p /home/ca/{newcerts,private,conf,server,users}
cd /home/ca

Directory   Purpose

newcerts    Stores certificates signed by this CA
private     Stores the CA private key and certificate
conf        Stores OpenSSL configuration files
server      Stores server certificates
users       Stores client certificates

Create the OpenSSL configuration file

Create /home/ca/conf/openssl.conf:

sudo vim /home/ca/conf/openssl.conf

Add the following content:

[ ca ]
default_ca = foo

[ foo ]
dir = /home/ca
database = /home/ca/index.txt
new_certs_dir = /home/ca/newcerts
certificate = /home/ca/private/ca.crt
serial = /home/ca/serial
private_key = /home/ca/private/ca.key
RANDFILE = /home/ca/private/.rand
default_days = 365
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any

[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional

Generate the CA private key and certificate

  1. Generate the CA private key:

    sudo openssl genrsa -out /home/ca/private/ca.key 2048

    Expected output:

    Generating RSA private key, 2048 bit long modulus
    .....+++++
    .+++++
    e is 65537 (0x010001)

  2. Create a certificate signing request (CSR):

    sudo openssl req -new -key /home/ca/private/ca.key -out /home/ca/private/ca.csr

    Enter the required information when prompted. For Common Name, enter a descriptive name for your CA (e.g., My Company Root CA).

    Example interaction:

    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) [ ]:Zhejiang
    Locality Name (eg, city) [Default City]:Hangzhou
    Organization Name (eg, company) [Default Company Ltd]:My Company
    Organizational Unit Name (eg, section) [ ]:IT
    Common Name (eg, your name or your server's hostname) [ ]:My Company Root CA
    Email Address [ ]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password [ ]:
    An optional company name [ ]:

  3. Generate the self-signed CA certificate:

    sudo openssl x509 -req -days 365 -in /home/ca/private/ca.csr -signkey /home/ca/private/ca.key -out /home/ca/private/ca.crt

    Expected output:

    Signature ok
    subject=C = CN, ST = Zhejiang, L = Hangzhou, O = My Company, OU = IT, CN = My Company Root CA
    Getting Private key

    Important

    The ca.crt file is the CA certificate to upload to CLB. Because no -extfile is passed, the certificate carries no X.509v3 extensions (in particular no basicConstraints marking it as a CA); OpenSSL 1.1.1 writes it as an X.509 v1 certificate and accepts such a self-signed certificate as a trust anchor. Inspect it with openssl x509 -noout -text before uploading. Keep ca.key private: anyone who holds it can issue client certificates that CLB will accept.

Initialize the CA database

# Set the initial serial number (an even number of hexadecimal digits, e.g., FACE)
echo FACE | sudo tee /home/ca/serial

# Create the certificate index file
sudo touch /home/ca/index.txt

# Generate the certificate revocation list (CRL)
sudo openssl ca -gencrl -out /home/ca/private/ca.crl -crldays 7 -config /home/ca/conf/openssl.conf

Expected output for the CRL command:

Using configuration from /home/ca/conf/openssl.conf

Sign a client certificate

After creating the CA, use it to sign client certificates for mTLS authentication.

  1. Generate a client private key:

    sudo openssl genrsa -des3 -out /home/ca/users/client.key 2048

    Enter a passphrase when prompted. This passphrase protects the private key—you'll need it in subsequent steps.

  2. Create a CSR for the client certificate:

    sudo openssl req -new -key /home/ca/users/client.key -out /home/ca/users/client.csr

    Enter the passphrase from step 1, then fill in the certificate details.

    Important

    The values for Country, State, Organization, and Organizational Unit must exactly match the CA certificate, because the policy_any section in openssl.conf declares them as match. Otherwise, signing fails with a "field is different" error. Locality, Common Name, and Email (optional or supplied in policy_any) can be different.

    The challenge password prompt is for an optional CSR password, not the private key passphrase.
  3. Sign the client certificate with the CA:

    sudo openssl ca -in /home/ca/users/client.csr -cert /home/ca/private/ca.crt -keyfile /home/ca/private/ca.key -out /home/ca/users/client.crt -config /home/ca/conf/openssl.conf

    Enter y twice when prompted to confirm signing.

    Example output:

    Using configuration from /home/ca/conf/openssl.conf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            ...
    Certificate is to be certified until Jan 28 12:00:00 2027 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

  4. Export the client certificate as PKCS#12 (for browser import):

    sudo openssl pkcs12 -export -clcerts -in /home/ca/users/client.crt -inkey /home/ca/users/client.key -out /home/ca/users/client.p12

    Enter the client key passphrase, then set an export password. You'll need this export password when installing the certificate in a browser or application.

  5. Verify the generated files:

    ls /home/ca/users/
    # Expected output: client.crt  client.csr  client.key  client.p12

Generated files summary

File                         Description                    Upload to

/home/ca/private/ca.crt      CA certificate                 CLB (for mTLS)
/home/ca/users/client.p12    Client certificate (PKCS#12)   Client browser/application

What's next