
Generating multiple personal certificates from one java keystore

I'm trying to generate certificates for each client that will be connecting to a REST call that returns JSON. That certificate will be sent via email and will be personal. The goal for this is that when the client sends an HTTPS request with that certificate, we will read its DN and log the access. We are using Mutual SSL.

The way I understand how certificates work, the Issuer is the Authority that signs the certificate, and the Subject is the target machine to secure, so no personal information should be included in the client's certificate.

If that's correct, how would you implement this? I already tried generating certificates with openssl, but both the Issuer and Subject are populated with the same data and I'm unable to change it, and I don't know how to proceed.

Per RFC 5280, Issuer and Subject are required fields of the certificate.

OpenSSL implements Certificate Signing Requests (CSR) - PKCS#10. Below is an example using it to demonstrate the generation of the CSR. You'll end up with 2 files: a private key (MyCommonName.key) and a CSR called MyCommonName.csr.

openssl req -new -newkey rsa:2048 -nodes -out MyCommonName.csr -keyout MyCommonName.key -subj "/C=US/ST=MyState/L=MyCity/O=MyOrganization/OU=MyDepartment/CN=MyCommonName"

The cert.csr can now be sent to the CA. If the CA cannot handle .PEM format, use an additional argument, -outform, followed by the specific format to use.
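
The question's Issuer/Subject problem comes from self-signing; the following added example (not part of the original post) shows a private CA signing one CSR per client, so each certificate carries the CA's DN as Issuer and the client's own DN as Subject. The CA name, client names, file names and lifetimes are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: a private CA issuing one client certificate per client.
# All names, subjects and lifetimes below are constructed placeholders.
set -eu

make_ca() {                 # $1 = output directory
  # Self-signed root: the only certificate where Issuer == Subject.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=MyOrganization/CN=My Client CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_cert() {       # $1 = directory holding the CA, $2 = client CN
  # Key pair + CSR for the client (same command shape as in the answer).
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=MyOrganization/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # Restrict the certificate to TLS client authentication.
  printf 'extendedKeyUsage=clientAuth\n' > "$1/client_ext.cnf"
  # The CA signs the CSR: Issuer becomes the CA's DN, Subject stays the client's.
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -extfile "$1/client_ext.cnf" \
    -out "$1/$2.crt" 2>/dev/null
}

# DN lookups, e.g. for the access log entry on the server side.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253; }

# Server-side check: does the presented certificate chain to our CA?
verify_client_cert() {      # $1 = CA certificate, $2 = client certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d)
  make_ca "$dir"
  issue_client_cert "$dir" client-alice
  issue_client_cert "$dir" client-bob
  cert_subject "$dir/client-alice.crt"
  cert_issuer  "$dir/client-alice.crt"
  verify_client_cert "$dir/ca.crt" "$dir/client-bob.crt" && echo "client-bob: chain OK"
  rm -rf "$dir"
}
demo
```

Only ca.crt needs to go into the server's truststore; ca.key stays offline with whoever issues the certificates.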
