X509 certificates for client authentication

Quickly generate a CA and client certificate for secure communication
iot crypto tech certificates iron

Why client certificates

If you are reading this post, you probably already know what this is all about, and I will not offend you with simplistic explanations. Just for the sake of clarity, by client certificates I mean those files containing a private key that the user needs in order to access a certain service.

While it has become increasingly common to serve content over the internet with HTTPS, so that the communication is shielded from eavesdroppers, far fewer services securely authenticate the identity of the user as well.

There are good reasons for that, of course. Without going into too much detail, authenticating the user, that is, pre-sharing a different key with each and every user, can be costly and impractical in many ways. Therefore, if it is not essential, we usually don’t do it.

When to use them

There are times when you want to put a service online for users that require:

Where to use them

Assuming we know where we want to use client certificates, it may not be obvious that the place where we use them is typically a browser, if we are talking about HTML documents or other media; but it could also be some other piece of custom software, in which case we will hopefully have additional instructions about what to do with them.

How to use them

Usually the end user has a private key (protected by a super-secret password that he gives to no one) with which, after going through some pains, he eventually obtains a signed certificate. Together with that, he should receive a copy of the certificate of the CA that signed his own certificate. This tells the browser (or our awesome piece of code) that the client certificate is actually right.

Given enough time and resources, the CA itself could have been authenticated by an established real-world CA company that keeps its certificates in a safe dug underground with no internet connection.

While this last step is quite costly and worthwhile in some cases, it is not always needed: for example, if your application has a small number of clients, or at least does not operate on a global scale. Let’s say the client is your phone authenticating to your own webmail server: you can just make sure the server certificate you have on the client is the right one, and you’re good to go. Another case could be some physical device you have access to and onto which you can save the correct server certificate. This is known as certificate pinning. Of course, in this last case the tricky part is making sure you will be able to update the server certificate on the client when you need to, and also making sure no one else is able to do that.
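The two checks described above, as an added example that is not code from this post or from the iron tool: a server verifying that a user's certificate chains to the CA it trusts (and is marked for client authentication), and a pinning client comparing the server certificate against a stored fingerprint. It uses only the openssl command line in a throwaway directory; the names demo-ca, rogue-ca, alice, mallory and webmail, the certificate lifetimes and the minimal req config are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the post or from the iron tool: the trust
# relationships described above, built with the openssl command line in a
# throwaway directory. The names (demo-ca, rogue-ca, alice, mallory, webmail),
# the lifetimes and the minimal req config are assumptions for illustration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so openssl req does not depend on the distribution's openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# new_key_and_csr DIR NAME: the holder generates a P-256 key and a CSR; the
# private key is written here and nowhere else.
new_key_and_csr() {
  openssl req -new -config "$1/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -sha256 -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed certificate flagged as a CA (allowed to sign others).
make_ca() {
  new_key_and_csr "$1" "$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
    -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# issue_cert DIR CA NAME EKU: the CA signs the holder's CSR. EKU is clientAuth
# for a user certificate or serverAuth for a service certificate.
issue_cert() {
  new_key_and_csr "$1" "$3"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=%s\n' \
    "$4" > "$1/$3.ext"
  openssl x509 -req -sha256 -days 90 -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -extfile "$1/$3.ext" -out "$1/$3.crt" >/dev/null 2>&1
}

# verify_cert DIR CA NAME PURPOSE: the check the relying side makes. Does the
# presented certificate chain to the CA we trust, and is it meant for this
# purpose (sslclient or sslserver)? Prints ok/fail and returns 0/1.
verify_cert() {
  if openssl verify -CAfile "$1/$2.crt" -purpose "$4" "$1/$3.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail; return 1
  fi
}

# fingerprint FILE: SHA-256 over the DER certificate, the value a pinning
# client stores instead of trusting a CA.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pinned_ok FILE PIN: accept the certificate only if it matches the stored pin.
pinned_ok() {
  [ "$(fingerprint "$1")" = "$2" ]
}

make_ca "$WORK" demo-ca                          # the CA we hand to our users
make_ca "$WORK" rogue-ca                         # a CA nobody agreed to trust
issue_cert "$WORK" demo-ca  alice   clientAuth
issue_cert "$WORK" rogue-ca mallory clientAuth
issue_cert "$WORK" demo-ca  webmail serverAuth

echo "alice   (demo-ca,  clientAuth) as client: $(verify_cert "$WORK" demo-ca alice   sslclient || true)"
echo "mallory (rogue-ca, clientAuth) as client: $(verify_cert "$WORK" demo-ca mallory sslclient || true)"
echo "webmail (demo-ca,  serverAuth) as client: $(verify_cert "$WORK" demo-ca webmail sslclient || true)"

# Pinning: store today's server certificate fingerprint, then renew the
# certificate with a fresh key, as a real deployment eventually must.
PIN=$(fingerprint "$WORK/webmail.crt")
cp "$WORK/webmail.crt" "$WORK/webmail-v1.crt"
issue_cert "$WORK" demo-ca webmail serverAuth
echo "renewed webmail against CA:  $(verify_cert "$WORK" demo-ca webmail sslserver || true)"
if pinned_ok "$WORK/webmail.crt" "$PIN"; then
  echo "renewed webmail against pin: ok"
else
  echo "renewed webmail against pin: fail (every pinned client needs the new certificate)"
fi
```

The three "as client" lines show why the CA copy handed to the user matters: alice passes, mallory fails because her certificate was signed by a CA the server never agreed to trust, and webmail fails too because it is marked serverAuth rather than clientAuth. The last two lines show the update problem of pinning: the renewed server certificate is still fine for anyone who trusts demo-ca, but every client that pinned the old fingerprint now rejects it until it is given the new one.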

If you don’t recognize yourself in those two example cases, then you definitely need a public CA to sign your CA; you will have to pay for it, and hopefully it makes sense for your billion-user distributed application.

How to generate them

I have spent so long describing the use case for this brand new crypto tool that I think it is now time to explain how to use it.

Iron is a commandline utility to create a CA and certificates for services that need to share data over a secure channel with client authentication.

get the software

git clone https://github.com/paolo-lulli/iron 

install with make

cd iron
sudo make install

Install from Deb package

create Deb package

Iron comes with a script that helps generate a .deb package. It can be used as follows:

cd iron

install Deb package

If you chose to generate the Debian package (and you run a Debian/Ubuntu distribution), installing is as easy as:

sudo dpkg -i ../target/iron-1.0.0.deb

Use the software

Iron comes with a minimal inline help:

$ iron
Usage: iron <command> [<args>]

Some useful iron commands are:
   ca           manage CA
   certificate  create certificates 
   client       manage CSR for certificates creation
   commands     List all iron commands
   debug        manage CA
   service      manage service/server certificate creation

See 'iron help <command>' for information on a specific command.

For more details about the usage, see the Iron product page.