
Our product consists of two servers. We would like to authenticate one server to the main server by means of a client certificate. I assume that we should ask the customers (who purchase the product) to use their own CA to generate a certificate for the main server.

1) Would that be an intermediate CA certificate? Then, I assume that the main server should generate a client certificate and send it to the subordinate server.

2) What would be a secure way to pass the client certificate from the main server to the sub server?

3) Is this all supported by OpenSSL?

Thanks.

{Already asked this question earlier but my new user was unavailable.}

user54875

1 Answer

You do not want to generate a client certificate for your customer. This would mean that you have the private key for their communications. This is bad practice.

  1. You kind of have the right idea. You want to generate a Root CA Certificate for your main server. The customer would then generate an Intermediate CA Certificate for their server. They would send this Intermediate CA cert to you via a Certificate Signing Request (CSR), and you would sign the certificate with your Root CA cert. The previous link is for informational purposes only; I'm not advertising their product. This signed certificate would then be sent back to the customer for use.

  2. A CSR is a format that contains all the information needed for you to sign the certificate provided. It does not contain the private key of the certificate. This answer and comments explain that a form on a webpage for submission is reasonable because there is no private data being passed. This will also give you a chance to gather other needed information to verify the customer in order to process the CSR. Once you've processed the CSR you can send the certificate back through the same means, by email, or whatever method you choose. There is no private information added after you've signed their certificate.

  3. Yes, OpenSSL provides all the functionality you need to set this up. There are several examples of PKI setups on OpenSSL PKI Tutorial. Here is another great walkthrough for PKI creation (PDF). These examples go beyond the scope of what you're doing, but they will give you a full understanding of what needs to happen for certificate authorities to work.

Here is a nice explanation of how all the things fit together at a higher level.

RoraΖ
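The CSR flow the answer describes, written out as an added OpenSSL example (this is not code from the question or the answer). The vendor side creates a root CA and keeps its key; the customer side creates a key pair and a CSR for the sub server; the vendor signs the CSR as a client-authentication certificate; the customer verifies the result against the vendor root. The subject names `vendor-root-ca` and `customer-sub-server`, the file names, and the one-year validity are placeholders chosen for this example. Two checks are included that a practitioner wants when deciding what may safely cross the wire: that the CSR carries no private key, and that the issued certificate really matches the key the customer kept.

```shell
#!/bin/sh
# Added example (not from the original answer): vendor root CA, customer CSR,
# vendor-signed client certificate, customer-side verification. All subject
# names and file names are constructed placeholders.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Vendor: root CA key and self-signed certificate. root.key never leaves the vendor.
make_root_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key 2>/dev/null
    openssl req -x509 -new -key root.key -sha256 -days 365 \
        -subj "/CN=vendor-root-ca" -out root.crt
}

# Customer: key pair and CSR for the sub server. sub.key never leaves the customer.
make_customer_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out sub.key 2>/dev/null
    openssl req -new -key sub.key -sha256 -subj "/CN=customer-sub-server" -out sub.csr
}

# The CSR is the only artifact that crosses the wire; confirm it holds no key material.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" sub.csr
}

# Vendor: sign the CSR with the root CA. The extensions mark the result as an
# end-entity certificate usable for client authentication, not as another CA.
sign_csr() {
    printf 'extendedKeyUsage = clientAuth\nbasicConstraints = CA:FALSE\n' > client.ext
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile client.ext -out sub.crt 2>/dev/null
}

# Customer: the issued certificate must chain to the vendor root it was told to trust.
verify_chain() {
    openssl verify -CAfile root.crt sub.crt >/dev/null
}

# Customer: the public key inside the issued certificate must match the key it kept,
# otherwise the vendor signed something other than what was submitted.
cert_matches_key() {
    [ "$(openssl x509 -in sub.crt -noout -pubkey)" = "$(openssl pkey -in sub.key -pubout)" ]
}

# Run the whole exchange end to end; returns non-zero if any step or check fails.
run_flow() {
    make_root_ca
    make_customer_csr
    csr_has_no_private_key
    sign_csr
    verify_chain
    cert_matches_key
}

if command -v openssl >/dev/null 2>&1; then
    run_flow && echo "client certificate issued and verified in $WORK"
fi
```

Only `sub.csr` travels from customer to vendor and only `sub.crt` (plus `root.crt`) travels back; both private keys stay where they were generated, which is the property the answer relies on when it says a web form or e-mail is an acceptable transport for the CSR.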