mTLS in Apache HTTPD using a Self-Signed CA and Client Certificates
Creating a Self-Signed CA and Client Certificate Using Keystore Explorer (PKCS#12) for mTLS in Apache HTTPD
Last updated
This guide walks you through the process of generating a self-signed Certificate Authority (CA) and a client certificate using Keystore Explorer, with certificates stored in PKCS#12 (.p12) format. These certificates will be used to enable mutual TLS (mTLS) authentication in Apache HTTPD for the specific path /access/authn/cert.
Before you begin, ensure you have:
Keystore Explorer installed
Apache HTTPD installed and configured
Open Keystore Explorer and create a new keystore (PKCS#12 format).
Click Tools → Generate Key Pair.
Select RSA (2048-bit or higher) and click OK.
Enter the Distinguished Name (DN) details (e.g., CN=MyCA, O=MyOrg, C=SE).
Set the validity period (e.g., 3650 days for 10 years). Press Apply to update the years.
Click Add Extensions.
Click Use Standard Template.
Select CA and click OK.
Click OK.
Click OK.
Keep or change the Alias. Click OK.
Set a password for the key pair and click OK.
Click OK.
Save the keystore (myCA.p12).
Set a password for the keystore and click OK.
Open myCA.p12 in Keystore Explorer.
Right-click the CA key pair → Export → Export Certificate Chain.
Choose Head Only, X.509 and PEM format and save it as ca.cer.
Open myCA.p12 in Keystore Explorer.
Right-click the CA key pair → Sign.
Select Sign new key pair, select the key size (2048-bit or higher) and click OK.
Set the validity period (e.g., 3650 days for 10 years). Press Apply to update the years.
Enter the Distinguished Name (DN) details (e.g., CN=Client, O=MyOrg, C=SE).
Click Add Extensions.
Click Use Standard Template.
Select SSL Client and click OK.
Click OK.
Click OK.
Keep or change the Alias. Click OK.
Set a password for the key pair and click OK.
Right-click the Client key pair → Export → Export Key Pair.
Select PKCS#12, set a password for the exported key pair and choose the path for the Export File.
Click Export.
Save the keystore if you would like to keep the client certificate in the keystore.
/access/authn/cert
Copy ca.crt (the CA certificate exported from Keystore Explorer) to the Apache configuration directory.
Edit the Apache configuration file (httpd.conf or ssl.conf) and add the following configuration:
Add the CA certificate and disable TLS 1.3; add or change the following settings:
Add the Location section:
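The settings the two configuration steps above describe, shown as an added example of an httpd.conf/ssl.conf fragment (not the page's own configuration); the file paths, ServerName and the organisation check are assumptions:

```apache
# Added example, not the page's own configuration: paths, ServerName and the
# organisation check are assumptions; adjust them to your installation.
Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key

    # CA certificate exported from Keystore Explorer (ca.cer, copied here as
    # ca.crt). Only client certificates signed by this CA are accepted.
    SSLCACertificateFile  /etc/httpd/conf/ca.crt

    # Per-Location client authentication works by renegotiating the TLS
    # session once the request path is known. TLS 1.3 has no renegotiation,
    # so this virtual host is limited to TLS 1.2.
    SSLProtocol -all +TLSv1.2
    SSLOptions +OptRenegotiate

    # The rest of the site does not ask for a client certificate.
    SSLVerifyClient none

    <Location /access/authn/cert>
        # Require a client certificate; the request is rejected if it is
        # missing, expired, or not signed by the CA configured above.
        SSLVerifyClient require
        # The client certificate is signed directly by the CA (chain depth 1).
        SSLVerifyDepth 1
        # Expose the verified subject to the application (SSL_CLIENT_S_DN_*).
        SSLOptions +StdEnvVars
        # Optional: additionally require the certificate's O to match ours.
        Require expr "%{SSL_CLIENT_S_DN_O} == 'MyOrg'"
    </Location>
</VirtualHost>
```

After `apachectl configtest` passes and Apache is restarted, a request to /access/authn/cert sent with curl's `--cert client.p12:PASSWORD --cert-type P12` should succeed, while the same request without a certificate should be rejected.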
Restart Apache:
Import the certificate to the OS using the OS tool.
You have successfully created a self-signed CA, a client certificate, and configured Apache HTTPD for mTLS authentication on the specific path /access/authn/cert using Keystore Explorer, with certificates stored in PKCS#12 (.p12) format.