Create an mTLS Cert Package
Building mutual TLS (mTLS) certificates using a local Certificate Authority (CA) involves several steps. Here’s a general guide to help you through the process:
Step 1: Set Up Your Local Certificate Authority
Create a Private Key for the CA
openssl genrsa -out ca.key 2048
Create a Self-Signed Certificate for the CA
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt
You will be prompted to enter information for the certificate.
Step 2: Generate Server and Client Certificates
For the Server Certificate:
Create a Private Key for the Server
openssl genrsa -out server.key 2048
Create a Certificate Signing Request (CSR) for the Server
openssl req -new -key server.key -out server.csr
Sign the Server CSR with the CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 500 -sha256
For the Client Certificate:
Create a Private Key for the Client
openssl genrsa -out client.key 2048
Create a Certificate Signing Request (CSR) for the Client
openssl req -new -key client.key -out client.csr
Sign the Client CSR with the CA
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500 -sha256
Step 3: Verify the Certificates
You can verify the certificates to ensure they are correctly signed by the CA.
Verify the Server Certificate
openssl verify -CAfile ca.crt server.crt
Verify the Client Certificate
openssl verify -CAfile ca.crt client.crt
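The following script is an added example, not part of the original guide: it runs Steps 1 to 3 non-interactively and adds the X.509 v3 extensions the commands above leave out, namely a subjectAltName on the server certificate (curl and other modern clients match the hostname against the SAN, not the CN) and an extendedKeyUsage that restricts each certificate to its role. It assumes openssl 1.1.1 or later on PATH; the hostname mtls.example.test and the subject names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: Steps 1-3 run non-interactively
# (-subj instead of prompts) with the X.509 v3 extensions the guide's commands
# omit. Assumes openssl 1.1.1+ on PATH; "mtls.example.test" is a placeholder.
set -eu

# Usage: make_mtls_certs <output-dir> [server-hostname]
# The body runs in a subshell so the cd does not leak into the caller.
make_mtls_certs() (
    dir="$1"
    host="${2:-mtls.example.test}"
    mkdir -p "$dir" && cd "$dir"

    # Step 1: CA key and self-signed CA certificate (the default req config
    # marks a -x509 certificate as CA:TRUE).
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 \
        -subj "/CN=Local mTLS CA" -out ca.crt

    # Step 2a: server certificate. The subjectAltName is what clients match
    # the hostname against; a CN alone is not enough for modern clients.
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/CN=$host" -out server.csr
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$host" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 500 -sha256 -extfile server.ext -out server.crt

    # Step 2b: client certificate, limited to client authentication so it
    # cannot be presented as a server certificate.
    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -subj "/CN=mtls-client" -out client.csr
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 500 -sha256 -extfile client.ext -out client.crt

    # Step 3: verify the chain and the purpose, not just the CA signature.
    openssl verify -CAfile ca.crt -purpose sslserver server.crt
    openssl verify -CAfile ca.crt -purpose sslclient client.crt
)
```

Inspect the result with `openssl x509 -in server.crt -noout -text` and confirm the SAN and Extended Key Usage sections are present before wiring the files into your server.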
Step 4: Configure Your Server for mTLS
Depending on the server software you are using (e.g., Nginx, Apache, etc.), you will need to configure it to require client certificates and to trust your CA.
Step 5: Test the mTLS Setup
Start your server with the configured certificates.
Use a client (like curl or a custom application) to connect to the server, providing the client certificate and key.
Example using curl
curl -v --key client.key --cert client.crt --cacert ca.crt https://your-server-url
Conclusion
This process sets up a basic mTLS configuration using a local CA. Make sure to adjust the configurations based on your specific requirements and security policies.