$ mkdir -p cert/ecc $ : > cert/ecc/index.txt $ echo 00 > cert/ecc/serial $ echo 10 > cert/ecc/crlnumber
$ openssl ecparam -genkey -name secp384r1 | openssl ec -aes256 -passout pass:0 \ -out cert/ecc/caroot.key
$ openssl req -config cert/ecc/synrc.cnf -days 3650 -batch \ -new -x509 -passin pass:0 -passout pass:0 \ -key cert/ecc/caroot.key -out cert/ecc/caroot.pem \ -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=CA"
$ openssl ca -config cert/ecc/synrc.cnf \ -passin pass:0 -gencrl -out cert/ecc/eccroot.crl
$ export SERVER=server
$ openssl req -config cert/ecc/synrc.cnf \ -passin pass:0 -passout pass:0 \ -new -newkey ec:<(openssl ecparam -name secp384r1) \ -keyout cert/ecc/$SERVER.key.enc \ -out cert/ecc/$SERVER.csr \ -subj "/C=UA/ST=Kyiv/O=SYNRC/CN="$SERVER
$ openssl ec -in cert/ecc/$SERVER.key.enc \ -out cert/ecc/$SERVER.key -passin pass:0 -passout pass:0
$ openssl ca -config cert/ecc/synrc.cnf -days 730 -batch \ -in cert/ecc/$SERVER.csr -out cert/ecc/$SERVER.pem \ -keyfile cert/ecc/caroot.key -cert cert/ecc/caroot.pem \ -passin pass:0 -extensions server_cert
$ export CLIENT=client
$ openssl req -config cert/ecc/synrc.cnf -batch -passout pass:0 \ -new -newkey ec:<(openssl ecparam -name secp384r1) \ -keyout cert/ecc/$CLIENT.key \ -out cert/ecc/$CLIENT.csr \ -subj "/C=UA/ST=Kyiv/O=SYNRC/CN="$CLIENT
$ openssl ec -in cert/ecc/$CLIENT.key.enc -out cert/ecc/$CLIENT.key -passin pass:0
$ openssl ca -config cert/ecc/synrc.cnf \ -extensions usr_cert -batch -days 365 -passin pass:0 \ -in cert/ecc/$CLIENT.csr -out cert/ecc/$CLIENT.pem \ -cert cert/ecc/caroot.pem -keyfile cert/ecc/caroot.key
$ openssl pkcs12 -export -passin pass:0 -passout pass:0 \ -inkey cert/ecc/$CLIENT.key -in cert/ecc/$CLIENT.pem \ -out cert/ecc/$CLIENT.p12
[ ca ] default_ca = CA_default [ CA_default ] dir = /home/maxim/depot/synrc/ca/cert/ecc certs = $dir crl_dir = $dir new_certs_dir = $dir database = $dir/index.txt serial = $dir/serial RANDFILE = $dir/.rand private_key = $dir/caroot.key certificate = $dir/caroot.pem crlnumber = $dir/crlnumber crl = $dir/eccroot.crl crl_extensions = crl_ext default_crl_days = 3650 default_md = sha384 name_opt = ca_default cert_opt = ca_default default_days = 3650 preserve = no policy = policy_strict [ policy_strict ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied [ req ] default_bits = 2048 distinguished_name = req_distinguished_name string_mask = utf8only default_md = sha384 x509_extensions = v3_ca [ req_distinguished_name ] countryName = UA countryName_default = UA 0.organizationName = SYNRC 0.organizationName_default = SYNRC commonName = CA commonName_default = CA stateOrProvinceName = Kyiv stateOrProvinceName_default = Kyiv localityName = Kyiv localityName_default = Kyiv organizationalUnitName = HQ organizationalUnitName_default = HQ [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ v3_intermediate_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign crlDistributionPoints = @crl_info authorityInfoAccess = @ocsp_info [ usr_cert ] basicConstraints = CA:FALSE nsCertType = client, email nsComment = "SYNRC CLIENT" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection subjectAltName = @alt_names [ server_cert ] basicConstraints = CA:FALSE nsCertType = server nsComment = "SYNRC SERVER" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth crlDistributionPoints = @crl_info authorityInfoAccess = @ocsp_info subjectAltName = @alt_names [alt_names] DNS.0 = localhost [ crl_ext ] authorityKeyIdentifier=keyid:always [ ocsp ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, digitalSignature extendedKeyUsage = critical, OCSPSigning [crl_info] URI.0 = http://crl.n2o.dev:8081/eccroot.crl [ocsp_info] caIssuers;URI.0 = http://crl.n2o.dev:8081/eccroot.crt OCSP;URI.0 = http://ocsp.n2o.dev:8081/
openssl s_server -accept 8772 \ -key cert/ecc/server.key \ -cert cert/ecc/server.pem \ -CAfile cert/ecc/caroot.pem -Verify 1
openssl s_client -connect localhost:8772 \ -key cert/ecc/client.key \ -cert cert/ecc/client.pem \ -CAfile cert/ecc/caroot.pem -showcerts