mkdir -p cert/rsa
openssl genrsa -out cert/rsa/caroot.key 2048
openssl req -new -x509 -days 3650 -config cert/rsa/synrc.cnf \ -key cert/rsa/caroot.key \ -out cert/rsa/caroot.pem \ -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=CA"
openssl ca -config cert/rsa/synrc.cnf \ -gencrl -out cert/rsa/rsaroot.crl
openssl genrsa -out cert/rsa/server.key 2048
openssl req -new -days 365 \ -key cert/rsa/server.key \ -out cert/rsa/server.csr \ -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=SERVER"
openssl ca -config cert/rsa/synrc.cnf \ -extensions server_cert \ -days 730 \ -in cert/rsa/server.csr \ -out cert/rsa/server.pem \ -cert cert/rsa/caroot.pem \ -keyfile cert/rsa/caroot.key
openssl genrsa -out cert/rsa/client.key 2048
openssl req -new -days 365 \ -key cert/rsa/client.key \ -out cert/rsa/client.csr \ -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=Maxim"
openssl ca -config cert/rsa/synrc.cnf \ -extensions usr_cert \ -days 365 \ -in cert/rsa/client.csr \ -out cert/rsa/client.pem \ -cert cert/rsa/caroot.pem \ -keyfile cert/rsa/caroot.key
openssl pkcs12 -export \ -inkey cert/rsa/client.key \ -in cert/rsa/client.pem \ -out cert/rsa/client.p12
[ ca ] default_ca = CA_default [ CA_default ] dir = /home/ubuntu/depot/synrc certs = $dir/cert/rsa crl_dir = $dir/cert/rsa new_certs_dir = $dir/cert/rsa database = $dir/cert/rsa/index.txt serial = $dir/cert/rsa/serial RANDFILE = $dir/cert/rsa/.rand private_key = $dir/cert/rsa/caroot.key certificate = $dir/cert/rsa/caroot.pem crlnumber = $dir/cert/rsa/crlnumber crl = $dir/cert/rsa/rsaroot.crl crl_extensions = crl_ext default_crl_days = 3650 default_md = sha384 name_opt = ca_default cert_opt = ca_default default_days = 3650 preserve = no policy = policy_strict [ policy_strict ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied [ req ] default_bits = 2048 distinguished_name = req_distinguished_name string_mask = utf8only default_md = sha384 x509_extensions = v3_ca [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name commonName_default = CA countryName_default = UA stateOrProvinceName_default = Kyiv localityName_default = Kyiv 0.organizationName_default = SYNRC organizationalUnitName_default = HQ [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ v3_intermediate_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign crlDistributionPoints = @crl_info authorityInfoAccess = @ocsp_info [ usr_cert ] basicConstraints = CA:FALSE nsCertType = client, email nsComment = "Synrc Client Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection subjectAltName = @alt_names [ server_cert ] basicConstraints = CA:FALSE nsCertType = server nsComment = "Synrc Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth crlDistributionPoints = @crl_info authorityInfoAccess = @ocsp_info subjectAltName = @alt_names [alt_names] DNS.0 = localhost [ crl_ext ] authorityKeyIdentifier=keyid:always [ ocsp ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, digitalSignature extendedKeyUsage = critical, OCSPSigning [crl_info] URI.0 = http://crl.n2o.dev:8081/rsaroot.crl [ocsp_info] caIssuers;URI.0 = http://crl.n2o.dev:8081/rsaroot.crt OCSP;URI.0 = http://ocsp.n2o.dev:8081/
openssl s_server -accept 8771 \ -key cert/rsa/server.key \ -cert cert/rsa/server.pem \ -CAfile cert/rsa/caroot.pem -Verify 1
openssl s_client -connect localhost:8771 \ -key cert/rsa/client.key \ -cert cert/rsa/client.pem \ -CAfile cert/rsa/caroot.pem -showcerts