ECC

ECC X.509

 $ mkdir -p cert/ecc
 $       : > cert/ecc/index.txt
 $ echo 00 > cert/ecc/serial
 $ echo 10 > cert/ecc/crlnumber

CA KEY

 $ openssl ecparam -genkey -name secp384r1 |
   openssl ec -aes256 -passout pass:0 \
              -out cert/ecc/caroot.key

 $ openssl req -config cert/ecc/synrc.cnf -days 3650 -batch \
               -new -x509 -passin pass:0 -passout pass:0 \
               -key cert/ecc/caroot.key -out cert/ecc/caroot.pem \
               -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=CA"

CA CRL

 $ openssl ca -config cert/ecc/synrc.cnf \
              -passin pass:0 -gencrl -out cert/ecc/eccroot.crl

SERVER KEY

$ export SERVER=server

 $ openssl req -config cert/ecc/synrc.cnf \
               -passin pass:0 -passout pass:0 \
               -new -newkey ec:<(openssl ecparam -name secp384r1) \
               -keyout cert/ecc/$SERVER.key.enc \
               -out cert/ecc/$SERVER.csr \
               -subj "/C=UA/ST=Kyiv/O=SYNRC/CN="$SERVER

 $ openssl ec -in cert/ecc/$SERVER.key.enc \
              -out cert/ecc/$SERVER.key -passin pass:0 -passout pass:0

SERVER CERT

 $ openssl ca -config cert/ecc/synrc.cnf -days 730 -batch \
              -in cert/ecc/$SERVER.csr -out cert/ecc/$SERVER.pem \
              -keyfile cert/ecc/caroot.key -cert cert/ecc/caroot.pem \
              -passin pass:0 -extensions server_cert

CLIENT KEY

$ export CLIENT=client

 $ openssl req -config cert/ecc/synrc.cnf -batch -passout pass:0 \
               -new -newkey ec:<(openssl ecparam -name secp384r1) \
               -keyout cert/ecc/$CLIENT.key \
               -out cert/ecc/$CLIENT.csr \
               -subj "/C=UA/ST=Kyiv/O=SYNRC/CN="$CLIENT

$ openssl ec -in cert/ecc/$CLIENT.key.enc -out cert/ecc/$CLIENT.key -passin pass:0

CLIENT CERT

 $ openssl ca -config cert/ecc/synrc.cnf \
              -extensions usr_cert -batch -days 365 -passin pass:0 \
              -in cert/ecc/$CLIENT.csr -out cert/ecc/$CLIENT.pem \
              -cert cert/ecc/caroot.pem -keyfile cert/ecc/caroot.key

CLIENT PFX

 $ openssl pkcs12 -export -passin pass:0 -passout pass:0 \
                  -inkey cert/ecc/$CLIENT.key -in cert/ecc/$CLIENT.pem \
                  -out cert/ecc/$CLIENT.p12

ECC CNF

 [ ca ]
 default_ca = CA_default

 [ CA_default ]
 dir               = /home/maxim/depot/synrc/ca/cert/ecc
 certs             = $dir
 crl_dir           = $dir
 new_certs_dir     = $dir
 database          = $dir/index.txt
 serial            = $dir/serial
 RANDFILE          = $dir/.rand
 private_key       = $dir/caroot.key
 certificate       = $dir/caroot.pem
 crlnumber         = $dir/crlnumber
 crl               = $dir/eccroot.crl
 crl_extensions    = crl_ext
 default_crl_days  = 3650
 default_md        = sha384
 name_opt          = ca_default
 cert_opt          = ca_default
 default_days      = 3650
 preserve          = no
 policy            = policy_strict

 [ policy_strict ]
 countryName             = match
 stateOrProvinceName     = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied

 [ req ]
 default_bits        = 2048
 distinguished_name  = req_distinguished_name
 string_mask         = utf8only
 default_md          = sha384
 x509_extensions     = v3_ca

 [ req_distinguished_name ]
 countryName                     = UA
 countryName_default             = UA
 0.organizationName              = SYNRC
 0.organizationName_default      = SYNRC
 commonName                      = CA
 commonName_default              = CA
 stateOrProvinceName             = Kyiv
 stateOrProvinceName_default     = Kyiv
 localityName                    = Kyiv
 localityName_default            = Kyiv
 organizationalUnitName          = HQ
 organizationalUnitName_default  = HQ

 [ v3_ca ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign

 [ v3_intermediate_ca ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 crlDistributionPoints = @crl_info
 authorityInfoAccess = @ocsp_info

 [ usr_cert ]
 basicConstraints = CA:FALSE
 nsCertType = client, email
 nsComment = "SYNRC CLIENT"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
 subjectAltName = @alt_names

 [ server_cert ]
 basicConstraints = CA:FALSE
 nsCertType = server
 nsComment = "SYNRC SERVER"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_info
 authorityInfoAccess = @ocsp_info
 subjectAltName = @alt_names

 [alt_names]
 DNS.0 = localhost

 [ crl_ext ]
 authorityKeyIdentifier=keyid:always

 [ ocsp ]
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, digitalSignature
 extendedKeyUsage = critical, OCSPSigning

 [crl_info]
 URI.0 = http://crl.n2o.dev:8081/eccroot.crl

 [ocsp_info]
 caIssuers;URI.0 = http://crl.n2o.dev:8081/eccroot.crt
 OCSP;URI.0 = http://ocsp.n2o.dev:8081/

LibreSSL

 openssl s_server -accept 8772 \
      -key cert/ecc/server.key \
      -cert cert/ecc/server.pem \
      -CAfile cert/ecc/caroot.pem -Verify 1

 openssl s_client -connect localhost:8772 \
      -key cert/ecc/client.key \
      -cert cert/ecc/client.pem \
      -CAfile cert/ecc/caroot.pem -showcerts