RSA

RSA X.509

mkdir -p cert/rsa

CA KEY

openssl genrsa -out cert/rsa/caroot.key 2048

 openssl req -new -x509 -days 3650 -config cert/rsa/synrc.cnf \
         -key cert/rsa/caroot.key \
         -out cert/rsa/caroot.pem \
         -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=CA"

CA CRL

 openssl ca -config cert/rsa/synrc.cnf \
         -gencrl -out cert/rsa/rsaroot.crl

SERVER KEY

openssl genrsa -out cert/rsa/server.key 2048

 openssl req -new -days 365 \
         -key cert/rsa/server.key \
         -out cert/rsa/server.csr \
         -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=SERVER"

SERVER CERT

 openssl ca -config cert/rsa/synrc.cnf \
         -extensions server_cert \
         -days 730 \
         -in cert/rsa/server.csr \
         -out cert/rsa/server.pem \
         -cert cert/rsa/caroot.pem \
         -keyfile cert/rsa/caroot.key

CLIENT KEY

openssl genrsa -out cert/rsa/client.key 2048

 openssl req -new -days 365 \
         -key cert/rsa/client.key \
         -out cert/rsa/client.csr \
         -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=Maxim"

CLIENT CERT

 openssl ca -config cert/rsa/synrc.cnf \
         -extensions usr_cert \
         -days 365 \
         -in cert/rsa/client.csr \
         -out cert/rsa/client.pem \
         -cert cert/rsa/caroot.pem \
         -keyfile cert/rsa/caroot.key

CLIENT PFX

 openssl pkcs12 -export \
         -inkey cert/rsa/client.key \
         -in cert/rsa/client.pem \
         -out cert/rsa/client.p12

RSA CNF

 [ ca ]
 default_ca = CA_default

 [ CA_default ]
 dir               = /home/ubuntu/depot/synrc
 certs             = $dir/cert/rsa
 crl_dir           = $dir/cert/rsa
 new_certs_dir     = $dir/cert/rsa
 database          = $dir/cert/rsa/index.txt
 serial            = $dir/cert/rsa/serial
 RANDFILE          = $dir/cert/rsa/.rand
 private_key       = $dir/cert/rsa/caroot.key
 certificate       = $dir/cert/rsa/caroot.pem
 crlnumber         = $dir/cert/rsa/crlnumber
 crl               = $dir/cert/rsa/rsaroot.crl
 crl_extensions    = crl_ext
 default_crl_days  = 3650
 default_md        = sha384
 name_opt          = ca_default
 cert_opt          = ca_default
 default_days      = 3650
 preserve          = no
 policy            = policy_strict

 [ policy_strict ]
 countryName             = match
 stateOrProvinceName     = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied

 [ req ]
 default_bits        = 2048
 distinguished_name  = req_distinguished_name
 string_mask         = utf8only
 default_md          = sha384
 x509_extensions     = v3_ca

 [ req_distinguished_name ]
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
 localityName                    = Locality Name
 0.organizationName              = Organization Name
 organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
 commonName_default              = CA
 countryName_default             = UA
 stateOrProvinceName_default     = Kyiv
 localityName_default            = Kyiv
 0.organizationName_default      = SYNRC
 organizationalUnitName_default  = HQ

 [ v3_ca ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign

 [ v3_intermediate_ca ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 crlDistributionPoints = @crl_info
 authorityInfoAccess = @ocsp_info

 [ usr_cert ]
 basicConstraints = CA:FALSE
 nsCertType = client, email
 nsComment = "Synrc Client Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
 subjectAltName = @alt_names

 [ server_cert ]
 basicConstraints = CA:FALSE
 nsCertType = server
 nsComment = "Synrc Server Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_info
 authorityInfoAccess = @ocsp_info
 subjectAltName = @alt_names

 [alt_names]
 DNS.0 = localhost

 [ crl_ext ]
 authorityKeyIdentifier=keyid:always

 [ ocsp ]
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, digitalSignature
 extendedKeyUsage = critical, OCSPSigning

 [crl_info]
 URI.0 = http://crl.n2o.dev:8081/rsaroot.crl

 [ocsp_info]
 caIssuers;URI.0 = http://crl.n2o.dev:8081/rsaroot.crt
 OCSP;URI.0 = http://ocsp.n2o.dev:8081/

LibreSSL

 openssl s_server -accept 8771 \
      -key cert/rsa/server.key \
      -cert cert/rsa/server.pem \
      -CAfile cert/rsa/caroot.pem -Verify 1

 openssl s_client -connect localhost:8771 \
      -key cert/rsa/client.key \
      -cert cert/rsa/client.pem \
      -CAfile cert/rsa/caroot.pem -showcerts