====== Generování SSL certifikátů ======

===== CERTIFIKACNI AUTORITA =====

>openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout cakey.pem -x509 -days 3650 -extensions certauth -outform PEM -out cacert.pem

Pozn.: volba ''-nodes'' uloží soukromý klíč CA (cakey.pem) nešifrovaně. Pro jinou než testovací CA ji vynechte, klíč chraňte heslem a soubor nechte čitelný jen pro vlastníka.

===== SERVER - klic a certifikat =====

**generovani klice serveru**
>openssl genrsa -out server.key 2048

**generovani zadosti o certifikat serveru**
>openssl req -config ./openssl.cnf -new -key server.key -out server.req

**generovani certifikatu serveru**
>openssl x509 -req -in server.req -CA cacert.pem -CAkey cakey.pem -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.pem

===== CLIENT - klic a certifikat =====

**generovani klice clienta**
>openssl genrsa -out client.key 2048

**generovani zadosti o certifikat clienta**
>openssl req -config ./openssl.cnf -new -key client.key -out client.req

**generovani certifikatu clienta**
>openssl x509 -req -in client.req -CA cacert.pem -CAkey cakey.pem -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.pem

**klientsky certifikat s heslem ve formatu pkcs12**
>openssl pkcs12 -export -in client/client_test.pem -inkey client/client_test.key -out client/client_test.p12

[ req ]
default_md = sha1
# POZN.: sha1 je pro podpisy certifikatu zastaraly a prohlizece ho odmitaji; pro novou CA pouzijte sha256.
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Zkratka Zeme (2 znaky)
countryName_default = CZ
stateOrProvinceName = Zeme (cele jmeno)
stateOrProvinceName_default = Czech Republic
countryName_min = 2
countryName_max = 2
localityName = Mesto
localityName_default = Mlada Boleslav
organizationName = Firma
organizationName_default = Nazev Firmy
# POZN.: hodnota bez pripony _default (emailAddress, commonName) je jen text vyzvy, ne predvyplnena hodnota.
emailAddress = admin@domain.cz
commonName = Smart CA
commonName_max = 64
# POZN.: default_days a default_crl_days cte jen sekce [ ca ]; v [ req_distinguished_name ] nemaji ucinek.
default_days = 3650
default_crl_days = 30

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints = @crl

[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
crlDistributionPoints = @crl

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
crlDistributionPoints = @crl

[ crl ]
URI=http://testca.local/ca.crl