====== Generování SSL certifikátů ======

===== CERTIFIKACNI AUTORITA =====
>openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout cakey.pem -x509 -days 3650 -extensions certauth -outform PEM -out cacert.pem

===== SERVER - klic a certifikat =====

**generovani klice serveru**
>openssl genrsa -out server.key 2048

**generovani zadosti o certifikat serveru**
>openssl req -config ./openssl.cnf -new -key server.key -out server.req

**generovani certifikatu serveru**
>openssl x509 -req -in server.req -CA cacert.pem -CAkey cakey.pem -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.pem 

===== CLIENT - klic a certifikat =====

**generovani klice clienta**
>openssl genrsa -out client.key 2048 

**generovani zadosti o certifikat clienta**
>openssl req -config ./openssl.cnf -new -key client.key -out client.req

**generovani certifikatu clienta**
>openssl x509 -req -in client.req -CA cacert.pem -CAkey cakey.pem -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.pem

**klientsky certifikat s heslem ve formatu pkcs12**
>openssl pkcs12 -export -in client/client_test.pem -inkey client/client_test.key -out client/client_test.p12

<file - openssl.cnf>
[ req ]
default_md = sha1
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName 			= Zkratka Zeme (2 znaky)
countryName_default 		= CZ
stateOrProvinceName 		= Zeme (cele jmeno)
stateOrProvinceName_default 	= Czech Republic
countryName_min 		= 2
countryName_max 		= 2
localityName 			= Mesto
localityName_default 		= Mlada Boleslav
organizationName 		= Firma
organizationName_default 	= Nazev Firmy
emailAddress			= admin@domain.cz
commonName 			= Smart CA
commonName_max 			= 64
default_days   			= 3650
default_crl_days		= 30

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
crlDistributionPoints = @crl

[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
crlDistributionPoints = @crl

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
crlDistributionPoints = @crl

[ crl ]
URI=http://testca.local/ca.crl 
</file>