
Generování SSL certifikátů

CERTIFIKACNI AUTORITA

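# Certification authority: RSA-2048 key and self-signed certificate in one step,
# extensions taken from [ certauth ] in openssl.cnf.
# -sha256 overrides [ req ] default_md, which on this page is sha1; without it the
#   CA certificate carries a SHA-1 signature that current TLS stacks reject.
# -nodes writes cakey.pem unencrypted. Acceptable for a throw-away lab CA; for
#   anything longer-lived drop -nodes and keep the passphrase-protected key offline.
openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout cakey.pem -x509 -days 3650 -sha256 -extensions certauth -outform PEM -out cacert.pem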

SERVER - klic a certifikat

generovani klice serveru

# Server private key: 2048-bit RSA, written unencrypted in PEM to the path below.
server_key=server.key
openssl genrsa -out "$server_key" 2048

generovani zadosti o certifikat serveru

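# Certificate signing request for the server key. Subject fields are prompted
# according to [ req_distinguished_name ]; type the server's hostname at the
# Common Name prompt.
# -sha256 signs the request itself with SHA-256 instead of [ req ] default_md (sha1).
openssl req -config ./openssl.cnf -new -key server.key -sha256 -out server.req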

generovani certifikatu serveru

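# Issue the server certificate from the CSR. Extensions come from [ server ] in
# openssl.cnf (-extfile/-extensions); extensions inside the CSR are ignored here.
# -sha256 makes the signature digest explicit; older OpenSSL releases defaulted
#   to SHA-1 in this command.
# -set_serial 100 is a fixed value: re-running this command re-issues a
#   certificate with the same serial under the same issuer, which breaks
#   CRL-based revocation and is rejected by some clients. Prefer
#   -CAcreateserial (serial kept in cacert.srl) when certificates are reissued.
openssl x509 -req -in server.req -CA cacert.pem -CAkey cakey.pem -set_serial 100 -sha256 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.pem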

CLIENT - klic a certifikat

generovani klice clienta

# Client private key: 2048-bit RSA, written unencrypted in PEM to the path below.
client_key=client.key
openssl genrsa -out "$client_key" 2048

generovani zadosti o certifikat clienta

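# Certificate signing request for the client key. Subject fields are prompted
# according to [ req_distinguished_name ]; the Common Name identifies the user.
# -sha256 signs the request itself with SHA-256 instead of [ req ] default_md (sha1).
openssl req -config ./openssl.cnf -new -key client.key -sha256 -out client.req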

generovani certifikatu clienta

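# Issue the client certificate from the CSR. Extensions come from [ client ] in
# openssl.cnf (-extfile/-extensions); extensions inside the CSR are ignored here.
# -sha256 makes the signature digest explicit; older OpenSSL releases defaulted
#   to SHA-1 in this command.
# -set_serial 101 is a fixed value with the same reissue problem as the server
#   certificate above (duplicate serial under one issuer); -CAcreateserial avoids it.
openssl x509 -req -in client.req -CA cacert.pem -CAkey cakey.pem -set_serial 101 -sha256 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.pem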

klientsky certifikat s heslem ve formatu pkcs12

# Bundle the client certificate and its key into a PKCS#12 file; -export without
# -passout prompts for the export password that protects the bundle.
# NOTE(review): the paths below (client/client_test.*) do not match the
# client.key / client.pem produced by the commands above — confirm which pair is meant.
openssl pkcs12 -export -inkey client/client_test.key -in client/client_test.pem -out client/client_test.p12
openssl.cnf
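; openssl.cnf — read by `openssl req -config` ([ req ] and the DN prompts, and the
; self-signed CA via -x509 -extensions certauth) and by `openssl x509 -extfile`
; ([ server ] / [ client ] extension sections).
[ req ]
; Digest used for CSR signatures and for the self-signed CA certificate.
; sha1 (the previous value) produces signatures that current TLS stacks reject.
default_md = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
; For each attribute, `name = text` is the PROMPT shown by openssl req; the value
; that ends up in the subject comes from `name_default` or from what is typed.
countryName = Zkratka Zeme (2 znaky)
countryName_default = CZ
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Zeme (cele jmeno)
stateOrProvinceName_default = Czech Republic
localityName = Mesto
localityName_default = Mlada Boleslav
organizationName = Firma
organizationName_default = Nazev Firmy
; Previously `emailAddress = admin@domain.cz` set the prompt text, not the value;
; the address is now the default and the prompt is a label like the other fields.
emailAddress = Email
emailAddress_default = admin@domain.cz
; "Smart CA" is the prompt label, not the subject CN. No default on purpose:
; the CN differs per certificate (CA name for cacert.pem, server hostname for
; server.pem, user name for client.pem) and is typed at the prompt.
commonName = Smart CA
commonName_max = 64
; default_days / default_crl_days are [ ca ] section options, not DN attributes;
; openssl req does not use them here. Validity on this page comes from -days on
; the command line, so these two keys have no effect.
default_days = 3650
default_crl_days = 30

; Extensions for the self-signed CA certificate (openssl req -x509 -extensions certauth).
[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
; critical: relying parties must not ignore the CA flag.
basicConstraints = critical, CA:true
; A CA key should only sign certificates and CRLs (RFC 5280 4.2.1.3).
keyUsage = critical, keyCertSign, cRLSign
crlDistributionPoints = @crl

; Extensions for server certificates (openssl x509 -extensions server).
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
; Legacy Netscape extension; harmless but largely ignored by current clients.
nsCertType = server
crlDistributionPoints = @crl
; NOTE(review): no subjectAltName is set. Current browsers and TLS libraries match
; the hostname against SAN rather than CN, so a deployable server certificate needs
; e.g. `subjectAltName = DNS:<server-hostname>` (constructed example) in this section.

; Extensions for client certificates (openssl x509 -extensions client).
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
; Legacy Netscape extension; harmless but largely ignored by current clients.
nsCertType = client
crlDistributionPoints = @crl

; CRL distribution point referenced as @crl by the three extension sections above.
; Plain HTTP is the normal transport for CRLs (the CRL is itself signed by the CA).
[ crl ]
URI = http://testca.local/ca.crl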