Создание сертификата CA
bsd$ openssl req -nodes -new -newkey rsa:2048 -x509 -keyout ./ca.key -out ./ca.crt -config ./openssl-1.0.0.cnf -batch
Создание сертификата для сервера
bsd$ touch ./index.txt
bsd$ echo 01 | tee ./serial
bsd$ openssl req -new -newkey rsa:2048 -nodes -keyout ./server.key -out ./server.csr -config ./openssl-1.0.0.cnf -extensions server -batch
bsd$ openssl ca -out ./server.crt -in ./server.csr -config ./openssl-1.0.0.cnf -extensions server -batch
Создание сертификата для клиента
При подписании сертификата почему-то появлялась ошибка обновления базы данных, поэтому приходилось удалять все файлы вида ./index.txt* и ./serial* и создавать их заново. Скорее всего, причина в том, что серверный и клиентский запросы создаются в режиме -batch с одинаковым DN по умолчанию (commonName = cn), а openssl ca по умолчанию (unique_subject = yes) отказывается выдавать второй сертификат с тем же subject и сообщает «failed to update database, TXT_DB error number 2». Проще задать разные Common Name для сервера и клиента (или указать unique_subject = no в секции [ CA_default ]), чем пересоздавать базу выданных сертификатов — index.txt является единственной записью о том, что подписал CA, и нужен для отзыва и генерации CRL.
bsd$ openssl req -new -newkey rsa:2048 -nodes -keyout ./client.key -out ./client.csr -config ./openssl-1.0.0.cnf -batch
bsd$ openssl ca -out ./client.crt -in ./client.csr -config ./openssl-1.0.0.cnf -batch
Листинг openssl-1.0.0.cnf (скачать)
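# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# Read via -config by the `openssl req` / `openssl ca` commands shown above.
# OpenSSL's config parser supports trailing `#` comments and expands $dir
# within the section where it is defined.

[ ca ]
default_ca              = CA_default            # The default ca section

[ CA_default ]
dir                     = ./                    # Where everything is kept
certs                   = $dir                  # Where the issued certs are kept
crl_dir                 = $dir                  # Where the issued crl are kept
# With the default unique_subject = yes, `openssl ca` refuses to issue a second
# certificate whose subject already appears in index.txt ("failed to update
# database"). Give each CSR its own commonName instead of deleting the index:
# it is the CA's only record of what it has signed and is needed for CRLs.
database                = $dir/index.txt        # database index file.
new_certs_dir           = $dir                  # default place for new certs.
certificate             = $dir/ca.crt           # The CA certificate
serial                  = $dir/serial           # The current serial number
crl                     = $dir/crl.pem          # The current CRL
private_key             = $dir/ca.key           # The private key (created with -nodes, i.e. unencrypted: protect file permissions)
RANDFILE                = $dir/.rand            # private random number file
x509_extensions         = usr_cert              # The extensions to add to the cert
default_days            = 3650                  # how long to certify for (10 years; consider shorter for leaf certs)
default_crl_days        = 30                    # how long before next CRL
# Changed from md5: MD5 signatures are collision-vulnerable and are rejected by
# current TLS stacks, so certificates signed with it no longer validate.
default_md              = sha256                # signature digest for issued certs
preserve                = no                    # keep passed DN ordering
policy                  = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
name                    = optional
emailAddress            = optional

[ req ]
default_bits            = 2048
default_md              = sha256                # digest for CSRs and for the self-signed CA cert (-x509)
distinguished_name      = req_distinguished_name
# Extensions for the self-signed CA certificate produced by `openssl req -x509`
# (the first command above). Without x509_extensions, OpenSSL 1.0.x appears to
# emit the CA cert with no extensions at all, i.e. no basicConstraints CA:TRUE.
x509_extensions         = v3_ca
# NOTE(review): basicConstraints / keyUsage are not options of the [ req ] section
# and appear to have no effect here; extensions are read only from the section
# named by x509_extensions / req_extensions or -extensions. Kept from the listing.
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
string_mask             = nombstr

# Self-signed CA certificate extensions (referenced by [ req ] x509_extensions).
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = critical,CA:TRUE
keyUsage                = critical,cRLSign,keyCertSign

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = RU
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = province
localityName                    = Locality Name (eg, city)
localityName_default            = city
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = org
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = ou
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
# With -batch every CSR gets this same default CN; see the unique_subject note above.
commonName_default              = cn
name                            = Name
name_max                        = 64
name_default                    = name
emailAddress                    = Email Address
emailAddress_default            = root@nowhere.com
emailAddress_max                = 40

# Client certificate extensions (default for `openssl ca`, see x509_extensions).
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
extendedKeyUsage        = clientAuth
keyUsage                = digitalSignature

# Server certificate extensions (selected with -extensions server).
[ server ]
basicConstraints        = CA:FALSE
nsCertType              = server                # legacy Netscape extension; serverAuth below is what modern clients check
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
extendedKeyUsage        = serverAuth
keyUsage                = digitalSignature, keyEncipherment
# No subjectAltName is set: current browsers match the hostname only against SAN,
# not commonName. Add e.g. `subjectAltName = DNS:<server-hostname>` before use.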
bsd$ less /usr/local/share/easy-rsa/pkitool
FreeBSD 10.0-RELEASE: Fri Dec 11 23:53:12 YEKT 2015