Создание сертификата CA
# NOTE(review): -nodes leaves ca.key unencrypted on disk; anyone who can read
# this directory can issue certificates that every client of this CA trusts.
# Keep the key's permissions tight, or omit -nodes to passphrase-protect it.
bsd$ openssl req -nodes -new -newkey rsa:2048 -x509 -keyout ./ca.key -out ./ca.crt -config ./openssl-1.0.0.cnf -batch
Создание сертификата для сервера
# index.txt and serial are the `openssl ca` issuance database named in
# openssl-1.0.0.cnf; both must exist before the first signing run.
bsd$ touch ./index.txt
bsd$ echo 01 | tee ./serial
# -batch suppresses the DN prompts and takes the *_default values from the
# config, so every request built this way gets the same subject DN.
# For a plain request (no -x509) OpenSSL 1.0.x appears to ignore -extensions
# (it honours -reqexts); the server section is applied by `openssl ca` — TODO confirm.
bsd$ openssl req -new -newkey rsa:2048 -nodes -keyout ./server.key -out ./server.csr -config ./openssl-1.0.0.cnf -extensions server -batch
bsd$ openssl ca -out ./server.crt -in ./server.csr -config ./openssl-1.0.0.cnf -extensions server -batch
Создание сертификата для клиента
При подписании сертификата почему-то появлялась ошибка обновления базы данных, поэтому приходилось удалять все файлы вида ./index.txt* и ./serial* и создавать их заново.
# Built with the same -batch defaults as the server request, so the subject DN
# is identical unless the *_default values were edited in between. With
# unique_subject left at OpenSSL's default (yes), `openssl ca` refuses to add
# a second entry with the same subject — the likely source of the
# "database update" error described above; cf. unique_subject in [ CA_default ].
bsd$ openssl req -new -newkey rsa:2048 -nodes -keyout ./client.key -out ./client.csr -config ./openssl-1.0.0.cnf -batch
bsd$ openssl ca -out ./client.crt -in ./client.csr -config ./openssl-1.0.0.cnf -batch
Листинг openssl-1.0.0.cnf (скачать)
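# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# Read by `openssl req` and `openssl ca` via -config. Inline `#` comments and
# the `$dir` reference are OpenSSL config-parser features, not generic INI.

[ ca ]
default_ca       = CA_default           # The default ca section

[ CA_default ]
dir              = ./                   # Where everything is kept
certs            = $dir                 # Where the issued certs are kept
crl_dir          = $dir                 # Where the issued crl are kept
database         = $dir/index.txt       # database index file.
new_certs_dir    = $dir                 # default place for new certs.
certificate      = $dir/ca.crt          # The CA certificate
serial           = $dir/serial          # The current serial number
crl              = $dir/crl.pem         # The current CRL
private_key      = $dir/ca.key          # The private key
RANDFILE         = $dir/.rand           # private random number file
x509_extensions  = usr_cert             # The extensions to add to the cert
default_days     = 3650                 # how long to certify for
default_crl_days = 30                   # how long before next CRL
# Was md5: MD5 signatures are rejected by current TLS stacks and by OpenSSL's
# default security level, so issued certificates would fail to verify.
default_md       = sha256               # signature digest for issued certs
preserve         = no                   # keep passed DN ordering
# Requests made with -batch all carry the *_default DN below, i.e. the same
# subject. OpenSSL's default unique_subject=yes then makes the second
# `openssl ca` run fail with a TXT_DB "failed to update database" error.
# Permit repeated subjects instead of deleting index.txt*/serial* each time.
unique_subject   = no
policy           = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
name                    = optional
emailAddress            = optional

[ req ]
default_bits            = 2048
# Digest for self-signed certs and CSRs produced by `openssl req`
# (OpenSSL 1.0.x otherwise falls back to its own, older default).
default_md              = sha256
distinguished_name      = req_distinguished_name
# Extensions for the self-signed CA cert made by `openssl req -x509`. Without
# this key OpenSSL 1.0.x writes a version 1 certificate with no
# basicConstraints, which some verifiers will not accept as a CA.
x509_extensions         = v3_ca
# NOTE(review): basicConstraints and keyUsage are not [ req ] options and are
# silently ignored here; the effective constraints come from the extension
# sections below. Left as found pending confirmation of the intended section.
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
string_mask             = nombstr

[ req_distinguished_name ]
# Each *_default is what -batch substitutes without prompting.
countryName                     = Country Name (2 letter code)
countryName_default             = RU
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = province
localityName                    = Locality Name (eg, city)
localityName_default            = city
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = org
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = ou
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
commonName_default              = cn
name                            = Name
name_max                        = 64
name_default                    = name
emailAddress                    = Email Address
emailAddress_default            = root@nowhere.com
emailAddress_max                = 40

# Self-signed CA certificate (selected by x509_extensions in [ req ]).
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = critical, keyCertSign, cRLSign

# Default extensions for `openssl ca` (client certificates).
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
extendedKeyUsage        = clientAuth
keyUsage                = digitalSignature

# Server certificates: `openssl ca -extensions server`.
[ server ]
basicConstraints        = CA:FALSE
# Legacy Netscape extension; kept for tools that still check it.
nsCertType              = server
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
extendedKeyUsage        = serverAuth
keyUsage                = digitalSignature, keyEncipherment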
bsd$ less /usr/local/share/easy-rsa/pkitool
FreeBSD 10.0-RELEASE: Fri Dec 11 23:53:12 YEKT 2015