CA
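# Root CA key: generate P-521 domain parameters, then an EC private key from them.
openssl ecparam -name secp521r1 -out ec521.param
openssl genpkey -paramfile ec521.param -out root-ca.key
# Inspect the key. -text prints the private key value as well, so keep this
# output out of logs and shell history captures.
openssl ec -in root-ca.key -noout -text
# Store the root key password-protected. -aes256 (AES-256-CBC) replaces the
# original -aes-256-ecb: ECB has no IV and repeats ciphertext for repeated
# plaintext blocks, so it is not a suitable mode for wrapping key material.
# root-ca.key stays on disk unencrypted; remove it once root-ca-aes.key is verified.
openssl ec -aes256 -in root-ca.key -out root-ca-aes.key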
Генерируем приватный ключ:
# End-entity (server) private key: 2048-bit RSA, written unencrypted to some.key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out some.key
создаем конфигурационный файл req.conf:
# req.conf — read by `openssl req` (OpenSSL config syntax, not a generic INI parser).
[req]
# hash used for the CSR's self-signature
default_md = sha256
# interpret the DN values below as UTF-8
utf8 = yes
# take the DN from req_dn instead of prompting interactively
prompt = no
distinguished_name = req_dn
[req_dn]
# NOTE(review): countryName is a two-letter ISO 3166-1 code; the code for the
# United Kingdom is GB. The CA policy (countryName = match in ca_serv.conf)
# compares this field with the CA certificate's own subject, so change both together.
countryName = UK
organizationName = ECMA Ltd
organizationalUnitName = WWW
# hostname the certificate is requested for
commonName = www.ecma.com
Генерируем запрос на сертификат:
# Build the CSR for some.key; the DN comes from req.conf (prompt = no), so no questions are asked.
openssl req -new -config req.conf -key some.key -out some.csr
Проверить содержимое:
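# Inspect the CSR before handing it to the CA. The request produced above is
# some.csr (the original line named mycsr.csr, which nothing here creates).
openssl req -in some.csr -noout -text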
Конфигурационный файл для подписи ca_serv.conf:
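# ca_serv.conf — read by `openssl ca` (OpenSSL config syntax: $name expands a
# value set earlier in the section, so this is not a generic INI file).
[default]
# CA settings section used when -name is not given on the command line
default_ca = ca_root

# Extensions written into issued end-entity certificates; selected with
# `openssl ca -extensions x509_extensions`. An extension listed here overrides
# one of the same name carried in the CSR.
[x509_extensions]
# never let a signed request turn into a CA certificate
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
# RFC 5280 requires an authority key identifier in CA-issued certificates;
# keyid:always fails loudly if ca-root.crt carries no subjectKeyIdentifier.
authorityKeyIdentifier = keyid:always

[ca_root]
# base directory; every $home below expands to this value
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/private/ca-root.crt
private_key = $home/private/ca-root.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
# allow issuing a new certificate for a subject already present in the database
unique_subject = no
# copy CSR extensions that the -extensions section does not override
# (e.g. subjectAltName). Safe only together with CA:false above; still review
# each CSR (openssl req -text) before signing, since other requested
# extensions are accepted as-is.
copy_extensions = copy
# validity in days for certificates and CRLs
default_days = 365
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match

# Which subject fields a CSR must carry and which must equal the CA certificate's
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional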
подписываем на CA машине:
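# Sign the CSR on the CA machine (one command; the original was split across two
# lines, which a shell would run as two broken commands). -extensions selects the
# ca_serv.conf section whose extensions override same-named ones from the CSR.
openssl ca -config ca_serv.conf -extensions x509_extensions -in some.csr -out host.crt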
проверяем:
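# Verify the issued certificate (one command; the original was split across two
# lines). Check issuer, validity dates, and that the extensions match what
# ca_serv.conf was meant to produce — in particular basicConstraints CA:FALSE.
openssl x509 -in host.crt -noout -text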
http://pages.cs.wisc.edu/~zmiller/ca-howto/
http://www.madboa.com/geek/openssl/#cert-exam