init

cmds.txt

@@ -0,0 +1,7 @@
+echo "00"> ser
+touch db  db.attr
+openssl req -x509 -new -keyout rootCA.key -out rootCA.crt -config root-ca.conf -days 365 -nodes
+openssl req -new -keyout zzz.key -out zzz.csr -nodes
+openssl ca -config root-ca.conf -in zzz.csr -out zzz.crt
+openssl pkcs12 -export -out zzz.pfx -inkey zzz.key -in zzz.crt
+

root-ca.conf

@@ -0,0 +1,86 @@
+[ default ]
+ca                      = rootCA               # CA name
+aia_url                 = http://defcon-russia.ru/any_path.cer?any=params     # CA certificate URL
+crl_url                 = http://defcon-russia.ru/any_path.crl?any=params      # CRL distribution point
+ocsp_url                = http://defcon-russia.ru/any_path?any=params    # OCSP responder URL
+name_opt                = multiline,-esc_msb,utf8 # Display UTF-8 characters
+
+# CA certificate request
+[ req ]
+default_bits            = 2048                  # RSA key size
+encrypt_key             = yes                   # Protect private key
+default_md              = sha1                  # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = ca_dn                 # DN section
+req_extensions          = ca_reqext             # Desired extensions
+
+[ ca_dn ]
+countryName             = "DR"
+organizationName        = "DefconRussia"
+organizationalUnitName  = "DefconRussia CA"
+commonName              = "DefconRussia Root CA"
+
+[ ca_reqext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true
+subjectKeyIdentifier    = hash
+
+# CA operational settings
+[ ca ]
+default_ca              = root_ca               # The default CA section
+
+[ root_ca ]
+certificate             = $ca.crt       # The CA cert
+private_key             = $ca.key # CA private key
+new_certs_dir		= .
+database		 = db
+serial			= ser
+default_days            = 3652                  # How long to certify for
+unique_subject = no
+default_md              = sha1                  # MD to use
+policy                  = match_pol             # Default naming policy
+email_in_dn             = no                    # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = $name_opt             # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = copy                  # Copy extensions from CSR
+x509_extensions         = ca_ext   # Default cert extensions
+default_crl_days        = 1                    # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
+
+[ match_pol ]
+countryName             = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+
+# Extensions
+
+[ ca_ext ]
+keyUsage                = critical,digitalSignature,keyEncipherment
+basicConstraints        = CA:false
+extendedKeyUsage        = serverAuth,clientAuth
+subjectKeyIdentifier    = hash
+#authorityKeyIdentifier  = keyid:always
+authorityInfoAccess     = @ocsp_info
+crlDistributionPoints   = @crl_info
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always
+authorityInfoAccess     = @issuer_info
+
+[ ocsp_info ]
+caIssuers;URI.0         = $aia_url
+OCSP;URI.0              = $ocsp_url
+
+[ issuer_info ]
+caIssuers;URI.0         = $aia_url
+
+[ crl_info ]
+URI.0                   = $crl_url
+
+
+
+