= Setup of CA and certificates = (Credits to: https://www.rabbitmq.com/ssl.html)

== Setup of directories ==

    # mkdir cowca
    # cd cowca
    # mkdir certs private
    # chmod 700 private
    # echo 01 > serial
    # touch index.txt

== Setup of the openssl.cnf ==

    [ ca ]
    default_ca = cowca

    [ cowca ]
    dir = .
    certificate = $dir/cacert.pem
    database = $dir/index.txt
    new_certs_dir = $dir/certs
    private_key = $dir/private/cakey.pem
    serial = $dir/serial

    default_crl_days = 7
    default_days = 365
    default_md = sha1

    policy = cowca_policy
    x509_extensions = certificate_extensions

    [ cowca_policy ]
    commonName = supplied
    stateOrProvinceName = optional
    countryName = optional
    emailAddress = optional
    organizationName = optional
    organizationalUnitName = optional

    [ certificate_extensions ]
    basicConstraints = CA:false

    [ req ]
    default_bits = 2048
    default_keyfile = ./private/cakey.pem
    default_md = sha1
    prompt = yes
    distinguished_name = root_ca_distinguished_name
    x509_extensions = root_ca_extensions

    [ root_ca_distinguished_name ]
    commonName = hostname

    [ root_ca_extensions ]
    basicConstraints = CA:true
    keyUsage = keyCertSign, cRLSign

    [ client_ca_extensions ]
    basicConstraints = CA:false
    keyUsage = digitalSignature
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2

    [ server_ca_extensions ]
    basicConstraints = CA:false
    keyUsage = keyEncipherment
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

== Generate key and certificates to be used with the CA ==

# openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
    -out cacert.pem -outform PEM -subj /CN=CowCA/ -nodes
# openssl x509 -in cacert.pem -out cacert.cer -outform DER

== Create server certificates ==

    # cd ..
    # mkdir server
    # cd server
    # openssl genrsa -out key.pem 2048
    # openssl req -new -key key.pem -out req.pem -outform PEM \
        -subj /CN=$(hostname)/O=server/ -nodes
    # cd ../cowca
    # openssl ca -config openssl.cnf -in ../server/req.pem -out \
        ../server/cert.pem -notext -batch -extensions server_ca_extensions
    # cd ../server
    # openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

== Create client certificates ==

    # cd ..
    # mkdir client
    # cd client
    # openssl genrsa -out key.pem 2048
    # openssl req -new -key key.pem -out req.pem -outform PEM \
        -subj /CN=$(hostname)/O=client/ -nodes
    # cd ../testca
    # openssl ca -config openssl.cnf -in ../client/req.pem -out \
        ../client/cert.pem -notext -batch -extensions client_ca_extensions
    # cd ../client
    # openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword