ECC

ECC X.509

mkdir -p cert/ecc

CA KEY

 openssl ecparam -genkey -name secp384r1 | \
 openssl ec -aes256 -out cert/ecc/caroot.key

 openssl req -config cert/ecc/synrc.cnf -days 3650 \
         -new -x509 \
         -key cert/ecc/caroot.key \
         -out cert/ecc/caroot.pem \
         -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=CA"

CA CRL

 openssl ca -config cert/ecc/synrc.cnf \
         -gencrl -out cert/ecc/eccroot.crl

SERVER KEY

 openssl req -config cert/ecc/synrc.cnf \
         -new -newkey ec:<(openssl ecparam -name secp384r1) \
         -keyout cert/ecc/server.key.enc \
         -out cert/ecc/server.csr \
         -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=SERVER"

 openssl ec -in cert/ecc/server.key.enc \
         -out cert/ecc/server.key

SERVER CERT

 openssl ca -config cert/ecc/synrc.cnf \
         -extensions server_cert \
         -days 730 \
         -in cert/ecc/server.csr \
         -out cert/ecc/server.pem \
         -cert cert/ecc/caroot.pem \
         -keyfile cert/ecc/caroot.key

CLIENT KEY

 openssl req -config cert/ecc/synrc.cnf -passout pass:0 \
         -new -newkey ec:<(openssl ecparam -name secp384r1) \
         -keyout cert/ecc/client.key \
         -out cert/ecc/client.csr \
         -subj "/C=UA/ST=Kyiv/O=SYNRC/CN=Maxim"

CLIENT CERT

 openssl ca -config cert/ecc/synrc.cnf \
         -extensions usr_cert \
         -days 365 \
         -in cert/ecc/client.csr \
         -out cert/ecc/client.pem \
         -cert cert/ecc/caroot.pem \
         -keyfile cert/ecc/caroot.key

CLIENT PFX

 openssl pkcs12 -export \
         -inkey cert/ecc/client.key \
         -in cert/ecc/client.pem \
         -out cert/ecc/client.p12

ECC CNF

 [ ca ]
 default_ca = CA_default

 [ CA_default ]
 dir               = /home/ubuntu/depot/synrc
 certs             = $dir/cert/ecc
 crl_dir           = $dir/cert/ecc
 new_certs_dir     = $dir/cert/ecc
 database          = $dir/cert/ecc/index.txt
 serial            = $dir/cert/ecc/serial
 RANDFILE          = $dir/cert/ecc/.rand
 private_key       = $dir/cert/ecc/caroot.key
 certificate       = $dir/cert/ecc/caroot.pem
 crlnumber         = $dir/cert/ecc/crlnumber
 crl               = $dir/cert/ecc/eccroot.crl
 crl_extensions    = crl_ext
 default_crl_days  = 3650
 default_md        = sha384
 name_opt          = ca_default
 cert_opt          = ca_default
 default_days      = 3650
 preserve          = no
 policy            = policy_strict

 [ policy_strict ]
 countryName             = match
 stateOrProvinceName     = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied

 [ req ]
 default_bits        = 2048
 distinguished_name  = req_distinguished_name
 string_mask         = utf8only
 default_md          = sha384
 x509_extensions     = v3_ca

 [ req_distinguished_name ]
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
 localityName                    = Locality Name
 0.organizationName              = Organization Name
 organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
 commonName_default              = CA
 countryName_default             = UA
 stateOrProvinceName_default     = Kyiv
 localityName_default            = Kyiv
 0.organizationName_default      = SYNRC
 organizationalUnitName_default  = HQ

 [ v3_ca ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign

 [ v3_intermediate_ca ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 crlDistributionPoints = @crl_info
 authorityInfoAccess = @ocsp_info

 [ usr_cert ]
 basicConstraints = CA:FALSE
 nsCertType = client, email
 nsComment = "Synrc Client Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
 subjectAltName = @alt_names

 [ server_cert ]
 basicConstraints = CA:FALSE
 nsCertType = server
 nsComment = "Synrc Server Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_info
 authorityInfoAccess = @ocsp_info
 subjectAltName = @alt_names

 [alt_names]
 DNS.0 = localhost

 [ crl_ext ]
 authorityKeyIdentifier=keyid:always

 [ ocsp ]
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, digitalSignature
 extendedKeyUsage = critical, OCSPSigning

 [crl_info]
 URI.0 = http://crl.n2o.dev:8081/eccroot.crl

 [ocsp_info]
 caIssuers;URI.0 = http://crl.n2o.dev:8081/eccroot.crt
 OCSP;URI.0 = http://ocsp.n2o.dev:8081/

LibreSSL

 openssl s_server -accept 8772 \
      -key cert/ecc/server.key \
      -cert cert/ecc/server.pem \
      -CAfile cert/ecc/caroot.pem -Verify 1

 openssl s_client -connect localhost:8772 \
      -key cert/ecc/client.key \
      -cert cert/ecc/client.pem \
      -CAfile cert/ecc/caroot.pem -showcerts