# Créer une CSR avec des SAN sur OpenSSL : https://net-security.fr/security/creer-une-csr-avec-des-san-sur-openssl/
# Provide subjectAltName to openssl directly on the command line : https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
# Creating RSA Keys using OpenSSL : https://www.scottbrady91.com/openssl/creating-rsa-keys-using-openssl
# Open Quantum Safe interop test server for quantum-safe cryptography : https://test.openquantumsafe.org/
# OpenSSL Certificate Authority > Create the intermediate pair : https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
# strongX509 / docker / pq-strongswan / scripts / gen_certs.sh : https://github.com/strongX509/docker/blob/master/pq-strongswan/scripts/gen_certs.sh
# -------------
# 20241104
# ------------------------------------------------------------------------------------------------ Créer une CA en RSA pour qu'elle soit valide dans les systèmes d'exploitation et signer vos certificats clients avec.
# --------- Création des clefs de l'autorité de certification.
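# ---------------------------------------------------------------------------
# Certificate-authority key pair and self-signed root certificate.
#
# `pki --gen` writes an UNENCRYPTED private key through a plain shell
# redirection, so the file gets the permissions implied by the current umask
# (typically 022, i.e. world-readable). Force owner-only permissions before
# creating anything under private/, and make sure the target directories exist
# (a redirection into a missing directory fails).
# ---------------------------------------------------------------------------
umask 077
mkdir -p private x509ca

# Active choice: RSA 4096. An RSA root is what OS/browser trust stores and
# ordinary IKE clients accept without special builds.
pki --gen --type rsa --size 4096 --outform pem > private/CAkey_LAB3W-RSA4096.pem

# Alternative CA key types, kept for reference (same layout, other algorithm).
# falcon1024 only exists in the post-quantum strongSwan build (pq-strongswan)
# and is not understood by stock OS trust stores.
#pki --gen --type falcon1024 --outform pem > private/caKey-falcon1024.pem
#pki --gen --type ecdsa --size 384 --outform pem > private/caKey-ecdsa_384.pem
#pki --gen --type ed25519 --outform pem > private/caKey-ed25519.pem
#pki --gen --type rsa --size 3072 --outform pem > private/caKey-rsa_3072.pem

# --------- Self-signed CA certificate.
# --ca marks the certificate as a CA; --lifetime is in days (3652 ≈ 10 years).
pki --self --ca --type rsa --in private/CAkey_LAB3W-RSA4096.pem --lifetime 3652 \
  --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : RSA4096" \
  --outform pem > x509ca/CAcert_LAB3W-RSA4096.pem

# Self-signed certificates matching the commented-out keys above.
#pki --self --ca --type priv --in private/caKey-falcon1024.pem --lifetime 3652 --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : FALCON1024" --outform pem > x509ca/caCert-falcon1024.pem
#pki --self --ca --type ecdsa --in private/caKey-ecdsa_384.pem --lifetime 3652 --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : ECDSA384" --outform pem > x509ca/caCert-ecdsa_384.pem
#pki --self --ca --type ed25519 --in private/caKey-ed25519.pem --lifetime 3652 --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : ED25519" --outform pem > x509ca/caCert-ed25519.pem
#pki --self --ca --type rsa --in private/caKey-rsa_3072.pem --lifetime 3652 --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : RSA3072" --outform pem > x509ca/caCert-rsa_3072.pem

# ------------------------------------------------------------------------------------------------ Client certificates.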
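# ================================================================ Example: client "MyClient"
# Assumes the swanctl layout (private/, x509/, x509ca/, tmp/) relative to the
# current directory. umask 077 keeps the unencrypted private keys that
# `pki --gen` writes through a redirection from being world-readable.
umask 077
mkdir -p private x509 x509ca tmp

# --------- Client key pairs, one per algorithm (pick one; the rest are for interop tests).
# For Ed25519/Ed448/Dilithium/Falcon the key size is implied by the type name,
# so no --size is passed for them (the original passed --size 1024 to falcon1024).
pki --gen --type rsa --size 3072 --outform pem > private/MyClient-Key-RSA3072.pem
pki --gen --type rsa --size 4096 --outform pem > private/MyClient-Key-RSA4096.pem
pki --gen --type ed25519 --outform pem > private/MyClient-Key-ed25519.pem
pki --gen --type ecdsa --size 384 --outform pem > private/MyClient-Key-ecdsa-384.pem
pki --gen --type ed448 --outform pem > private/MyClient-Key-ed448.pem
pki --gen --type ecdsa --size 521 --outform pem > private/MyClient-Key-ecdsa-521.pem
pki --gen --type dilithium5 --outform pem > private/MyClient-Key-dilithium5.pem
pki --gen --type falcon1024 --outform pem > private/MyClient-Key-falcon1024.pem

# --------- Certificate request, to be signed by CAcert_LAB3W-RSA4096.pem
# Bug fixed: the original read private/MyClient-Key-Dilithium5.pem (capital D)
# although the key was generated as ...-dilithium5.pem; on a case-sensitive
# filesystem the request failed. --san values are identities as strongSwan
# understands them (FQDN, e-mail, IP); "MyClient" is a bare label, not a
# resolvable hostname — fine for an IKE identity, not for TLS hostname matching.
pki --req --type priv --in private/MyClient-Key-dilithium5.pem \
  --dn "C=FR, O=LAB3W, CN=MyClient" \
  --san MyClient --san MyClient_AltName \
  --outform pem > tmp/MyClient-Req-dilithium5.pem

# --------- Issue the client certificate "MyClient"
# Serial numbers must be unique per issuing CA (RFC 5280 §4.1.2.2). The
# original hard-coded --serial 01 on every --issue, so all certificates of
# this CA shared one serial, which breaks CRL/OCSP revocation and strict
# validators. --serial is omitted so pki allocates a random serial.
# --lifetime is in days (1826 ≈ 5 years).
pki --issue --cacert x509ca/CAcert_LAB3W-RSA4096.pem --cakey private/CAkey_LAB3W-RSA4096.pem \
  --type pkcs10 --in tmp/MyClient-Req-dilithium5.pem --lifetime 1826 \
  --outform pem > x509/MyClient-Cert-Dilithium5-signed-by-CAcert_LAB3W-RSA4096.pem

# ================================================================ Client "vps.uk.ipv10.net"
pki --gen --type dilithium5 --outform pem > private/vps.uk.ipv10.net-Key-Dilithium5.pem

# --------- Certificate request (CN plus the two alternative FQDNs as SANs)
pki --req --type priv --in private/vps.uk.ipv10.net-Key-Dilithium5.pem \
  --dn "C=FR, O=LAB3W, CN=vps.uk.ipv10.net" \
  --san vps.uk.lab3w.com --san vps.uk.zw3b.net \
  --outform pem > tmp/vps.uk.ipv10.net-Req-dilithium5.pem

# --------- Issue the certificate (random serial, see above)
pki --issue --cacert x509ca/CAcert_LAB3W-RSA4096.pem --cakey private/CAkey_LAB3W-RSA4096.pem \
  --type pkcs10 --in tmp/vps.uk.ipv10.net-Req-dilithium5.pem --lifetime 1826 \
  --outform pem > x509/vps.uk.ipv10.net-Cert-Dilithium5-signed-by-CAcert_LAB3W-RSA4096.pem

# ------------------------------------------------------------------------------------------------
# Reading a certificate (session transcript, kept as comments — these lines are
# not shell). The file inspected here, caCert-ecdsa-384.pem with CN
# "ZW3B Cyber Root CA" (no algorithm suffix), is not produced by the commands
# above; it apparently comes from an earlier CA run. Note that `pki --print`
# shows validity in local time (01:43:36) while `openssl x509` shows GMT
# (00:43:36) — same instant. `openssl x509 -text -noout` would omit the PEM dump.
#
# root@vps-de:/etc/swanctl # pki --print --type x509 --in /root/swanctl/x509ca/caCert-ecdsa-384.pem
#   subject:  "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA"
#   issuer:   "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA"
#   validity:  not before Jan 10 01:43:36 2024, ok
#              not after  Jan 09 01:43:36 2034, ok (expires in 3384 days)
#   serial:    1a:7e:dd:79:67:21:10:b0
#   flags:     CA CRLSign self-signed
#   subjkeyId: db:bf:14:24:2a:bc:e6:8f:44:51:b2:46:1e:b2:d4:2e:c2:1c:3a:75
#   pubkey:    ECDSA 384 bits
#   keyid:     8f:da:bb:de:e9:4f:e8:4f:c9:9c:28:43:28:25:93:55:67:e5:13:98
#   subjkey:   db:bf:14:24:2a:bc:e6:8f:44:51:b2:46:1e:b2:d4:2e:c2:1c:3a:75
#
# root@vps-de:/etc/swanctl # openssl x509 --text --in /root/swanctl/x509ca/caCert-ecdsa-384.pem
# Certificate:
#     Data:
#         Version: 3 (0x2)
#         Serial Number: 1909206805542670512 (0x1a7edd79672110b0)
#         Signature Algorithm: ecdsa-with-SHA384
#         Issuer: C = FR, O = LAB3W, CN = ZW3B Cyber Root CA
#         Validity
#             Not Before: Jan 10 00:43:36 2024 GMT
#             Not After : Jan  9 00:43:36 2034 GMT
#         Subject: C = FR, O = LAB3W, CN = ZW3B Cyber Root CA
#         Subject Public Key Info:
#             Public Key Algorithm: id-ecPublicKey
#                 Public-Key: (384 bit)
#                 pub:
#                     04:92:10:b0:8c:c5:cd:30:4b:42:88:7e:93:f4:39:
#                     88:2b:e8:84:80:5e:5a:fa:2a:22:14:42:c9:a0:02:
#                     68:03:4c:01:e4:aa:f3:1d:99:24:34:e2:d9:b1:85:
#                     9e:bc:60:39:3c:5f:a1:35:d7:4f:7c:03:9f:4b:7f:
#                     80:60:1f:66:70:ff:0a:db:ab:b9:9d:6f:f8:9d:e0:
#                     29:6a:dc:6a:39:35:85:89:45:19:d8:d6:8e:2e:2d:
#                     28:14:99:fa:a6:b2:41
#                 ASN1 OID: secp384r1
#                 NIST CURVE: P-384
#         X509v3 extensions:
#             X509v3 Basic Constraints: critical
#                 CA:TRUE
#             X509v3 Key Usage: critical
#                 Certificate Sign, CRL Sign
#             X509v3 Subject Key Identifier:
#                 DB:BF:14:24:2A:BC:E6:8F:44:51:B2:46:1E:B2:D4:2E:C2:1C:3A:75
#     Signature Algorithm: ecdsa-with-SHA384
#          30:65:02:30:4f:02:da:a7:8a:c5:b2:76:f2:8b:20:ae:e1:6f:
#          29:c6:db:d0:02:81:36:ac:7d:2e:f6:b1:ae:20:20:69:cf:a4:
#          79:23:12:70:a4:e7:4c:78:ff:f9:ab:47:68:91:da:f2:02:31:
#          00:e5:66:21:49:91:f7:16:06:fd:09:4e:19:68:f9:fc:66:cf:
#          92:b0:ec:c3:21:93:fa:da:8d:74:01:b4:fb:78:9f:23:1c:d8:
#          5c:70:92:c8:55:e9:83:21:c8:84:1d:33:a3
# -----BEGIN CERTIFICATE-----
# MIIB6TCCAW+gAwIBAgIIGn7deWchELAwCgYIKoZIzj0EAwMwOjELMAkGA1UEBhMC
# RlIxDjAMBgNVBAoTBUxBQjNXMRswGQYDVQQDExJaVzNCIEN5YmVyIFJvb3QgQ0Ew
# HhcNMjQwMTEwMDA0MzM2WhcNMzQwMTA5MDA0MzM2WjA6MQswCQYDVQQGEwJGUjEO
# MAwGA1UEChMFTEFCM1cxGzAZBgNVBAMTElpXM0IgQ3liZXIgUm9vdCBDQTB2MBAG
# ByqGSM49AgEGBSuBBAAiA2IABJIQsIzFzTBLQoh+k/Q5iCvohIBeWvoqIhRCyaAC
# aANMAeSq8x2ZJDTi2bGFnrxgOTxfoTXXT3wDn0t/gGAfZnD/CturuZ1v+J3gKWrc
# ajk1hYlFGdjWji4tKBSZ+qayQaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
# Af8EBAMCAQYwHQYDVR0OBBYEFNu/FCQqvOaPRFGyRh6y1C7CHDp1MAoGCCqGSM49
# BAMDA2gAMGUCME8C2qeKxbJ28osgruFvKcbb0AKBNqx9LvaxriAgac+keSMScKTn
# THj/+atHaJHa8gIxAOVmIUmR9xYG/QlOGWj5/GbPkrDswyGT+tqNdAG0+3ifIxzY
# XHCSyFXpgyHIhB0zow==
# -----END CERTIFICATE-----

# -------------
# 20241030
# CA and server certificates (ca, fr, uk, de) — TODO: redo/verify with a stronger signing authority.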
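# Here the certificates were signed with rsa_3072 using x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem.
# All paths are relative to the swanctl directory (/etc/swanctl); the original
# mixed relative paths for key generation with absolute /etc/swanctl/private/...
# paths for the same CA key, which only agree when the cwd is /etc/swanctl.
# -----------------------------------------------------
# CA host: debian 11 bullseye, pq-strongswan 6.0
# ---
# `pki --gen` writes unencrypted private keys through a redirection: keep them
# owner-only, and make sure the target directories exist.
umask 077
mkdir -p private x509ca x509 tmp

# CA key pairs, one per algorithm
pki --gen --type falcon1024 --outform pem > private/LAB3W_ZW3B-caKey-falcon1024.pem
pki --gen --type ecdsa --size 384 --outform pem > private/LAB3W_ZW3B-caKey-ecdsa_384.pem
pki --gen --type ed25519 --outform pem > private/LAB3W_ZW3B-caKey-ed25519.pem
pki --gen --type rsa --size 3072 --outform pem > private/LAB3W_ZW3B-caKey-rsa_3072.pem

# Self-signed CA certificates (--lifetime in days, 3652 ≈ 10 years)
pki --self --ca --type priv --in private/LAB3W_ZW3B-caKey-falcon1024.pem --lifetime 3652 \
  --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : falcon1024" \
  --outform pem > x509ca/LAB3W_ZW3B-caCert-falcon1024.pem
pki --self --ca --type ecdsa --in private/LAB3W_ZW3B-caKey-ecdsa_384.pem --lifetime 3652 \
  --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : ecdsa_384" \
  --outform pem > x509ca/LAB3W_ZW3B-caCert-ecdsa_384.pem
pki --self --ca --type ed25519 --in private/LAB3W_ZW3B-caKey-ed25519.pem --lifetime 3652 \
  --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : ed25519" \
  --outform pem > x509ca/LAB3W_ZW3B-caCert-ed25519.pem
pki --self --ca --type rsa --in private/LAB3W_ZW3B-caKey-rsa_3072.pem --lifetime 3652 \
  --dn "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" \
  --outform pem > x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem

# -----------------------------------------------------
# CA server (srv.ca.lab3w.com) debian 12 bookworm pq-strongswan 6.0
# ---
# Two changes apply to every --issue below:
#  * --serial 01 is dropped. The original gave every certificate of a CA the
#    same serial; RFC 5280 §4.1.2.2 requires serials to be unique per issuer,
#    and duplicates break CRL/OCSP revocation and strict validators. Without
#    --serial, pki allocates a random serial.
#  * each request is written to its own tmp/<host>-Req-<alg>.pem instead of
#    every algorithm overwriting the same tmp/<host>-Req.pem.
# --lifetime 1826 days ≈ 5 years for an end-entity certificate.

# falcon1024 -----------------------
pki --gen --type falcon1024 --outform pem > private/srv.ca.lab3w.com-Key-falcon1024.pem
pki --req --type priv --in private/srv.ca.lab3w.com-Key-falcon1024.pem \
  --dn "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" \
  --san srv.ca.lab3w.com --outform pem > tmp/srv.ca.lab3w.com-Req-falcon1024.pem
# signed by the rsa_3072 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/srv.ca.lab3w.com-Req-falcon1024.pem --lifetime 1826 \
  --outform pem > x509/srv.ca.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem
# signed by the falcon1024 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-falcon1024.pem --cakey private/LAB3W_ZW3B-caKey-falcon1024.pem \
  --type pkcs10 --in tmp/srv.ca.lab3w.com-Req-falcon1024.pem --lifetime 1826 \
  --outform pem > x509/srv.ca.lab3w.com-Cert-falcon1024-sign_ca-falcon1024.pem

# dilithium5 -----------------------
pki --gen --type dilithium5 --outform pem > private/srv.ca.lab3w.com-Key-dilithium5.pem
pki --req --type priv --in private/srv.ca.lab3w.com-Key-dilithium5.pem \
  --dn "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" \
  --san srv.ca.lab3w.com --outform pem > tmp/srv.ca.lab3w.com-Req-dilithium5.pem
# signed by the rsa_3072 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/srv.ca.lab3w.com-Req-dilithium5.pem --lifetime 1826 \
  --outform pem > x509/srv.ca.lab3w.com-Cert-dilithium5-sign_ca-rsa_3072.pem
# signed by the falcon1024 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-falcon1024.pem --cakey private/LAB3W_ZW3B-caKey-falcon1024.pem \
  --type pkcs10 --in tmp/srv.ca.lab3w.com-Req-dilithium5.pem --lifetime 1826 \
  --outform pem > x509/srv.ca.lab3w.com-Cert-dilithium5-sign_ca-falcon1024.pem

# ed25519 -----------------------
pki --gen --type ed25519 --outform pem > private/srv.ca.lab3w.com-Key-ed25519.pem
pki --req --type priv --in private/srv.ca.lab3w.com-Key-ed25519.pem \
  --dn "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" \
  --san srv.ca.lab3w.com --outform pem > tmp/srv.ca.lab3w.com-Req-ed25519.pem
# signed by the rsa_3072 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/srv.ca.lab3w.com-Req-ed25519.pem --lifetime 1826 \
  --outform pem > x509/srv.ca.lab3w.com-Cert-ed25519-sign_ca-rsa_3072.pem
# signed by the ed25519 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-ed25519.pem --cakey private/LAB3W_ZW3B-caKey-ed25519.pem \
  --type pkcs10 --in tmp/srv.ca.lab3w.com-Req-ed25519.pem --lifetime 1826 \
  --outform pem > x509/srv.ca.lab3w.com-Cert-ed25519-sign_ca-ed25519.pem

# rsa_3072 -----------------------
# The original stacked several overlapping attempts here; only the pki path is
# kept active. Notes on the discarded openssl lines, for reference:
#   openssl genrsa -out private/srv.ca.lab3w.com-Key-rsa_3072.pem 3072
#       equivalent key generation, but the pki --gen that followed overwrote it.
#   openssl req -new -x509 -key private/srv.ca.lab3w.com-Key-rsa_3072.pem -out tmp/srv.ca.lab3w.com-Req.pem -days 360
#       -x509 produces a SELF-SIGNED CERTIFICATE, not a CSR; it cannot be fed to --issue.
#   openssl req -new -subj "/C=FR/O=LAB3W/CN=srv.ca.lab3w.com" -addext "subjectAltName = DNS:srv.ca.lab3w.com" \
#       -keyout private/srv.ca.lab3w.com-Key-rsa_3072.pem -out tmp/srv.ca.lab3w.com-Req.pem -days 360
#       a valid CSR equivalent of `pki --req`, but it generates yet another key
#       into -keyout (overwriting the one above), prompts for a passphrase unless
#       -noenc (OpenSSL 3) / -nodes is given, and -days is ignored for a CSR.
#   openssl ca -policy policy_anything -out CA_LAB3W/zw3b.fr.cert.pem -infiles CA_LAB3W/zw3b.fr.newreq.pem
#       needs an openssl.cnf CA section and refers to an unrelated CA_LAB3W/
#       directory and request; not part of this pki-based flow.
pki --gen --type rsa --size 3072 --outform pem > private/srv.ca.lab3w.com-Key-rsa_3072.pem
pki --req --type priv --in private/srv.ca.lab3w.com-Key-rsa_3072.pem \
  --dn "C=FR, O=LAB3W, CN=srv.ca.lab3w.com" \
  --san srv.ca.lab3w.com --outform pem > tmp/srv.ca.lab3w.com-Req-rsa_3072.pem
# signed by the rsa_3072 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/srv.ca.lab3w.com-Req-rsa_3072.pem --lifetime 1826 \
  --outform pem > x509/srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem

# -----------------------------------------------------
# FR server (srv.fr.lab3w.com) debian 12 bookworm pq-strongswan 6.0
# ---
# falcon1024 -----------------------
pki --gen --type falcon1024 --outform pem > private/srv.fr.lab3w.com-Key-falcon1024.pem
pki --req --type priv --in private/srv.fr.lab3w.com-Key-falcon1024.pem \
  --dn "C=FR, O=LAB3W, CN=srv.fr.lab3w.com" \
  --san srv.fr.lab3w.com --outform pem > tmp/srv.fr.lab3w.com-Req-falcon1024.pem
# signed by the rsa_3072 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/srv.fr.lab3w.com-Req-falcon1024.pem --lifetime 1826 \
  --outform pem > x509/srv.fr.lab3w.com-Cert-falcon1024-sign_ca-rsa_3072.pem
# signed by the falcon1024 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-falcon1024.pem --cakey private/LAB3W_ZW3B-caKey-falcon1024.pem \
  --type pkcs10 --in tmp/srv.fr.lab3w.com-Req-falcon1024.pem --lifetime 1826 \
  --outform pem > x509/srv.fr.lab3w.com-Cert-falcon1024-sign_ca-falcon1024.pem

# dilithium5 -----------------------
# Bug fixed: the original generated this key into
# private/vps.uk.ipv10.net-Key-dilithium5.pem — the UK server's file, which the
# UK section later regenerates — so srv.fr's dilithium5 certificate would have
# ended up without its private key.
pki --gen --type dilithium5 --outform pem > private/srv.fr.lab3w.com-Key-dilithium5.pem
pki --req --type priv --in private/srv.fr.lab3w.com-Key-dilithium5.pem \
  --dn "C=FR, O=LAB3W, CN=srv.fr.lab3w.com" \
  --san srv.fr.lab3w.com --outform pem > tmp/srv.fr.lab3w.com-Req-dilithium5.pem
# signed by the rsa_3072 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/srv.fr.lab3w.com-Req-dilithium5.pem --lifetime 1826 \
  --outform pem > x509/srv.fr.lab3w.com-Cert-dilithium5-sign_ca-rsa_3072.pem
# signed by the falcon1024 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-falcon1024.pem --cakey private/LAB3W_ZW3B-caKey-falcon1024.pem \
  --type pkcs10 --in tmp/srv.fr.lab3w.com-Req-dilithium5.pem --lifetime 1826 \
  --outform pem > x509/srv.fr.lab3w.com-Cert-dilithium5-sign_ca-falcon1024.pem

# ed25519 -----------------------
# Bug fixed: the key was generated as private/vps.uk.ipv10.net-Key-ed25519.pem
# while the request read private/srv.fr.lab3w.com-Key-ed25519.pem, which did
# not exist; both now use the srv.fr file.
pki --gen --type ed25519 --outform pem > private/srv.fr.lab3w.com-Key-ed25519.pem
pki --req --type priv --in private/srv.fr.lab3w.com-Key-ed25519.pem \
  --dn "C=FR, O=LAB3W, CN=srv.fr.lab3w.com" \
  --san srv.fr.lab3w.com --outform pem > tmp/srv.fr.lab3w.com-Req-ed25519.pem
# signed by the ed25519 CA (the original issued no rsa_3072-signed variant here)
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-ed25519.pem --cakey private/LAB3W_ZW3B-caKey-ed25519.pem \
  --type pkcs10 --in tmp/srv.fr.lab3w.com-Req-ed25519.pem --lifetime 1826 \
  --outform pem > x509/srv.fr.lab3w.com-Cert-ed25519-sign_ca-ed25519.pem

# -----------------------------------------------------
# UK server (vps.uk.ipv10.net) debian 12 bookworm pq-strongswan 6.0
# ---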
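# Paths are relative to the swanctl directory (/etc/swanctl). `pki --gen`
# writes unencrypted private keys through a redirection: keep them owner-only.
umask 077
mkdir -p private x509 tmp pkcs12

# Applies to every --issue below: --serial 01 is dropped because RFC 5280
# §4.1.2.2 requires serials to be unique per issuer and the original gave every
# certificate of a CA the same serial (breaks CRL/OCSP revocation and strict
# validators); pki allocates a random serial when --serial is absent.
# Requests go to one tmp/<host>-Req-<alg>.pem per algorithm, and output names
# encode <key type>-sign_ca-<signing CA>.

# falcon1024 -----------------------
# Bug fixed: the original wrote the falcon1024-signed certificate to
# x509/vps.uk.ipv10.net-Cert-dilithium5-sign_ca-falcon1024.pem — the same file
# the dilithium5 section then wrote twice (once for the rsa_3072 signature), so
# only the last of the three certificates survived.
pki --gen --type falcon1024 --outform pem > private/vps.uk.ipv10.net-Key-falcon1024.pem
pki --req --type priv --in private/vps.uk.ipv10.net-Key-falcon1024.pem \
  --dn "C=FR, O=LAB3W, CN=vps.uk.ipv10.net" \
  --san vps.uk.ipv10.net --outform pem > tmp/vps.uk.ipv10.net-Req-falcon1024.pem
# signed by the rsa_3072 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/vps.uk.ipv10.net-Req-falcon1024.pem --lifetime 1826 \
  --outform pem > x509/vps.uk.ipv10.net-Cert-falcon1024-sign_ca-rsa_3072.pem
# signed by the falcon1024 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-falcon1024.pem --cakey private/LAB3W_ZW3B-caKey-falcon1024.pem \
  --type pkcs10 --in tmp/vps.uk.ipv10.net-Req-falcon1024.pem --lifetime 1826 \
  --outform pem > x509/vps.uk.ipv10.net-Cert-falcon1024-sign_ca-falcon1024.pem

# dilithium5 -----------------------
pki --gen --type dilithium5 --outform pem > private/vps.uk.ipv10.net-Key-dilithium5.pem
pki --req --type priv --in private/vps.uk.ipv10.net-Key-dilithium5.pem \
  --dn "C=FR, O=LAB3W, CN=vps.uk.ipv10.net" \
  --san vps.uk.ipv10.net --outform pem > tmp/vps.uk.ipv10.net-Req-dilithium5.pem
# signed by the rsa_3072 CA (the original misnamed this output ...-sign_ca-falcon1024.pem)
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/vps.uk.ipv10.net-Req-dilithium5.pem --lifetime 1826 \
  --outform pem > x509/vps.uk.ipv10.net-Cert-dilithium5-sign_ca-rsa_3072.pem
# signed by the falcon1024 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-falcon1024.pem --cakey private/LAB3W_ZW3B-caKey-falcon1024.pem \
  --type pkcs10 --in tmp/vps.uk.ipv10.net-Req-dilithium5.pem --lifetime 1826 \
  --outform pem > x509/vps.uk.ipv10.net-Cert-dilithium5-sign_ca-falcon1024.pem

# ed25519 -----------------------
pki --gen --type ed25519 --outform pem > private/vps.uk.ipv10.net-Key-ed25519.pem
pki --req --type priv --in private/vps.uk.ipv10.net-Key-ed25519.pem \
  --dn "C=FR, O=LAB3W, CN=vps.uk.ipv10.net" \
  --san vps.uk.ipv10.net --outform pem > tmp/vps.uk.ipv10.net-Req-ed25519.pem
# signed by the ed25519 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-ed25519.pem --cakey private/LAB3W_ZW3B-caKey-ed25519.pem \
  --type pkcs10 --in tmp/vps.uk.ipv10.net-Req-ed25519.pem --lifetime 1826 \
  --outform pem > x509/vps.uk.ipv10.net-Cert-ed25519-sign_ca-ed25519.pem

# -----------------------------------------------------
# DE server (vps.de.ipv10.net) debian 12 bookworm pq-strongswan 6.0
# (the original header said vps.fr.ipv10.net; the commands use vps.de.ipv10.net)
# ---
# falcon1024 -----------------------
pki --gen --type falcon1024 --outform pem > private/vps.de.ipv10.net-Key-falcon1024.pem
pki --req --type priv --in private/vps.de.ipv10.net-Key-falcon1024.pem \
  --dn "C=FR, O=LAB3W, CN=vps.de.ipv10.net" \
  --san vps.de.ipv10.net --outform pem > tmp/vps.de.ipv10.net-Req-falcon1024.pem
# signed by the rsa_3072 CA
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/vps.de.ipv10.net-Req-falcon1024.pem --lifetime 1826 \
  --outform pem > x509/vps.de.ipv10.net-Cert-falcon1024-sign_ca-rsa_3072.pem

# -----------------------------------------------------
# Client 1 (Windows) — also tested on Android
# ---
# NOTE(review): the built-in Windows and Android IKEv2 clients are commonly
# reported to require the gateway certificate to carry the serverAuth extended
# key usage (`--flag serverAuth` on `pki --issue`); none of the server
# certificates above set it — confirm against strongSwan's interoperability
# notes before relying on them with these clients.
pki --gen --type rsa --size 3072 --outform pem > private/orj-Key-rsa_3072.pem
pki --req --type priv --in private/orj-Key-rsa_3072.pem \
  --dn "C=FR, O=LAB3W, CN=orj@lab3w.fr" \
  --san orj@lab3w.fr --san orj@lab3w.com --outform pem > tmp/orj-Req.pem
pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/orj-Req.pem --lifetime 1826 \
  --outform pem > x509/orj-Cert-rsa_3072-sign_ca-rsa_3072.pem

# PKCS#12 bundle (private key + client cert + CA cert) for import on the client.
# Bug fixed: the original referenced private/orj-Key-rsa3072.pem,
# x509/orjCert-rsa_3072-sign_ca-rsa_3072.pem and x509ca/caCert-rsa_3072.pem —
# none of which matches the files produced above. `-export` prompts for an
# export password on the terminal; the .p12 contains the private key, so it is
# created under umask 077 and should be deleted once imported.
openssl pkcs12 -export -inkey private/orj-Key-rsa_3072.pem \
  -in x509/orj-Cert-rsa_3072-sign_ca-rsa_3072.pem -name "O.Romain.Jaillet-ramey" \
  -certfile x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem -caname "ZW3B Cyber Root CA" \
  -out pkcs12/orj-Cert-rsa_3072-sign_ca-rsa_3072.p12

# -----------------------------------------------------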