I would like to create a self-signed CA and then generate signed client and server certificates. For this purpose I executed the following commands:
Create CA key and self-signed CA certificate:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out ca-key.pem
openssl req -x509 -new -nodes -addext keyUsage=critical,cRLSign,keyCertSign -key ca-key.pem -sha256 -days 3000 -out ca-cert.pem -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=MyCompany/OU=MyProduct/CN=myDomain"
Create client certificate signed with CA:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client-key.pem
openssl req -verbose -new -key client-key.pem -out client.csr -sha256 -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=MyCompany/OU=MyProduct/CN=myDomain"
openssl x509 -req -extfile openssl-ext.conf -extensions client_server -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -days 3000 -CAcreateserial -out client-cert.pem
Content of openssl-ext.conf is:
[ client_server ]
keyUsage = digitalSignature, keyEncipherment, keyAgreement
Convert client cert to der format:
openssl x509 -inform PEM -outform DER -in client-cert.pem -out client-cert.der
Convert client key to der format:
openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client-key.der -nocrypt
To generate the server certificate I basically repeat the process of the client certificate generation.
I have two issues with those certificates:
1. The function wolfSSL_CTX_use_PrivateKey_buffer(..., WOLFSSL_FILETYPE_ASN1) fails loading the client-key.der with a result code -4. However if I load the pem file and execute the function wolfSSL_CTX_use_PrivateKey_buffer(..., WOLFSSL_FILETYPE_PEM) I have no issue. What would be the reason?
2. Connection with these certificates does not work.
I use OpenSSL 1.1.1.
Any help would be appreciated.
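The first issue hinges on what is actually inside client-key.der. `openssl pkcs8 -topk8 -nocrypt` emits a PKCS#8 PrivateKeyInfo, which wraps the traditional PKCS#1 RSAPrivateKey that `openssl rsa -outform DER` would emit; a loader that wants one shape will reject the other. The following is an added example, not code from the original post and not part of OpenSSL or wolfSSL: a stdlib-only Python script with a minimal DER reader that reports which of the three common encodings a key file uses (PKCS#1, unencrypted PKCS#8, encrypted PKCS#8, or PEM text) and can strip the PKCS#8 wrapper. The embedded sample key material is constructed with toy numbers to exercise the layouts and is not a usable key; the `TOY_*` names and the helper functions are this example's own.

```python
"""Inspect a DER-encoded private key without any third-party library.

Distinguishes the shapes a private key commonly arrives in:
  * PKCS#1 RSAPrivateKey            (openssl rsa -outform DER)
  * PKCS#8 PrivateKeyInfo           (openssl pkcs8 -topk8 -nocrypt, openssl genpkey)
  * PKCS#8 EncryptedPrivateKeyInfo  (openssl pkcs8 -topk8 without -nocrypt)
and can strip the PKCS#8 wrapper to recover the RSAPrivateKey inside.
"""
import sys

SEQUENCE, INTEGER, OCTET_STRING, OID, NULL = 0x30, 0x02, 0x04, 0x06, 0x05
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def _children(value: bytes):
    """Split the value of a constructed type into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def classify_private_key(blob: bytes) -> str:
    """Return a label describing how the key bytes are encoded."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return "PEM (text, not DER)"
    tag, body, end = _read_tlv(blob, 0)
    if tag != SEQUENCE or end != len(blob):
        return "unknown (not a single top-level SEQUENCE)"
    members = _children(body)
    tags = [t for t, _ in members]
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER, privateKeyAlgorithm SEQUENCE,
    #                               privateKey OCTET STRING, attributes OPTIONAL }
    if tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING]:
        alg_tag, alg_val, _ = _read_tlv(members[1][1], 0)   # first member of AlgorithmIdentifier
        if alg_tag == OID and alg_val == RSA_ENCRYPTION_OID:
            return "PKCS#8 PrivateKeyInfo (rsaEncryption)"
        return "PKCS#8 PrivateKeyInfo (non-RSA algorithm)"
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm SEQUENCE, encryptedData OCTET STRING }
    if tags == [SEQUENCE, OCTET_STRING]:
        return "PKCS#8 EncryptedPrivateKeyInfo (password required)"
    # RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv, ... } all INTEGER
    if len(tags) >= 9 and all(t == INTEGER for t in tags[:9]):
        return "PKCS#1 RSAPrivateKey"
    return "unknown"


def unwrap_pkcs8(blob: bytes) -> bytes:
    """Strip an unencrypted PKCS#8 wrapper and return the inner RSAPrivateKey DER
    (the same bytes `openssl rsa -inform DER -outform DER` would write)."""
    if classify_private_key(blob) != "PKCS#8 PrivateKeyInfo (rsaEncryption)":
        raise ValueError("not an unencrypted PKCS#8 RSA key")
    _, body, _ = _read_tlv(blob, 0)
    inner = _children(body)[2][1]           # contents of the privateKey OCTET STRING
    if classify_private_key(inner) != "PKCS#1 RSAPrivateKey":
        raise ValueError("PKCS#8 payload is not an RSAPrivateKey")
    return inner


def _tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_uint(n: int) -> bytes:
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


# CONSTRUCTED sample: a toy RSA key (n = 61 * 53, e = 17) laid out in the real
# ASN.1 structures. The layout is faithful; the numbers are not a usable key.
TOY_PKCS1 = _tlv(SEQUENCE, b"".join(_der_uint(x) for x in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS8 = _tlv(SEQUENCE,
                 _der_uint(0)
                 + _tlv(SEQUENCE, _tlv(OID, RSA_ENCRYPTION_OID) + _tlv(NULL, b""))
                 + _tlv(OCTET_STRING, TOY_PKCS1))
TOY_PKCS8_ENCRYPTED = _tlv(SEQUENCE,
                           _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("2a864886f70d01050d")))  # PBES2 OID, parameters omitted
                           + _tlv(OCTET_STRING, bytes(16)))                                # placeholder ciphertext

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. python3 derkey.py client-key.der
        with open(sys.argv[1], "rb") as f:
            print(classify_private_key(f.read()))
    else:
        for name, blob in (("PKCS#1", TOY_PKCS1), ("PKCS#8", TOY_PKCS8),
                           ("PKCS#8 encrypted", TOY_PKCS8_ENCRYPTED)):
            print(f"{name:18s} -> {classify_private_key(blob)}")
```

Run it against client-key.der to see which wrapper the file carries; `openssl asn1parse -inform DER -in client-key.der` prints the same structure from the command line, and `openssl rsa -in client-key.pem -outform DER -out client-key-pkcs1.der` produces the unwrapped PKCS#1 form if the loader turns out to want that one.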