@jhonatasfender
Created April 28, 2020 05:27
# https://blog.theodo.com/2015/09/protect-your-node-js-api-with-nginx-and-ssl-client-certificates/
# https://gist.github.com/alexishida/607cca2e51ec356b1fe1909047ec70fd
# pass: 86JKGO849723IALH5ENCB0UZRBTOW71731HBDOS61OB
# changeit
rm -f ca.crt ca.key client.crt client.csr client.key client.p12 client.pem password password.pub
clear
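# Generate an RSA key in PEM format and write it to ./password (the file the next steps read).
# -m PEM is needed because openssl cannot parse the default OpenSSH private-key format.
ssh-keygen -t rsa -m PEM -f password
# Write the CA private key (removes the passphrase, if one was set)
openssl rsa -in password -out ca.key
# openssl genrsa -des3 -out ca.key 4096
# Self-signed CA certificate, valid for 365 days
openssl req -new -x509 -days 365 -key ca.key -out ca.crt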
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt -config localhost.conf
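# Note: client.key comes from the same ./password key as ca.key, so the client ends up holding the CA private key.
# Generate a separate client key (e.g. with the genrsa line below) for anything beyond a local test.
openssl rsa -in password -out client.key
# openssl genrsa -des3 -out client.key 4096
# Certificate signing request for the client key
openssl req -new -key client.key -out client.csr
# Sign the client CSR with the CA (ca.crt / ca.key)
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt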
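# Package the client certificate and key as PKCS#12, then export that bundle back to PEM
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
openssl pkcs12 -in client.p12 -out client.pem -clcerts
# Check that client.crt chains to ca.crt
openssl verify -verbose -CAfile ca.crt client.crt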
# openssl verify -CApath ./
# keytool -import -alias proxy_saida -keystore /usr/lib/jvm/jdk-11.0.7/lib/security/cacerts -file /usr/share/ca-certificates/ca.crt
# openssl x509 -in client.crt -noout -purpose | grep 'SSL client :'
# openssl dhparam -out dhparam.pem 2048
# curl -v -k --key client.key --cert client.crt https://localhost/xxxx
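# -k disables server certificate verification, so --cacert has no effect here;
# drop -k to have curl verify the server against ca.crt.
curl -v -k \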
--cacert ca.crt \
--key client.key \
--cert client.crt \
https://localhost/xxxx
# curl -v \
# --cert bundle.pem:86JKGO849723IALH5ENCB0UZRBTOW71731HBDOS61OB \
# https://localhost/xxxx
# sudo curl -v --insecure \
# --cacert ca.crt \
# https://localhost/xxxx
# wget --ca-certificate=ca.crt --certificate=client.pem \
# --private-key=client.key https://localhost:443/xxxx
# cat client.key client.crt ca.crt > bundle.pem
# openssl pkcs12 -export -in bundle.pem -out bundle.p12