Использую небольшое Java-приложение, которое пытается подключиться к серверу MQTT Mosquitto:
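/**
 * Minimal test client: connects to an MQTT broker over TLS, subscribes to one topic and
 * disconnects.
 *
 * <p>The broker is authenticated against the CA certificate(s) read from a local file. No client
 * certificate is presented.
 */
public class TestMQTT3 {

    /**
     * Runs one connect / subscribe / disconnect cycle and prints progress to stdout.
     *
     * <p>Failures are printed as stack traces; the client is released in every case.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        System.out.println("Starting");
        String serverUrl = "ssl://192.168.1.8:8887";
        String path = "C:\\projects\\certs\\v1cert1\\";
        String caFilePath = path + "ca.crt";
        // Throwaway test credentials, hard-coded. Anything beyond a local test should read them
        // from configuration or the environment instead of the source file.
        String mqttUserName = "b";
        String mqttPassword = "b";
        MqttClient client = null;
        try {
            client = new MqttClient(serverUrl, "2");
            MqttConnectOptions options = new MqttConnectOptions();
            options.setUserName(mqttUserName);
            options.setPassword(mqttPassword.toCharArray());
            options.setConnectionTimeout(60);
            options.setKeepAliveInterval(60);
            options.setMqttVersion(MqttConnectOptions.MQTT_VERSION_3_1);
            // Disabled mutual-TLS variant. NOTE(review): the last argument looks like a key
            // passphrase inlined in source; keep such values out of the code.
            //SSLSocketFactory socketFactory = getSocketFactory2(caFilePath,clientCrtFilePath, clientPKCS8KeyFilePath, "vlk32gm5");
            SSLSocketFactory socketFactory = getSocketFactory3(caFilePath);
            options.setSocketFactory(socketFactory);
            System.out.println("starting connect the server...");
            // NOTE: an SSLProtocolException "no more data allowed for version 1 certificate"
            // raised here comes from the JDK parsing the certificate the broker sends, so it has
            // to be fixed where the certificates are generated, not in the socket factory.
            client.connect(options);
            System.out.println("connected!");
            Thread.sleep(1000);
            client.subscribe(
                    "/u/56ca327d17531d08e76bddd4a215e37f5fd6082f7442151c4d3f1d100a0ffd4e",
                    0);
            client.disconnect();
            System.out.println("disconnected!");
        } catch (MqttException e) {
            e.printStackTrace();
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up can still observe it.
            Thread.currentThread().interrupt();
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            releaseClient(client);
        }
    }

    /**
     * Disconnects the client if it is still connected and frees its resources.
     *
     * @param client the client to release; may be {@code null} when construction failed
     */
    private static void releaseClient(MqttClient client) {
        if (client == null) {
            return;
        }
        try {
            if (client.isConnected()) {
                client.disconnect();
            }
            client.close();
        } catch (MqttException e) {
            e.printStackTrace();
        }
    }

    /**
     * Builds a TLS 1.2 socket factory that trusts only the certificates found in the given file.
     *
     * <p>Every certificate in the file becomes a trust anchor (the file may hold several,
     * concatenated). No key material is configured, so the client does not authenticate itself
     * with a certificate.
     *
     * @param caCrtFile path of the file holding the CA certificate(s)
     * @return a socket factory whose trust decisions are based solely on that file
     * @throws IllegalArgumentException if the file contains no certificate
     * @throws Exception if the file cannot be read or parsed, or the TLS context cannot be built
     */
    private static SSLSocketFactory getSocketFactory3(final String caCrtFile) throws Exception {
        // Kept from the original: registers BouncyCastle JVM-wide. Nothing in this method names
        // a provider explicitly, so the lookups below use the default provider order.
        Security.addProvider(new BouncyCastleProvider());

        // In-memory trust store that will hold only the CA certificate(s) from the file.
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int loaded = 0;
        // try-with-resources closes the file even when parsing fails.
        try (BufferedInputStream bis = new BufferedInputStream(new FileInputStream(caCrtFile))) {
            while (bis.available() > 0) {
                X509Certificate caCert = (X509Certificate) cf.generateCertificate(bis);
                System.out.println(caCert.toString());
                // One alias per certificate, so a bundle does not collapse to its last entry.
                caKs.setCertificateEntry("ca-certificate-" + loaded, caCert);
                loaded++;
            }
        }
        if (loaded == 0) {
            // Fail here with a clear message rather than building a context that trusts nothing.
            throw new IllegalArgumentException("No certificate found in " + caCrtFile);
        }

        // The CA certificate(s) are used to authenticate the server.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(caKs);

        // No key managers (no client certificate); default SecureRandom.
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }
}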
Получено исключение «no more data allowed for version 1 certificate». Означает ли это, что я добавил лишние данные при создании сертификатов? Как это исправить?
Полный текст исключения:
[
[
Version: V1
Subject: CN=192.168.1.8, O=KKK, L=London, ST=Some-State, C=EN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 22719559810083517491909000247132339461249719470652949862986827334901608600589679732441866997871147310866338850348308507945917576447555464822610703376220268171095737986004282342692433176036425215221660818545052652869581909689937776657975043908350238689319487771097966974817677894035239075257295777450253608248548795164791768001746409155638235628618974146122052642336965142533832882363992270778518206243586048144562512054071590298533267455082804212003487463538257377318690253962622465146752210606430933731401326048010743114828777989958366127133559917492234562152725553902506941299715458542263237882048715132459709162823
public exponent: 65537
Validity: [From: Mon Jan 13 19:52:59 EET 2020,
To: Thu Jan 10 19:52:59 EET 2030]
Issuer: CN=192.168.1.8, O=KKK, L=London, ST=Some-State, C=EN
SerialNumber: [ de16bc63 b78467ee]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 6C E8 E4 8C 66 ED 4D 2C E7 7F 02 8D 59 AD 52 64 l...f.M,....Y.Rd
0010: 8C 11 80 38 F7 35 42 8B A6 EB 4F D3 79 5B AF A8 ...8.5B...O.y[..
0020: CC 24 9D C8 1D 31 BC 89 CA CB 83 7B 77 93 41 73 .$...1......w.As
0030: 4A C7 8C DA 38 D1 1A DC 21 9A B6 F3 0F C4 AC 6D J...8...!......m
0040: 03 1B 00 C9 B5 40 DE 32 12 D2 B1 66 7F 7B 1A 8F .....@.2...f....
0050: FC E3 19 24 6B DE 31 3B 5E C0 07 6C B6 9C 67 07 ...$k.1;^..l..g.
0060: 14 19 61 58 2B C0 1B CF B6 CB 10 6E 25 2C 85 66 ..aX+......n%,.f
0070: 61 54 1E 29 E2 24 0F 14 BB A5 21 AC 93 92 D6 2E aT.).$....!.....
0080: 55 AF 80 5D DE A2 CE 70 D0 D7 F3 1C 9F 4F 07 05 U..]...p.....O..
0090: 15 71 C7 0C C8 5E B4 1B 87 65 68 30 26 3C EE 00 .q...^...eh0&<..
00A0: 05 1E CF E8 41 6B 17 31 9C A5 BE CD 15 E9 39 0E ....Ak.1......9.
00B0: 90 92 97 ED A2 C5 F9 1C 21 9F 6A DF 36 53 4B 84 ........!.j.6SK.
00C0: A0 1F C7 99 36 BC 15 FA 10 84 C9 27 0A CE 9D F3 ....6......'....
00D0: D5 28 B3 D5 C0 72 DA CD F2 0B 91 72 03 D3 48 48 .(...r.....r..HH
00E0: 78 75 C8 95 1F 03 C7 10 4D D1 60 C0 73 95 B9 9E xu......M.`.s...
00F0: 90 3D F2 69 A6 9A AF 8B 95 DD 3F 18 C8 6A EE E1 .=.i......?..j..
]
adding as trusted cert:
Subject: CN=192.168.1.8, O=KKK, L=London, ST=Some-State, C=EN
Issuer: CN=192.168.1.8, O=KKK, L=London, ST=Some-State, C=EN
Algorithm: RSA; Serial number: 0xde16bc63b78467ee
Valid from Mon Jan 13 19:52:59 EET 2020 until Thu Jan 10 19:52:59 EET 2030
System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_RSA_WITH_NULL_SHA256
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
Ignoring disabled cipher suite: SSL_RSA_WITH_NULL_MD5
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
trigger seeding of SecureRandom
done seeding SecureRandom
starting connect the server...
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
MQTT Con: 2, setSoTimeout(1000) called
MQTT Con: 2, setSoTimeout(60000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1578882131 bytes = { 57, 222, 150, 110, 156, 181, 223, 196, 49, 119, 224, 10, 49, 155, 71, 116, 198, 224, 188, 11, 171, 60, 141, 36, 81, 46, 19, 89 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=192.168.1.8]
***
MQTT Con: 2, WRITE: TLSv1.2 Handshake, length = 199
MQTT Con: 2, READ: TLSv1.2 Handshake, length = 81
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie: GMT: -817156553 bytes = { 175, 214, 119, 236, 117, 110, 42, 142, 130, 202, 231, 127, 145, 104, 168, 165, 214, 135, 240, 0, 215, 235, 60, 110, 181, 100, 164, 181 }
Session ID: {9, 153, 67, 139, 84, 185, 224, 62, 87, 199, 169, 158, 226, 206, 196, 247, 4, 179, 239, 181, 48, 130, 249, 113, 252, 105, 139, 94, 134, 171, 186, 162}
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-1, TLS_RSA_WITH_AES_256_GCM_SHA384]
** TLS_RSA_WITH_AES_256_GCM_SHA384
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
MQTT Con: 2, READ: TLSv1.2 Handshake, length = 1693
check handshake state: certificate[11]
MQTT Con: 2, handling exception: javax.net.ssl.SSLProtocolException: no more data allowed for version 1 certificate
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_GCM_SHA384]
MQTT Con: 2, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
MQTT Con: 2, WRITE: TLSv1.2 Alert, length = 2
MQTT Con: 2, called closeSocket()
MQTT Con: 2, called close()
MQTT Con: 2, called closeInternal(true)
MqttException (0) - javax.net.ssl.SSLProtocolException: no more data allowed for version 1 certificate
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLProtocolException: no more data allowed for version 1 certificate
at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:458)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:221)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
... 1 more
Caused by: java.security.cert.CertificateParsingException: no more data allowed for version 1 certificate
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:672)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:104)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:455)
... 10 more
Генерация сертификатов V1:
# Create the CA private key (2048-bit RSA), stored encrypted with 3DES under a passphrase.
openssl genrsa -des3 -out ca.key 2048
# Self-sign the CA certificate, valid for 3650 days. With -x509, req takes certificate
# extensions from the x509_extensions setting (or -extensions); san_ca.cnf sets only
# req_extensions, which applies to requests, so no extensions end up in ca.crt. That is
# consistent with the "Version: 1" shown for this certificate on the page.
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config san_ca.cnf
# Server key and CSR. -nodes leaves server.key unencrypted on disk, so restrict its file
# permissions.
openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config san_server.cnf
# Sign the server CSR with the CA settings in san_server.cnf. -batch signs without asking
# for confirmation, so the issued certificate is not reviewed before it is written.
openssl ca -config san_server.cnf -create_serial -batch -in server.csr -out server.crt
# Client key and CSR, again with an unencrypted private key (-nodes).
openssl req -out client.csr -newkey rsa:2048 -nodes -keyout client.key -config san_client.cnf
# Sign the client CSR (san_client.cnf is not shown on the page).
openssl ca -config san_client.cnf -create_serial -batch -in client.csr -out client.crt
Файлы конфигурации OpenSSL:
san_ca.cnf
# Configuration passed to `openssl req -new -x509` to create the self-signed CA certificate.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
# req_extensions names the extensions placed in a certificate *request*. For a self-signed
# certificate (req -x509) the extensions come from x509_extensions, which is not set here.
# NOTE(review): a CA certificate normally carries basicConstraints CA:TRUE (and keyUsage
# keyCertSign); presumably these belong in an x509_extensions section. Confirm.
req_extensions = req_ext
# Take the subject from this file instead of prompting.
prompt = no
[req_distinguished_name]
countryName =EN
stateOrProvinceName = Some-State
localityName = London
organizationName = KKK
commonName = 192.168.1.8
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.8
DNS.1 = glass
san_server.cnf
# Used twice on the page: by `openssl req` ([req] and the sections it references) to build
# the server CSR, and by `openssl ca` ([ca], [CA_default], [policy_anything]) to sign it.
[ca]
default_ca=CA_default
[CA_default]
# NOTE(review): no x509_extensions is set in this section. `openssl ca` documents that
# without an extension section it issues a V1 certificate, while copy_extensions below
# still copies the request's extensions into it. A V1 certificate that carries extensions
# is what the Java error "no more data allowed for version 1 certificate" rejects.
# Presumably adding x509_extensions=<section> here (the section may be minimal) makes the
# issued certificate V3. Confirm with `openssl x509 -in server.crt -noout -text`.
dir=./ca
database=$dir/index.txt
new_certs_dir=$dir/newcerts
serial=$dir/serial
private_key=./ca.key
certificate=./ca.crt
default_days=3650
default_md=sha256
policy=policy_anything
# copyall copies every extension from the CSR into the issued certificate, including
# security-relevant ones such as basicConstraints. Only safe when every CSR is fully
# under your own control; otherwise restrict what is copied and review each request.
copy_extensions=copyall
# Every subject field is optional: the CA signs requests with any distinguished name.
[policy_anything]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=optional
emailAddress=optional
[req]
prompt=no
distinguished_name=req_distinguished_name
# Extensions placed in the CSR (the subjectAltName entries below).
req_extensions=v3_req
# Disabled. In [req] this setting only affects `req -x509`, not what `openssl ca` issues.
#x509_extensions=v3_ca
[req_distinguished_name]
countryName=EN
stateOrProvinceName=Some-State
localityName=London
organizationName=Internet Widgits Pty Ltd
commonName=192.168.1.8
[v3_req]
subjectAltName=@alt_names
[v3_ca]
subjectAltName=@alt_names
# Names the server certificate is valid for. The client on this page connects to
# 192.168.1.8, which is listed as IP.2.
[alt_names]
IP.1=127.0.0.1
IP.2=192.168.1.8
DNS.1=localhost
Содержимое ca.cer (подробно):
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
de:16:bc:63:b7:84:67:ee
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=EN, ST=Some-State, L=London, O=KKK, CN=192.168.1.8
Validity
Not Before: Jan 13 17:52:59 2020 GMT
Not After : Jan 10 17:52:59 2030 GMT
Subject: C=EN, ST=Some-State, L=London, O=KKK, CN=192.168.1.8
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b3:f9:3c:9b:86:2f:95:6c:45:6e:2d:98:69:c4:
39:4e:22:c4:f7:f1:b6:66:c4:59:d3:f5:bb:fb:f9:
3e:fc:a5:8b:07:9f:2f:f6:05:24:33:54:3b:50:3f:
96:40:69:40:68:85:b0:1c:43:65:d0:36:73:1f:cd:
3e:0b:6a:32:fe:95:4d:4c:be:cb:e9:04:44:d1:6f:
ab:79:da:48:28:06:cf:09:20:5b:04:69:ec:64:c8:
a9:3e:9e:e4:da:12:0d:04:da:63:3c:f8:55:c0:3a:
df:00:56:95:f7:d3:7d:1e:d5:de:d9:4c:ff:98:b5:
e9:98:5c:59:54:15:b5:b5:06:48:99:6f:db:1a:22:
1f:e5:9a:f4:fa:9e:b0:9f:6b:77:7b:a4:bc:45:ed:
10:ec:d0:a8:71:2f:77:e0:b8:16:9b:d1:9b:f7:6f:
22:db:f1:47:8e:4d:e7:18:cc:76:6b:ff:68:76:1f:
3a:80:c5:16:a9:71:ce:a2:2c:fa:4f:ec:f2:21:74:
a7:82:54:69:07:bb:0e:d9:d3:60:24:4b:67:fa:be:
f7:02:13:b1:90:b8:aa:86:d6:84:93:73:ee:66:b6:
45:29:9c:99:d0:6b:67:30:1a:b0:cf:af:99:51:ed:
9d:63:5f:d6:50:49:bc:f5:24:02:66:48:2f:2f:50:
e5:47
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
6c:e8:e4:8c:66:ed:4d:2c:e7:7f:02:8d:59:ad:52:64:8c:11:
80:38:f7:35:42:8b:a6:eb:4f:d3:79:5b:af:a8:cc:24:9d:c8:
1d:31:bc:89:ca:cb:83:7b:77:93:41:73:4a:c7:8c:da:38:d1:
1a:dc:21:9a:b6:f3:0f:c4:ac:6d:03:1b:00:c9:b5:40:de:32:
12:d2:b1:66:7f:7b:1a:8f:fc:e3:19:24:6b:de:31:3b:5e:c0:
07:6c:b6:9c:67:07:14:19:61:58:2b:c0:1b:cf:b6:cb:10:6e:
25:2c:85:66:61:54:1e:29:e2:24:0f:14:bb:a5:21:ac:93:92:
d6:2e:55:af:80:5d:de:a2:ce:70:d0:d7:f3:1c:9f:4f:07:05:
15:71:c7:0c:c8:5e:b4:1b:87:65:68:30:26:3c:ee:00:05:1e:
cf:e8:41:6b:17:31:9c:a5:be:cd:15:e9:39:0e:90:92:97:ed:
a2:c5:f9:1c:21:9f:6a:df:36:53:4b:84:a0:1f:c7:99:36:bc:
15:fa:10:84:c9:27:0a:ce:9d:f3:d5:28:b3:d5:c0:72:da:cd:
f2:0b:91:72:03:d3:48:48:78:75:c8:95:1f:03:c7:10:4d:d1:
60:c0:73:95:b9:9e:90:3d:f2:69:a6:9a:af:8b:95:dd:3f:18:
c8:6a:ee:e1
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----