create and sign cert for ssl server

Makefile

@@ -1,7 +1,10 @@
-all : gpgsm-params cert.der cert.pem cert.openssl-text key-cert.p12
+all : key.enc.pem gpgsm-params cert.der cert.pem cert.openssl-text
 
-subject-keygrip.hex :
-	openssl genrsa 2048 \
+key.enc.pem :
+	openssl genrsa -out "$@" -aes256 2048
+
+subject-keygrip.hex : key.enc.pem
+	openssl rsa -in "$<" \
 		| openssl pkcs12 -export -nocerts -passout pass: \
 		| gpgsm --import 2>&1 \
 		| grep -Po 'keygrip=\s*\K.*' | sed 's/ //g' >$@
@@ -10,7 +13,7 @@ gpgsm-params : gpgsm-params-template subject-keygrip.hex issuer-keygrip.hex expi
 	./prepare-gpgsm-params --template gpgsm-params-template \
 		--subject-keygrip "$(shell cat subject-keygrip.hex)" \
 		--issuer-keygrip "$(shell cat issuer-keygrip.hex)" \
-		--expiry-datetime "$(shell date --date="$(shell cat expiry-datetime)")" \
+		--expiry-datetime "$(shell date --iso-8601=seconds --date="$(shell cat expiry-datetime)")" \
 		> $@
 
 cert.der : gpgsm-params
@@ -22,14 +25,10 @@ cert.pem : cert.der
 cert.openssl-text : cert.pem
 	openssl x509 -in $^ -text -noout > $@
 
-key-cert.p12 : cert.der subject-keygrip.hex
-	gpgsm --import cert.der
-	gpgsm --out $@ --export-secret-key-p12 '&$(shell cat subject-keygrip.hex)'
-
 clean :
+	-shred key.enc.pem && rm key.enc.pem
 	-trash subject-keygrip.hex
 	-trash gpgsm-params
 	-trash cert.der
 	-trash cert.pem
 	-trash cert.openssl-text
-	-shred key-cert.p12 && rm key-cert.p12

expiry-datetime

@@ -1 +1 @@
-+1 month
++1 year

gpgsm-params-template

@@ -3,7 +3,8 @@ Key-Type: RSA
 Key-Grip: {subject-keygrip}
 Key-Usage: sign
 Serial: random
-Name-DN: CN=test client,C=AT
+Name-DN: CN=example.hammerle.me,C=AT
+Name-DNS: example.hammerle.me
 Hash-Algo: SHA256
 Issuer-DN: CN=Fabian Peter Hammerle,C=AT
 Not-After: {not-after}
@@ -14,11 +15,11 @@ Authority-Key-Id: {issuer-keygrip}
 #   CA:FALSE
 Extension: 2.5.29.19 c 3003010100
 # X509v3 Extended Key Usage:
-#   TLS Web Client Authentication
-Extension: 2.5.29.37 n 300A06082B06010505070302
+#   TLS Web Server Authentication, TLS Web Client Authentication
+Extension: 2.5.29.37 n 301406082B0601050507030106082B06010505070302
 # Netscape Cert Type:
-#   SSL Client
-Extension: 2.16.840.1.113730.1.1 n 03020780
+#   SSL Client, SSL Server
+Extension: 2.16.840.1.113730.1.1 n 030206C0
 # Netscape Comment:
-#   client authentication only
-Extension: 2.16.840.1.113730.1.13 n 161A636C69656E742061757468656E7469636174696F6E206F6E6C79
+#   for demonstration purposes only
+Extension: 2.16.840.1.113730.1.13 n 161F666F722064656D6F6E7374726174696F6E20707572706F736573206F6E6C79