Scripts+Configs/OpenSSL/Linux/openssl.cnf

#

             ##::[[---  Linux OpenSSL Config  ---]]::##

#====================================================================
                       ##----- Notes -----##
#====================================================================

  # All commands required can be found beginning on line 430

  # Windows users: https://github.com/JW0914/Wikis/blob/master/Scripts+Configs/OpenSSL/openssl.cnf


  # Sophos users:

    # If not using SANs, prior to generating user certs, ensure 'x509_extensions = usr_cert_not_dn'
      # This results with 'RFC822 Name = user@email.com' in the SubjectAlternativeName of the certificate.
        # Without this, it will be impossible to authenticate to VPNs on Sophos.

    # Intermediate CAs & Intermediate CA client certs CANNOT be utilized on Sophos UTM due to how Sophos authenticates.
      # Only exception is the WebAdmin certificate, which can be signed by a Public ICA authority for a FQDN.
        # For chain of trust to be maintained, CA & ICA must be installed on devices accessing the WebAdmin/User Portal.


#====================================================================
             ##----- Establish Build Variables -----##
#====================================================================

dir                             = /etc/ssl
cnf                             = /etc/ssl/openssl.cnf
CNF                             = $dir/openssl.cnf


#====================================================================
           ##----- Establish CA Profile and Policy -----##
#====================================================================

[ default ]
UTM                             = "Sophos UTM CA"
WRT                             = "Router 2 ICA"
VPN                             = "Router 2 VPN ICA"

[ ca ]
default_ca                      = CA_default


#====================================================================

[ CA_default ]
certs                           = $dir
new_certs_dir                   = $dir

database                        = $dir/index
RANDFILE                        = $dir/rand
serial                          = $dir/serial

crldir                          = $dir/crl
crlnumber                       = $crldir/crlnumber
crl                             = $crldir/ca.crl.pem
default_crl_days                = 3650

certificate                     = "$dir/ca/$UTM.crt.pem"
private_key                     = "$dir/ca/$UTM.key.pem"

default_days                    = 3650
preserve                        = no
default_md                      = sha512

x509_extensions                 = usr_cert_not_dn
copy_extensions                 = copy
unique_subject                  = yes

policy                          = policy_match
name_opt                        = esc_2253,esc_ctrl,esc_msb,sep_comma_plus_space,ignore_type
cert_opt                        = ca_default


#====================================================================

[ policy_match ]
countryName                     = match
stateOrProvinceName             = match
organizationName                = match
organizationalUnitName          = match
commonName                      = supplied
emailAddress                    = optional

[ policy_supply ]
countryName                     = match
stateOrProvinceName             = match
organizationName                = match
organizationalUnitName          = match
commonName                      = optional
emailAddress                    = optional


#====================================================================
            ##----- Establish Certificate Options -----#
#--------------------------------------------------------------------

    # x64 machines always process SHA512 faster than SHA256.

    # 'encrypt_key = yes' is not currently commented out.
      # When creating a key for a server, add '-nodes' to the Request command.


[ req ]
default_bits                    = 2048
default_keyfile                 = private.key.pem

preserve                        = no
default_md                      = sha512

string_mask                     = utf8only
utf8                            = yes
distinguished_name              = req_distinguished_name
attributes                      = req_attributes
req_extensions                  = v3_req
x509_extensions                 = v3_ca
copy_extensions                 = copy
encrypt_key                     = yes

[ req_attributes ]
challengePassword               =
challengePassword_min           = 12
challengePassword_max           = 40


#====================================================================

[ req_distinguished_name ]

countryName                     = Country
countryName_max                 = 2
stateOrProvinceName             = State
localityName                    = Locality
0.organizationName              = Organization
organizationalUnitName          = Organizational Unit
commonName                      = Common Name
commonName_max                  = 64
emailAddres                     = Email
emailAddress_max                = 64

countryName_default             = xx
stateOrProvinceName_default     = State
localityName_default            = Locality
0.organizationName_default      = Sophos UTM
organizationalUnitName_default  = LAN


#====================================================================
      ##----- Establish SubjectAltName (SAN) Profiles -----##
#====================================================================

  # All server certs with WebUIs should have their loopback IP specified in their SAN profile.
    # This prevents certificate errors if connecting to the device, router, or server via an SSH tunnel.
      # Certain OS CA certs must have the loopback IP specified in SAN profile (i.e. Sophos UTM's CA).

  # Provided SAN profiles are utilized, Common Names can be whatever one wishes (i.e. not the DNS or IP)
    # SANs can be: 'email' (email address), 'URI' (Uniform Resource Indicator), 'DNS' (DNS domain name),
    # 'RID' (Registered ID: OBJECT IDENTIFIER), 'IP' (IP address), 'dirName' (Distinguished Name), and 'otherName'.


#--------------------------------------------------------------------
               ##----- Certificate Authorities -----##
#--------------------------------------------------------------------

# Main #
  [ alt_ca_main ]
  DNS.1                 = Router.1
  IP.1                  = 127.0.0.1

# Router 2 #
  [ alt_ica_router2 ]
  DNS.1                 = Router.2
  IP.1                  = 127.0.0.1

# Code Signing #
  [ alt_signing_ica ]
  DNS.1                 = Code-Signing

#--------------------------------------------------------------------
            ##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Main #

  # Servers #
    [ alt_sophos ]
    IP.1                = 192.168.2.1
    IP.2                = 127.0.0.1
    DNS.1               = UTM.WRT
    DNS.2               = your.ddns.com

    [ alt_truenas ]
    IP.1                = 192.168.2.13
    IP.2                = 192.168.2.130
    IP.3                = 127.0.0.1
    DNS.1               = TrueNAS.WRT
    DNS.2               = your-fqdn.com

    [ alt_vpn_server1 ]
    IP.1                = 10.0.0.1
    DNS.1               = your.ddns.com

  # Clients #
    [ alt_vpn1_user1 ]
    email.1             = user@email.com
    DNS.1               = VPN1-Client1-Device1
    DNS.2               = VPN1-Client1-Device2


#--------------------------------------------------------------------
     ##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Router 2 #

  # Servers #
    [ alt_openwrt ]
    IP.1                = 192.168.2.2
    IP.2                = 127.0.0.1
    DNS.1               = LAN.WRT

    [ alt_vpn_server2 ]
    IP.1                = 10.0.1.1
    DNS.1               = your.ddns.com

  # Clients #
    [ alt_vpn2_user1 ]
    DNS.1               = VPN2-Client1-Device1
    email.1             = user@email.com

    [ alt_vpn2_user2 ]
    DNS.1               = VPN2-Client2-Device1
    DNS.2               = VPN2-Client2-Device2
    email.1             = user@email.com


# Code Signing #

  # Cert1 #
    [ alt_codesign ]
    email.1             = user@email.com


#====================================================================
     ##----- Establish Certificate Authority V3 Profiles -----##
#--------------------------------------------------------------------

  # These V3 CA profiles must not be modified to contain any more, or any less, KUs.

  # These have been configured specifically for security & its imperative no other keyUsages are set
    # For an ICA to be capable of signing CAs/ICAs, 'pathlen' number must mirror number of CAs/ICAs it can sign

  # By default, all ICAs 'pathlen' values are set to 0, meaning they can sign certs, but not other CAs/ICAs.
    # If 'pathlen' is not specified, CA/ICA can sign an infinite number of other CAs/ICAs.


[ v3_ca ]
basicConstraints            = critical, CA:TRUE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = @alt_ca_main
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign

[ v3_ica_router2 ]
basicConstraints            = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = @alt_ica_router2
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign

[ v3_signing_ica ]
basicConstraints            = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign
subjectAltName              = @alt_signing_ica

[ crl_ext ]
issuerAltName               = issuer:copy
authorityKeyIdentifier      = keyid:always, issuer:always


#====================================================================
    ##----- Establish Generalized V3 Certificate Profiles -----##
#--------------------------------------------------------------------

[ v3_req ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash

[ usr_cert_dn ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage            = critical, clientAuth, emailProtection

[ usr_cert_not_dn ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = email:copy
keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage            = critical, clientAuth, emailProtection


#====================================================================
      ##----- Establish Client Certificate V3 Profiles -----##
#--------------------------------------------------------------------

  # These V3 profiles should not be modified to contain less than what they are currently configured with.
    # These have been specifically configured with security in mind.

  # All servers capable of TLS should contain all keyUsages, except for 'dataEncipherment'
    # VPN and file servers should not have less than: 'digitalSignature, keyEncipherment, keyAgreement'

  # All servers must contain EKU 'serverAuth'
    # All server [VPN] clients must contain EKU 'clientAuth'


#--------------------------------------------------------------------
            ##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Main #

  # Servers #
    [ v3_sophos ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_sophos

    [ v3_truenas ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_truenas

    [ v3_vpn_server1 ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_vpn_server1

  # Clients #
    [ v3_vpn1_user1 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_vpn1_user1


#--------------------------------------------------------------------
      ##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Router 2 #

  # Servers #
    [ v3_openwrt ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_openwrt

    [ v3_vpn_server2 ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_vpn_server2

  # Clients #
    [ v3_vpn2_user1 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_vpn2_user1

    [ v3_vpn2_user2 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_vpn2_user2


# Code Signing #

  # Certificates #
    [ v3_codesign ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature
    extendedKeyUsage            = critical, codeSigning, msCodeInd, msCodeCom, msCTLSign, timeStamping
    subjectAltName              = @alt_codesign


#====================================================================
#--------------------------------------------------------------------
                  ##----- OpenSSL Commands -----##
#--------------------------------------------------------------------
#====================================================================

  # Prerequisistes:

    # Create "serial" file:
      ## echo 00 > serial
         # This file maintains the serial for the most recent cert, in order to know what serial to next assign.
         # Serial is in hex, not dec[imal] format, & one can choose whichever number one wishes to start at.

    # Create "crlnumber" file:
      ## mkdir crl && echo 01 > crl\crlnumber
         # This file maintains the current serial for the CRL [Certificate Revocation List] certificate
         # A CRL should be generated, but will not be used until one revokes a certificate via one's CA or ICA

    # Create "index" file (leave blank):
      ## echo > index
         # This file maintains an index of all certificates issued and is covered under the Index Section below
         # Maintains a record of all certs issued, and is extremely important if one has revoked a certificate.

    # Create "rand" file (leave blank):
      ## echo > rand
         # File is utilized by for random characters & is querried by openssl during certificate/key creation.


  # 'encrypt_key = yes' [Establish Certificate Options] is not currently commented out
    # Server keys must not be created with encryption, adding this additional command option to key creation: -nodes

      # Encrypting a server key will result in the server requiring the key passphrase every time it's started/restarted;
      # in other words, a massive inconvenience, and potentially destrimental.


  # Provided you utilize the SubjectAltName (SAN) section [highly recommended], the Common Name [CN] can be
  # whatever name you want it to be, and is not required to be the IP/DNS/FQDN.


#====================================================================
#--------------------------------------------------------------------
#====================================================================

  # For VPN Server certs:
    # When creating a VPN server cert using 'extendedKeyUsage = serverAuth', in your VPN client config you must
    # change "remote-cert-tls server" to "remote-cert-eku 'TLS Web Server Authentication'" ( see https://www.v13.gr/blog/?p=386 )

  # For BSD/*nix OSes:
    # Certificates should have 644 permissions
      ## chmod 644 ./certificate.crt.pem

    # Keys must have 600 or 400 permissions
      ## chmod 600 ./certificate.key


#--------------------------------------------------------------------
               ## ----- Certificate Authority ----- ##
#--------------------------------------------------------------------

  # Generate CA:

      # CA key should have a secure passphrase of at least 20 characters, containing at least:
        # 2 uppercase letters, 2 lowercase letters, 2 numbers, and 2 symbols


    # Request:
      ## openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout CA.key.pem -out CA.crt.pem -config .\openssl.cnf -extensions v3_ca

    # Generate CA CRL Cert:
      ## openssl ca -gencrl -keyfile CA.key.pem -cert CA.crt.pem -out CA.crl.pem -config .\openssl.cnf

    # Convert CA CRL Cert to DER CRL:
      ## openssl crl -inform PEM -in '.\CA.crl.pem' -outform DER -out '.\CA.crl'


#--------------------------------------------------------------------
        ## ----- Intermediate Certificate Authority ----- ##
#--------------------------------------------------------------------

  # Gernerate Intermediate CA:

    # Intermediate CA key should have a secure passphrase of at least 20 characters, containing at least:
      # 2 uppercase letters, 2 lowercase letters, 2 numbers, and 2 symbols


    # Request:
      ## openssl req -out '.\ICA.csr' -new -days 3650 -sha512 -newkey rsa:4096 -keyout ICA.key -config .\openssl.cnf -extensions v3_intermediate_ca

    # Sign Intermediate CA with CA:
      ## openssl x509 -req -sha512 -days 3650 -in '.\ICA.csr' -CA CA.crt.pem -CAkey CA.key -CAserial .\serial -out ICA.crt.pem -extfile .\openssl.cnf -extensions v3_intermediate_ca

    # Generate Intermediate CA CRL Cert:
      ## openssl ca -config .\openssl.cnf -gencrl -keyfile ICA.key -cert ICA.crt.pem -out '.\ICA.crl.pem'

    # Convert Intermediate CA CRL Cert to DER CRL:
      ## openssl crl -inform PEM -in '.\ICA.crl.pem' -outform DER -out '.\ICA.crl'

#--------------------------------------------------------------------

  # Create Concatenated CA - Intermediate CA Certificate Chain:

    # Windows:
      ## cmd /c type '.\ICA.crt.pem' '.\CA.crt.pem' > '.\CA-ICA-Chain.pem'

    # Linux/BSD:
      ## cat './ICA.crt.pem' './CA.crt.pem' > './CA-ICA-Chain.pem'

#--------------------------------------------------------------------

  # Export VPN Client with an Intermediate CA:
    ## openssl pkcs12 -export -out '.\user1.p12' -inkey '.\user1.key.pem' -in '.\user1.crt.pem' -certfile '.\CA-ICA-Chain.crt.pem'

    # The Intermediate CA is still used to sign the certs it issues, however, the CA - Intermediate CA chain cert must
    # be exported with the client cert & key to maintain the chain of trust of: Certificate -> Intermediate CA -> CA
      # The certificate path of the client cert should show a hierarchy of: CA -> Intermediate CA -> Client


#--------------------------------------------------------------------
                ## ----- Client Certificate ----- ##
#--------------------------------------------------------------------

    # For Server certs, add to the end of the Request command:  -nodes
      # If a server cert is created with an encrypted key, one will need to manually type in the encryption passphrase
      # whenever starting or restarting the server (inconvenient and impractical for VPN and Web Servers).


  # Request:
    ## openssl req -out '.\user1.csr' -new -days 3650 -sha512 -newkey rsa:2048 -keyout '.\user1.key.pem' -config .\openssl.cnf -extensions v3_vpn1_user1

    # With multiple common names:
      ## openssl req -out '.\user1.csr' -new -days 3650 -sha512 -newkey rsa:2048 \
      ##   -subj '/C=US/ST=ST/L=Locality/O=Sophos UTM/OU=LAN/CN=UserName/CN=User.Name/CN=User_Name/emailAddress=name@email.com' \
      ##   -keyout '.\user1.key.pem' -config .\openssl.cnf -extensions v3_vpn1_user1

  # Sign:
    # openssl x509 -req -sha512 -days 3650 -in '.\user1.csr' -CA '.\CA-ICA.crt.pem' -CAkey '.\CA-ICA.key.pem' -CAserial .\serial -out '.\crt\user1.crt.pem' -extfile .\openssl.cnf -extensions v3_vpn1_user1

  # Export:
    # openssl pkcs12 -export -out '.\user1.p12' -inkey '.\user1.key.pem' -in '.\user1.crt.pem' -certfile CA-ICA.crt.pem


#--------------------------------------------------------------------
            ## ----- Verification of Certificates ----- ##
#--------------------------------------------------------------------

  # Verify Certificate Signing Request (CSR):
    ## openssl req -text -noout -verify -in certificate.csr

  # Verify Private Key:
    ## openssl rsa -check -in certificate.key

  # Verify Certificate:
    ## openssl x509 -text -noout -in certificate.crt

  # Verify PKCS12 Certificate [.pfx/.p12]:
    ## openssl pkcs12 -info -in certificate.p12


#--------------------------------------------------------------------
    ## ----- Intermediate CA Android Build Certificates ----- ##
#--------------------------------------------------------------------

    # This will apply to the following six certificates: 'media', 'platform', 'releasekeys', 'shared', 'superuser', 'testkey'
      # The following steps will need to be repeated for each of the six


  # Generate Individual intermediate Build CA Request:
    ## openssl req -out '.\media.csr' -new -days 3650 -sha512 -config .\openssl.cnf -extensions v3_intermediate_ca -newkey rsa:4096f4 -ouform PEM -keyout '.\media.key.pem'

  # Convert PEM key to PK8:
    ## openssl pkcs8 -in media.key.pem -topk8 -outform DER -out media.pk8 -nocrypt

  # Sign Individual intermediate Build CA Request:
    ## openssl x509 -req -sha512 -days 3650 -in '.\media.csr' -CA CA.crt.pem -CAkey CA.key -CAserial .\serial -out '.\media.x509.pem' -extfile .\openssl.cnf -extensions v3_intermediate_ca

  # Generate Individual intermediate Build CA CRL Cert:
    ## openssl ca -config .\openssl.cnf -gencrl -keyfile '.\media.key.pem' -cert '.\media.x509.pem' -out '.\media.crl.pem' -extfile '.\openssl.cnf' -extensions crl_ext

  # Convert Individual intermediate Build CA CRL Cert to DER crl:
    ## openssl crl -inform PEM -in '.\media.crl.pem' -outform DER -out '.\media.crl'

#--------------------------------------------------------------------

  # Concatenated Intermediate Build CA - CA PEM Certificate:

    # Windows:
      ## cmd /c type 'media.x509.pem' 'CA.crt.pem' > 'Media-CA-Chain.pem'

    # Linux/BSD:
      ## cat './media.x509.pem' './CA.crt.pem' > './Media-CA-Chain.pem'

#--------------------------------------------------------------------

  # Create PKCS12 for Import into Keystore:
    ## openssl pkcs12 -export -out .\media.p12 -inkey .\media.key.pem -in .\media.x509.pem  -certfile '.\Media-CA-Chain.pem' -password pass:media -name media

    # The Intermediate CA is still used to sign packages/images, however, the CA - Intermediate CA chain cert
    # must be exported with the client cert & key to maintain the certificate chain of trust of: Package/Image -> Intermediate CA -> CA

      # Copy the following files into your build directory (location will vary depending on ROM):

        # For each of the six: *.x509.pem, *.pk8, Android-*-CA-Chain.pem, *.p12
          # i.e. "media.x509.pem", "media.pk8", "Android-Media-CA-Chain.pem", "media.p12"


    # One example of how to import into keystore prior to build:
      # Source: https://stackoverflow.com/questions/22212869/how-can-i-generate-an-android-keystore-from-a-key-pk8-and-certificate-pem

        ## keytool -importkeystore -deststorepass password -destkeystore .keystore -srckeystore media.p12 -srcstoretype PKCS12 -srcstorepass media
        ## keytool -list -v -keystore .keystore


#====================================================================
                      ##---- Index File -----##
#--------------------------------------------------------------------

  # If you wish to maintain the index file automatically, you'll need to use 'openssl ca' to sign certs.
  # You can manually maintain the index file, by inputting 1 cert entry per line in the following format:

    # V   261231235959Z         0a  unknown   /C=US/ST=State/L=Locality/O=Org/OU=Unit/CN=Common Name/emailaddress=e@mail.com
    # 1   2----------->   3->   4>  5----->   6---------------------------------------------------------------------------->


      # 1. Status of Certificate:
           # 'V' [Valid] 'R' [Revoked] 'E' [Expired]

      # 2. Expiration Date:
           # Format: YYMMDDHHMMSS followed by 'Z': 2026.12.31 @ 23:59:59

      # 3. Revocation Date [Format: 'YYMMDDHHMMSSZ,reason']
           # Certain distros error out without a whitespace for 3 in the index file
           # Empty if not revoked, otherwise valid reasons are:
             # 'keyCompromise'
             # 'CACompromise'
             # 'affiliationChanged'
             # 'superseded'
             # 'cessationOfOperation'
             # 'certificateHold'
             # 'privilegeWithdrawn'
             # 'AACompromise'

      # 4. Serial number in hex format: '0a' is hex for 10

           # Windows:
             # Calculator has programmer feature which converts dec <-> hex

           # Linux/BSD:
             # cli hex -> dec [returns 10]:
               ## printf '%d\n' 0x0a

             # cli dec -> hex [returns 0a]:
               ## printf '%x\n' 10

      # 5. Certificate Filename or Literal String
           # Certificate filename or literal string 'unknown'

      # 6. Distinguished Name


#====================================================================
                      ##----- Key Usage -----##
#--------------------------------------------------------------------

    # !!!  CA / ICA ONLY  !!! #
#--------------------------------------------------------------------

  # These extensions MUST ONLY be used for CA / ICA certificates

    # 'cRLSign':
      # Is asserted when subject public key is used for verifying signatures on certificate revocation lists.

    # 'keyCertSign':
      # Is asserted when subject public key is used for verifying signatures on public key certificates.
        # If 'keyCertSign' is asserted, the CA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted.


    # All #
#--------------------------------------------------------------------

  # 'digitalSignature':
    # Certificates with this flag set can be used to apply a digital signature. Digital signatures are often used for entity
    # authentication and data origin authentication with integrity.
      # Is asserted when subject public key is used for verifying digital signatures, other than signatures on certificates
      # (bit 5) and CRLs (bit 6).

  # 'nonRepudiation':
    # Certificates with this flag set can be used to sign data as above but the certificate public key may be used to provide
    # non-repudiation services preventing the signing entity from falsely denying some action.
      # Is asserted when subject public key is used to verify digital signatures, other than signatures on certificates (bit 5)
      # and CRLs (bit 6).
        # NOTE: Recent editions of X.509 have renamed the 'nonRepudiation' bit to 'contentCommitment'.

  # 'keyEncipherment':
    # Certificates with this flag set may be used by the subject to encrypt a symmetric key which is then transferred to the
    # target, decrypted, and subsequently used to encrypt and decrypt data sent between the two entities.
      # Is asserted when subject public key is used for enciphering private or secret keys when an RSA public key is to be
      # used for encrypting a symmetric content-decryption key or an asymmetric private key.

  # 'dataEncipherment':
    # Certificates with this flag set can be used by the subject to encrypt and decrypt actual application data.
      # Is asserted when subject public key is used for directly enciphering raw user data without the use of an intermediate
      # symmetric cipher.
        # NOTE: Use of this bit extremely uncommon; all applications use key transport / key agreement to establish a symmetric key.

  # 'keyAgreement':
    # Certificates with this flag set enable the subject to use a key agreement protocol, such as Diffie-Hellman, to establish
    # a symmetric key with a target that may then be used to encrypt and decrypt data sent between the two entities
      # Is asserted when subject public key is used for key agreement (i.e. when a Diffie-Hellman key is used for key management).

  # 'encipherOnly':
    # Undefined in the absence of the 'keyAgreement' bit (KU 'keyAgreement' is required).
      # Public key used only for enciphering data while performing key agreement.
        # When 'encipherOnly' is asserted AND 'keyAgreement' also set, subject public key may be used ONLY for enciphering data while
        # performing key agreement.

  # 'decipherOnly':
    # Undefined in the absence of the 'keyAgreement' bit (KU 'keyAgreement' is required).
      # Public key used only for deciphering data while performing key agreement.
        # When 'decipherOnly' is asserted AND 'keyAgreement' is also set, subject public key may be used ONLY for deciphering data
        # while performing key agreement.


#--------------------------------------------------------------------
                  ##----- RFC 5280 4.2.1.3 -----##
#--------------------------------------------------------------------

    # https://tools.ietf.org/html/rfc5280

  # id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

    # KeyUsage ::= BIT STRING {
      # digitalSignature        (0),

      # nonRepudiation          (1),
        # NOTE: Recent editions of X.509 have renamed this bit to contentCommitment

      # keyEncipherment         (2),
      # dataEncipherment        (3),
      # keyAgreement            (4),
      # keyCertSign             (5),
      # cRLSign                 (6),
      # encipherOnly            (7),
      # decipherOnly            (8) }


#====================================================================
                  ##----- Extended Key Usage -----##
#--------------------------------------------------------------------

  # 'serverAuth':
    # KU Required: digitalSignature, keyEncipherment or keyAgreement
      # All VPN servers should be signed with this EKU present
        # SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against
        # This supersedes nscertype options (ns in nscertype stands for NetScape [browser])

  # 'clientAuth':
    # KU Required: digitalSignature and/or keyAgreement
      # All VPN clients must be signed with this EKU present
        # SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only

  # 'codeSigning':
    # KU Required: digitalSignature, nonRepudiation, and/or  keyEncipherment or keyAgreement
      # Code Signing... self explanatory

  # 'emailProtection':
    # KU Required: digitalSignature, keyEncipherment or keyAgreement
      # Email Protection via S/MIME, allows you to send and receive encrypted emails

  # 'timeStamping':
    # KU Required: digitalSignature, nonRepudiation
      # Trusted Timestamping... self explanatory

  # 'OCSPSigning':
    # KU Required: digitalSignature, nonRepudiation
      # OCSP Signing... self explanatory

  # 'msCodeInd':
    # KU Required: digitalSignature, keyEncipherment or keyAgreement
      # Microsoft Individual Code Signing (authenticode)... self explanatory

  # 'msCodeCom'
    # KU Required: digitalSignature, keyEncipherment or keyAgreement
      # Microsoft Commerical Code Signing (authenticode)... self explanatory

  # 'mcCTLSign':
    # KU Required: digitalSignature, nonRepudiation
      # Microsoft Trust List Signing... self explanatory

  # 'msEFS':
    # KU Required: digitalSignature, keyEncipherment or keyAgreement
      # Microsoft Encrypted File System... self explanatory


  # !!! SHOULD NOT BE UTILIZED !!!

    # 'ipsecEndSystem', 'ipsecTunnel', 'ipsecUser'
      # Assigned in 1999, the semantics of these values were never clearly defined
      # RFC 4945: The use of these three EKU values is obsolete and explicitly deprecated by this specification [5.1.3.12]

    # 'ipsecIKE'
      # IPSec Internet Key Exchange
        # I believe this is in the same boat as the three above
        # Research needs to be performed to determine if this EKU should also no longer be utilized
      # 'clientAuth' can be utilized in an IPSec VPN client cert


#--------------------------------------------------------------------
                 ##----- RFC 5280 4.2.1.12 -----##
#--------------------------------------------------------------------

  # See: https://tools.ietf.org/html/rfc5280

  # anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

    # id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }

      # id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
        # TLS WWW server authentication:
          # Key usage bits that may be consistent:
            # digitalSignature, keyEncipherment or keyAgreement

      # id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
        # TLS WWW client authentication:
          # Key usage bits that may be consistent:
            # digitalSignature and/or keyAgreement

      # id-kp-codeSigning             OBJECT IDENTIFIER ::= { id-kp 3 }
        # Signing of downloadable executable code
          # Key usage bits that may be consistent:
            # digitalSignature

      # id-kp-emailProtection         OBJECT IDENTIFIER ::= { id-kp 4 }
        # Email protection:
          # Key usage bits that may be consistent:
            # digitalSignature, nonRepudiation, and/or (keyEncipherment or keyAgreement)

      # id-kp-timeStamping            OBJECT IDENTIFIER ::= { id-kp 8 }
        # Binding the hash of an object to a time
          # Key usage bits that may be consistent:
            # digitalSignature and/or nonRepudiation

      # id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
        # Signing OCSP responses:
          # Key usage bits that may be consistent:
            # digitalSignature and/or nonRepudiation


#====================================================================
              ##----- Key Exchange Algorithms  -----##
#--------------------------------------------------------------------

  # RSA:
    # Key exchange occurs via encryption of a random value, chosen by the client, via the server public key.
      # Server public key must be an RSA key
      # Server certificate must utilize KU keyAgreement

  # DH_RSA:
    # Key exchange occurs via a static Diffie-Hellman key.
      # Server Public Key must be a Diffie-Hellman key
      # Diffie-Hellman key must have been issued by a CA
      # CA must be using an RSA key signing key

  # DH_DSA:
    # Like DH_RSA, except that the CA used a DSA key in lieu of RSA.

  # DHE_RSA:
    # Key exchange occurs via an ephemeral Diffie-Hellman
      # Server dynamically generates & signs a DH public key, sending it to the client.
      # Server Public Key must be an RSA key
      # Server certificate must utilize KU digitalSignature

  # DHE_DSA:
    # Like DHE_RSA, except that the CA used a DSA key in lieu of RSA.


#====================================================================
        ##----- Elliptic-Curve Key Exchange Algorithms -----##
#--------------------------------------------------------------------

  # ECDH_ECDSA:
    # Like DH_DSA, but with elliptic curves
      # Server public key must be an ECDH key
      # Server certificate must be issued by a CA utilizing an ECDSA public key

  # ECDH_RSA:
    # Like ECDH_ECDSA, except that the CA used an RSA key

  # ECDHE_ECDSA:
    # Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key
      # Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature

  # ECDHE_RSA:
    # Like ECDHE_ECDSA, except Server public key is an RSA key
      # Server public key signs the ephemeral EC Diffie-Hellman key

#--------------------------------------------------------------------
#====================================================================