# CA Private Key
openssl ecparam -name secp256r1 -genkey  -out ca.key.pem
# Request certificate
openssl req -x509 -new -nodes -key ca.key.pem -subj "/CN=CARoot" -days 3650 -out ca.cert.pem

# Server Private Key
openssl ecparam -name secp256r1 -genkey  -out server.key.pem
# Convert to pkcs8
openssl pkcs8 -topk8 -inform PEM -outform PEM -in server.key.pem -out server.key-pk8.pem -nocrypt
# Request certificate  
openssl req -new -config server.conf -key server.key.pem -out server.csr.pem -sha256
# Sign with CA
openssl x509 -req -in server.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 3650 -extensions v3_ext -extfile server.conf -sha256

# Broker internal client Private Key
openssl ecparam -name secp256r1 -genkey  -out broker_client.key.pem
# Convert to pkcs8
openssl pkcs8 -topk8 -inform PEM -outform PEM -in broker_client.key.pem -out broker_client.key-pk8.pem -nocrypt
# Request certificate
openssl req -new -subj "/CN=broker_client" -key broker_client.key.pem -out broker_client.csr.pem -sha256
# Sign with CA
openssl x509 -req -in broker_client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out broker_client.cert.pem -days 3650 -sha256


# Client Private Key
openssl ecparam -name secp256r1 -genkey  -out client.key.pem
# Convert to pkcs8
openssl pkcs8 -topk8 -inform PEM -outform PEM -in client.key.pem -out client.key-pk8.pem -nocrypt
# Request certificate
openssl req -new -subj "/CN=client" -key client.key.pem -out client.csr.pem -sha256
# Sign with CA
openssl x509 -req -in client.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 3650 -sha256


