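# ---------------------------------------------------------------------------
# Certificate WITH a passphrase (CA key and client key are stored encrypted).
# Run as root from /root; SSLDIR must equal the "dir" entry in openssl.cnf.
# Result: /etc/openvpn/vpn.key, vpn1.pem, cacert.pem and dh1024.pem.
# ---------------------------------------------------------------------------
mkdir ovpnCA
export SSLDIR=/root/ovpnCA
vi /etc/pki/tls/openssl.cnf   # change to: dir = /root/ovpnCA
# "openssl ca" needs this directory layout, a serial counter and an
# (initially empty) database file.
mkdir "${SSLDIR}/certs"
mkdir "${SSLDIR}/crl"
mkdir "${SSLDIR}/newcerts"
mkdir "${SSLDIR}/private"
echo "01" > "${SSLDIR}/serial"
touch "${SSLDIR}/index.txt"
# Self-signed CA certificate, valid 10 years; the CA key gets a passphrase.
openssl req -new -x509 -keyout "${SSLDIR}/private/cakey.pem" -out "${SSLDIR}/private/cacert.pem" -config /etc/pki/tls/openssl.cnf -days 3650
# Request + key for the VPN endpoint (cert1.key is passphrase-protected too).
openssl req -new -keyout cert1.key -out cert1.pem -config /etc/pki/tls/openssl.cnf
# The config looks for the CA certificate as $dir/cacert.pem, so link it
# there; ca.key is only a convenience link.
cd ovpnCA/
ln -s private/cakey.pem ca.key
ln -s private/cacert.pem cacert.pem
cd ..
# Sign the request; the issued certificate is written to
# ${SSLDIR}/newcerts/01.pem (first entry of the serial counter).
openssl ca -policy policy_anything -config /etc/pki/tls/openssl.cnf -infiles cert1.pem
# Diffie-Hellman parameters. 1024-bit DH is weak by current standards and
# many current OpenSSL builds refuse it at their default security level;
# 2048 or more is the usual size today (change the file name and the server
# config together if you raise it).
openssl dhparam -out dh1024.pem 1024
# Install into /etc/openvpn. After "cd .." the issued certificate and the CA
# certificate are under ${SSLDIR}, not in the current directory, so the
# absolute paths are required here.
cp cert1.key /etc/openvpn/vpn.key
cp "${SSLDIR}/newcerts/01.pem" /etc/openvpn/vpn1.pem
cp "${SSLDIR}/private/cacert.pem" /etc/openvpn/
cp dh1024.pem /etc/openvpn/

# ---------------------------------------------------------------------------
# Certificate WITHOUT a passphrase (-nodes: keys are written unencrypted).
# ---------------------------------------------------------------------------
mkdir demoCA
cd demoCA
mkdir certs
mkdir crl
mkdir newcerts
mkdir private
# NOTE(review): the serial goes to /etc/ssl/demoCA/serial, which is the
# directory created above only when this is run from /etc/ssl -- confirm;
# otherwise write it to ./serial.
echo 01 >/etc/ssl/demoCA/serial
# "openssl ca" refuses to sign without its database file.
touch index.txt
# 1) The certification authority certificate.
openssl req -new -x509 -nodes -out cacert.pem -keyout cakey.pem -days 1098
mv cakey.pem private/
# Important: enter a Common Name.
# -nodes leaves cakey.pem unencrypted: keep it readable by root only.
# The CA certificate now exists; what remains is to sign third-party
# certificates, or to create certificates ourselves, sign them and install
# them on the clients. Whoever already has a certificate skips the creation
# step and only needs the signing step.
openssl req -new -nodes -out nepodepsany.pem -keyout klient_klic.pem -days 1098
# Now sign it.
# NOTE(review): with the stock openssl.cnf (dir = ./demoCA) this must run
# from the parent of demoCA, not from inside it -- confirm against the
# config in use.
openssl ca -in nepodepsany.pem -out podepsany.pem
# nepodepsany.pem can safely be deleted. The .pem extension is not
# significant; .crt or .key work just as well (as other howtos show, use
# .key for keys).
# Deliver the signed certificate (together with its key) to the client over
# a confidential channel, unless the client has its own certificate. Also
# send the CA certificate (cacert.pem).
mv cacert.pem cacert_.pem
# Same 1024-bit caveat as above applies to these DH parameters.
openssl dhparam -out dh1024.pem 1024
mv dh1024.pem dh1024_.pem
mv podepsany.pem cert1_.pem
mv klient_klic.pem cert1_.key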