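#!/usr/bin/env bash
# Runbook: mTLS for the Flask app behind nginx, with an optional HSM-backed
# (PKCS#11) server key. Run it section by section - the MANUAL steps need
# editing in between, so it is not meant to execute top to bottom.
#
# Review notes folded in:
#   * --cacert together with -k is meaningless: -k disables server verification,
#     so the original "wrong client" test proved nothing about the server. The
#     server cert now carries SANs (localhost, 127.0.0.1) so -k is dropped.
#   * Leaf certs get basicConstraints=CA:FALSE, a key usage and an EKU. Without
#     an extfile, `openssl x509 -req` emits an extension-less (v1) cert that has
#     no SAN for hostname checking and that lenient validators may treat as an
#     issuing CA.
#   * Only the server cert/key and the CA *public* cert are deployed to nginx;
#     ca.key and the client keys never leave the key directory.
#   * SELinux stays enforcing; pcscd access is granted to the nginx user only.

umask 077   # every key/cert written below starts out 0600; deploy perms are set with install(1)

SUBJ_BASE="/C=US/ST=YourState/L=YourCity/O=YourOrg"

########################################
# 1. Private CA (lab use: -nodes leaves ca.key unencrypted)
########################################
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem \
  -subj "${SUBJ_BASE}/CN=YourCA"

########################################
# 2. Server cert (CN=localhost) issued by the CA
########################################
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "${SUBJ_BASE}/CN=localhost"
# Clients match the SAN, not the CN; the IP entry lets https://127.0.0.1 verify too.
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out server.crt -days 365 -sha256 -extfile server.ext

########################################
# 3. Client certs: one issued by the CA (must be accepted),
#    one self-signed (must be rejected)
########################################
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "${SUBJ_BASE}/CN=client"
cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.crt -days 365 -sha256 -extfile client.ext

openssl genrsa -out wrong_client.key 2048
openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"

########################################
# 4. Deploy to nginx (RHEL-family paths)
########################################
# Keep SELinux enforcing: this boolean is all nginx needs to reach the Flask
# upstream. If something is still denied, look at the audit log
#   sudo ausearch -m AVC -ts recent
# instead of turning SELinux off.
sudo setsebool -P httpd_can_network_connect 1

sudo mkdir -p /etc/nginx/certs
# Deploy only what nginx needs (file names assumed to match sections 1-3;
# adjust if /flask/v1/keys uses others). ca.key and client keys stay put.
# The nginx master runs as root and loads the key before forking workers, so
# server.key need not be readable by the nginx user; if your nginx runs fully
# unprivileged use -g nginx -m 0640 for the key instead.
sudo install -o root -g root -m 0644 /flask/v1/keys/ca.pem /flask/v1/keys/server.crt /etc/nginx/certs/
sudo install -o root -g root -m 0600 /flask/v1/keys/server.key /etc/nginx/certs/

########################################
# 5. mTLS smoke tests
#    Assumes nginx has `ssl_verify_client on` with ssl_client_certificate
#    pointing at ca.pem. No -k: the server cert is verified against ca.pem.
########################################
# Expected: handshake rejected - wrong_client.crt was not issued by ca.pem.
if curl -sS --cacert ca.pem --cert wrong_client.crt --key wrong_client.key https://127.0.0.1/ >/dev/null; then
  echo "FAIL: nginx accepted a client cert that ca.pem did not issue (ssl_verify_client not enforced?)" >&2
fi
# Expected: success.
curl --cacert ca.pem --cert client.crt --key client.key https://127.0.0.1/
# Endpoint without the YubiKey verification step.
curl --cacert ca.pem --cert client.crt --key client.key https://127.0.0.1/v/0ty2

########################################
# 6. HSM-backed server key via the OpenSSL pkcs11 engine
########################################
# Chain order is leaf, intermediate, root. This server.crt comes from the
# intermediate CA, not from the lab CA in section 1.
cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
sudo install -o root -g root -m 0644 fullchain.crt /etc/nginx/certs/hsm_chain.crt
sudo install -o root -g root -m 0644 server.crt    /etc/nginx/certs/hsm_server.crt

sudo pkcs11-tool -L      # slots/tokens: note the token label and serial for the pkcs11: URI
openssl version -d       # OPENSSLDIR: where the engine config (openssl.pkcs11.cnf) lives

# MANUAL: in /etc/nginx/nginx.conf point ssl_certificate at hsm_chain.crt and
# ssl_certificate_key at the engine-backed key (see the nginx docs for the
# engine:... form), e.g.
#   ssl_certificate     /etc/nginx/certs/hsm_chain.crt;
#   ssl_certificate_key "engine:pkcs11:pkcs11:token=<label>;object=<key>;pin-value=<pin>";
# A pin-value inside nginx.conf is a secret: keep nginx.conf 0640 root:nginx.

# Hand nginx the engine config through a systemd drop-in rather than editing
# the packaged unit file - the drop-in survives package updates.
sudo mkdir -p /etc/systemd/system/nginx.service.d
sudo tee /etc/systemd/system/nginx.service.d/openssl-pkcs11.conf >/dev/null <<'EOF'
[Service]
Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf"
EOF
sudo systemctl daemon-reload
sudo systemctl restart nginx

# Verify. hsm_chain.crt ends with the root, so it doubles as the trust anchor here;
# -verify_return_error makes s_client fail instead of printing a warning.
openssl s_client -connect localhost:443 -servername localhost -verify_return_error \
  -cert client.crt -key client.key -CAfile /etc/nginx/certs/hsm_chain.crt </dev/null
curl --cert client.crt --key client.key --cacert /etc/nginx/certs/hsm_chain.crt https://localhost:443/
# The token has to be usable as the nginx user, not just as root:
sudo -u nginx pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --list-objects --login
sudo tail -f /var/log/nginx/error.log    # TLS and engine errors land here

########################################
# 7. pcscd access for the nginx user
########################################
# Do NOT flip every <allow_*> in
# /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy to "yes": that grants
# every local user access to the token, and the file is overwritten on package
# update. Grant only the nginx user (confirm the action ids in that .policy file).
sudo tee /etc/polkit-1/rules.d/50-nginx-pcscd.rules >/dev/null <<'EOF'
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
         action.id == "org.debian.pcsc-lite.access_card") &&
        subject.user == "nginx") {
        return polkit.Result.YES;
    }
});
EOF
sudo systemctl restart pcscd
# If nginx still cannot reach pcscd, the `sudo -u nginx pkcs11-tool` check above
# fails and pcscd logs the denial:
sudo journalctl -u pcscd -e
# Background: https://www.redhat.com/en/blog/controlling-access-smart-cards

########################################
# 8. Client auth straight from the token
########################################
# pin-value in argv is visible to every local user via ps and ends up in shell
# history; beyond a one-off test use pin-source=file:... (RFC 7512) if the
# engine supports it, or let it prompt. 123456 is the factory-default PIV PIN -
# change it on a real token.
sudo curl -vvv \
  -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=user2;pin-value=123456' \
  --cacert fullchain2.crt https://p.0nom.ch/c

########################################
# 9. App
########################################
# Flask's dev server is for development only; keep it on loopback behind nginx
# and move to gunicorn for anything real, e.g. (module:app name assumed)
#   gunicorn --bind 127.0.0.1:5000 flask1:app
python3 flask1.py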