I generated the client certificate with the following command:
```
ipsec pki --pub \
--in test.key | \
ipsec pki --issue \
--cacert ../rootca/vpnca/vpnca.crt \
--cakey ../rootca/vpnca/vpnca.key \
--dn "C=CN, O=IKEv2 VPN TEST, CN=Test VPN Client" \
--san my_server_domain.example.org \
--outform pem > test.crt
```
Certificate information:
```
$ openssl x509 -in test.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5911216928624408369 (0x5208dc7a44eef731)
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = Root CA, C = CN, O = IKEv2 VPN TEST
Validity
Not Before: Mar 7 17:04:57 2017 GMT
Not After : Mar 6 17:04:57 2020 GMT
Subject: C = CN, O = IKEv2 VPN TEST, CN = Test VPN Client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (8192 bit)
Modulus:
00:......:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:32:6A:60:CC:11:2E:7C:5F:B7:58:C2:8F:5F:6B:64:CB:69:AB:CD:8E
X509v3 Subject Alternative Name:
DNS:my_server_domain.example.org
Signature Algorithm: sha512WithRSAEncryption
64:......:53
```
The server still does not accept this certificate.