Well after i read your post i tried to sign the client certificates with the ca. I make some changes in the makefile but it think I made something wrong because it doesn't work:
old:
client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf
client.crt: client.csr server.crt server.key index.txt serial openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem
.PHONY: server.vrfy client.vrfy: server.pem client.pem c_rehash . openssl verify -CApath . client.pem
new:
client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf
client.crt: client.csr ca.key ca.pem index.txt serial openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile
At a glance, that should be ca password. Ivan Kalik