Настройка apache & ssl
Меняем кое-что в конфиге openssl для генерации сертификатов:
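#/etc/ssl/openssl.cnf
# CA settings used by the `openssl req` / `openssl ca` steps that follow.
# Every path below is anchored on $dir. The original used `dir = .`, which
# resolves against the current working directory of each openssl invocation;
# the steps below always run from /etc/apache2, so the directory is pinned
# here so that `openssl ca` run from another cwd cannot silently pick up a
# different index.txt / serial / CA private key.
[ CA_default ]
dir = /etc/apache2
# Where the issued certs are kept
certs = $dir/ssl.crt
# Where the issued CRLs are kept
crl_dir = $dir/ssl.crl
# Database index file (created below with `touch index.txt`)
database = $dir/index.txt
# Set to "no" to allow creation of several certificates with the same subject.
#unique_subject = no
# Default place for new certs.
new_certs_dir = $dir/ssl.crt
# The CA certificate
certificate = $dir/ssl.crt/t-cards-ca.crt
# The current serial number (created below with `echo "01" > serial`)
serial = $dir/serial
# The current CRL number; must stay commented out to keep issuing a V1 CRL
#crlnumber = $dir/crlnumber
# The current CRL
crl = $dir/ssl.crl/t-cards.pem
# The CA private key -- keep the file and its directory readable by root only
private_key = $dir/ssl.key/t-cards-ca.key
# Private random-number file. NOTE(review): $dir/private is not created by
# the steps below, so openssl may complain that it cannot write the random
# state; create the directory or point this at a path that exists.
RANDFILE = $dir/private/.rand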
--------------------------------------------------------------
Генерим корневой (CA) сертификат:
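# All paths in openssl.cnf are relative to $dir, so work from the CA directory.
cd /etc/apache2/
mkdir -p ssl.key ssl.crt ssl.crl ssl.csr
# Private keys are written into ssl.key -- nobody but root needs to read them
chmod 700 ssl.key
# Self-signed CA certificate, valid 10 years. Without -nodes the key is
# written encrypted and a passphrase is prompted for.
openssl req -config /etc/ssl/openssl.cnf -new -x509 -keyout ssl.key/t-cards-ca.key -out t-cards-ca.pem -days 3650 -subj /C=RU/ST=Moscow/L=Moscow/O=www.t-cards.ru/OU=www.t-cards.ru/CN=www.t-cards.ru
# Rewrites the CA key WITHOUT its passphrase. Nothing in this procedure needs
# an unencrypted CA key (only the interactive `openssl ca` steps use it), so
# this step can be skipped to keep the CA key protected at rest.
openssl rsa -in ssl.key/t-cards-ca.key -out ssl.key/t-cards-ca.key
# Install the CA certificate where openssl.cnf (certificate=) expects it
openssl x509 -in t-cards-ca.pem -out ssl.crt/t-cards-ca.crt
# Empty CA database and starting serial number (database= / serial= in openssl.cnf)
touch index.txt
echo "01" > serial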
Генерим сертификат сервера:
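# Server key and CSR. Note that -days is only honoured together with -x509;
# the lifetime of the issued certificate comes from `openssl ca` (default_days
# in openssl.cnf), not from this line.
openssl req -config /etc/ssl/openssl.cnf -new -keyout ssl.key/t-cards.key -out ssl.csr/t-cards.csr -days 365 -subj /C=RU/ST=Moscow/L=Moscow/O=www.t-cards.ru/OU=www.t-cards.ru/CN=www.t-cards.ru
# Strip the passphrase so Apache can start unattended. The key is now plain
# text on disk, so restrict it to root.
openssl rsa -in ssl.key/t-cards.key -out ssl.key/t-cards.key
chmod 600 ssl.key/t-cards.key
# Sign the CSR with the CA. policy_anything accepts any subject fields, which
# is acceptable for a private CA that only signs its own CSRs.
openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out ssl.crt/t-cards.pem -infiles ssl.csr/t-cards.csr
openssl x509 -in ssl.crt/t-cards.pem -out ssl.crt/t-cards.crt
# Initial (empty) CRL. Pass the same -config as every other step; without it
# openssl falls back to its built-in default config path, which may not be
# the edited file.
openssl ca -config /etc/ssl/openssl.cnf -gencrl -out ssl.crl/t-cards.pem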
---------------------------------------------------------------
Правим конфиг апача:
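#/etc/apache2/httpd.conf
# HTTPS virtual host for www.t-cards.ru using the certificates produced above.
Listen 0.0.0.0:443
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.t-cards.ru
#ServerAlias *.t-cards.ru
DocumentRoot "/home/ftp/www/gateway.tpay-msk/html"
SSLEngine on
# Server certificate and its private key. The key is stored without a
# passphrase so Apache can start unattended; keep the file readable by root only.
SSLCertificateFile /etc/apache2/ssl.crt/t-cards.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/t-cards.key
# NOTE(review): in mod_ssl these two directives serve client-certificate
# verification, which only happens when SSLVerifyClient is enabled (it is not
# set here) -- confirm that this is intended, otherwise the CRL is never consulted.
SSLCACertificateFile /etc/apache2/ssl.crt/t-cards-ca.crt
SSLCARevocationFile /etc/apache2/ssl.crl/t-cards.pem
# Export the SSL_* variables to CGI/SSI; one occurrence is enough.
SSLOptions +StdEnvVars
#SetEnvIf User-Agent ".*MSIE.*" # nokeepalive ssl-unclean-shutdown # downgrade-1.0 force-response-1.0
<Directory "/home/ftp/www/gateway.tpay-msk/html">
# Apache rejects an Options line that mixes +/- prefixed options with bare
# ones at startup, so every option here carries a sign. Includes enables
# server-side includes, which also permits <!--#exec -->; prefer
# IncludesNOEXEC if command execution from SSI is not needed.
Options -Indexes +FollowSymLinks +Includes
AllowOverride All
order allow,deny
allow from all
</Directory>
</VirtualHost>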
Настройка apache & ssl
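#GOST
# Same flow with GOST R 34.10-2012 keys (needs the gost engine available to openssl).
# CA -- -nodes leaves the CA private key unencrypted on disk; restrict the file to root.
openssl req -x509 -nodes -newkey gost2012_256 -pkeyopt paramset:A -keyout kazna_ca.key -out kazna_ca.crt -subj "/CN=KAZNA CA" -days 3650
# CSR (the end-entity key is likewise written unencrypted because of -nodes)
openssl req -new -nodes -newkey gost2012_256 -pkeyopt paramset:C -keyout ksv.key -out ksv.csr -subj "/CN=Klimenko Sergey"
# CRT -- signed by the CA above, valid one year
openssl x509 -engine gost -req -in ksv.csr -CA kazna_ca.crt -CAkey kazna_ca.key -CAcreateserial -days 365 -out ksv.crt
# PFX -- the export password is read from a file instead of being passed as
# `pass:...` on the command line, where it would show up in `ps` output and in
# the shell history. PFX_PASSWORD_FILE is a placeholder: create it with mode 600
# and delete it once the bundle has been exported.
openssl pkcs12 -engine gost -export -in ksv.crt -inkey ksv.key -certfile kazna_ca.crt -keypbe gost89 -certpbe gost89 -macalg md_gost12_512 -out ksv.pfx -passout file:PFX_PASSWORD_FILE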