Last active
March 5, 2024 12:15
-
-
Save QueuingKoala/e2c1c067a312384915b5 to your computer and use it in GitHub Desktop.
Sub-CA example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Assumptions: easyrsa3 available in current dir, and functional openssl. | |
| # This basic example puts the "offline" and "sub" PKI dirs on the same system. | |
| # A real-world setup would use different systems and transport the public components. | |
| # Build root CA: | |
| EASYRSA_PKI=offline ./easyrsa init-pki | |
| EASYRSA_PKI=offline ./easyrsa build-ca nopass | |
| # Build sub-CA request: | |
| EASYRSA_PKI=sub ./easyrsa init-pki | |
| EASYRSA_PKI=sub ./easyrsa build-ca nopass subca | |
| # Import the sub-CA request under the short-name "sub" on the offline PKI: | |
| EASYRSA_PKI=offline ./easyrsa import-req sub/reqs/ca.req sub | |
| # Then sign it as a CA: | |
| EASYRSA_PKI=offline ./easyrsa sign-req ca sub | |
| # Transport sub-CA cert to sub PKI: | |
| cp offline/issued/sub.crt sub/ca.crt | |
| # Generate and sign some requests on the sub-CA. | |
| # Real-world use should import a CSR from the actual clients. We don't for brevity here. | |
| EASYRSA_PKI=sub ./easyrsa gen-req server nopass | |
| EASYRSA_PKI=sub ./easyrsa gen-req client nopass | |
| EASYRSA_PKI=sub ./easyrsa sign-req server server | |
| EASYRSA_PKI=sub ./easyrsa sign-req client client | |
| # Finally, create "bundle" files for use at each entity (ie: server and client ends.) | |
| cat sub/issued/server.crt sub/ca.crt > server-bundle.crt | |
| cat sub/issued/client.crt sub/ca.crt > client-bundle.crt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment