
@chenbojian
Last active March 25, 2023 02:31
Certificate Chain
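# Generate the root CA certificate
# Root CA private key (2048-bit RSA; no cipher option is given, so the PEM
# file is written without a passphrase)
openssl genrsa -out CA.key 2048
# CSR for the root CA
openssl req -new -sha256 -key CA.key -out CA.csr -subj "/C=BR/ST=SAO PAULO/L=SAO PAULO/O=AXWAY/CN=CA CERTIFICATE"
# Extensions that mark the certificate as a CA. `openssl x509 -req` does not
# add basicConstraints on its own, and verifiers that require it on issuers
# may otherwise refuse to chain to this root.
printf '%s\n' \
  'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' > CA.ext
# Self-sign the root certificate (10 years). -sha256 is explicit, as in every
# other signing step of this script, so the digest does not depend on the
# installed OpenSSL's default.
openssl x509 -req -in CA.csr -signkey CA.key -sha256 -days 3650 -extfile CA.ext -out CA.pem
# Export certificate + key as PKCS#12; openssl prompts for the export
# password. The bundle contains the CA private key.
openssl pkcs12 -export -out CA.pfx -inkey CA.key -in CA.pem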
#--------------------------------------------------------------------------------------
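# Generate the intermediate CA certificate
# Intermediate CA private key (2048-bit RSA, written without a passphrase)
openssl genrsa -out CA_Intermediary.key 2048
# CSR for the intermediate CA
openssl req -new -sha256 -key CA_Intermediary.key -out CA_Intermediary.csr -subj "/C=BR/ST=SAO PAULO/L=SAO PAULO/O=AXWAY/CN=CA INTERMEDIARY CERTIFICATE"
# An intermediate must carry basicConstraints CA:TRUE, otherwise chain
# validation of the certificates it issues fails. pathlen:0 limits it to
# issuing end-entity certificates, which is all this script uses it for.
printf '%s\n' \
  'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' > CA_Intermediary.ext
# Issue the intermediate CA certificate from the root CA (10 years)
openssl x509 -req -in CA_Intermediary.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out CA_Intermediary.crt -days 3650 -sha256 -extfile CA_Intermediary.ext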
#--------------------------------------------------------------------------------------
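# Generate a server certificate signed by the root CA
# Server private key (2048-bit RSA, written without a passphrase)
openssl genrsa -out ServerCert_signedByCA.key 2048
# Server CSR. subjectAltName is an X.509 extension, not a subject attribute,
# so it does not belong in -subj; it is supplied at signing time below.
openssl req -new -sha256 -key ServerCert_signedByCA.key -out ServerCert_signedByCA.csr -subj "/C=BR/ST=SAO PAULO/L=SAO PAULO/O=AXWAY/CN=axway.lab"
# Extensions for the issued certificate. Clients that ignore the CN match
# host names against subjectAltName only.
printf '%s\n' \
  'basicConstraints=CA:FALSE' \
  'extendedKeyUsage=serverAuth' \
  'subjectAltName=DNS:axway.lab,DNS:your-alt-name' > ServerCert_signedByCA.ext
# Issue the server certificate.
# NOTE(review): the 3650-day validity is kept from the original; some TLS
# clients enforce much shorter lifetimes for server certificates.
openssl x509 -req -in ServerCert_signedByCA.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out ServerCert_signedByCA.crt -days 3650 -sha256 -extfile ServerCert_signedByCA.ext
# View the certificate (check that the SAN entries are present)
openssl x509 -text -noout -in ServerCert_signedByCA.crt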
#--------------------------------------------------------------------------------------
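# Generate a server certificate signed by the intermediate CA
# Server private key (2048-bit RSA, written without a passphrase)
openssl genrsa -out ServerCert_signedByCAIntermediary.key 2048
# Server CSR. subjectAltName is an X.509 extension, not a subject attribute,
# so it does not belong in -subj; it is supplied at signing time below.
openssl req -new -sha256 -key ServerCert_signedByCAIntermediary.key -out ServerCert_signedByCAIntermediary.csr -subj "/C=BR/ST=SAO PAULO/L=SAO PAULO/O=AXWAY/CN=localhost"
# Extensions for the issued certificate. The CN (localhost) is repeated as a
# SAN entry because clients that honour subjectAltName ignore the CN.
printf '%s\n' \
  'basicConstraints=CA:FALSE' \
  'extendedKeyUsage=serverAuth' \
  'subjectAltName=DNS:localhost,DNS:axway.lab,DNS:your-alt-name' > ServerCert_signedByCAIntermediary.ext
# Issue the server certificate from the intermediate CA. The original passed
# CA.pem/CA.key here, which produced a certificate signed by the root despite
# the section title and the output file name.
# Relying parties need CA_Intermediary.crt in addition to CA.pem to build the chain.
openssl x509 -req -in ServerCert_signedByCAIntermediary.csr -CA CA_Intermediary.crt -CAkey CA_Intermediary.key -CAcreateserial -out ServerCert_signedByCAIntermediary.crt -days 3650 -sha256 -extfile ServerCert_signedByCAIntermediary.ext
# View the certificate (check the issuer and the SAN entries)
openssl x509 -text -noout -in ServerCert_signedByCAIntermediary.crt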
#--------------------------------------------------------------------------------------
# Client certificate issued directly by the root CA.
# All artefacts share one basename: <leaf>.key, <leaf>.csr, <leaf>.crt
leaf=ClientCert_signedByCA
leaf_subject="/C=BR/ST=SAO PAULO/L=SAO PAULO/O=AXWAY/CN=client"

# 1. 2048-bit RSA private key (no cipher option, so no passphrase)
openssl genrsa -out "${leaf}.key" 2048

# 2. Certificate signing request for the client identity
openssl req -new -sha256 \
  -key "${leaf}.key" \
  -subj "${leaf_subject}" \
  -out "${leaf}.csr"

# 3. Certificate signed with the root CA key, valid for 3650 days
openssl x509 -req -sha256 -days 3650 \
  -in "${leaf}.csr" \
  -CA CA.pem -CAkey CA.key -CAcreateserial \
  -out "${leaf}.crt"

# 4. Print the issued certificate in human-readable form
openssl x509 -in "${leaf}.crt" -noout -text
#--------------------------------------------------------------------------------------
# Client certificate issued by the intermediate CA.
# All artefacts share one basename: <leaf>.key, <leaf>.csr, <leaf>.crt
leaf=ClientCert_signedByCAIntermediary
leaf_subject="/C=BR/ST=SAO PAULO/L=SAO PAULO/O=AXWAY/CN=clientCA_Intermediary"

# 1. 2048-bit RSA private key (no cipher option, so no passphrase)
openssl genrsa -out "${leaf}.key" 2048

# 2. Certificate signing request for the client identity
openssl req -new -sha256 \
  -key "${leaf}.key" \
  -subj "${leaf_subject}" \
  -out "${leaf}.csr"

# 3. Certificate signed with the intermediate CA key, valid for 3650 days.
#    Verifying it requires CA_Intermediary.crt as well as the root CA.pem.
openssl x509 -req -sha256 -days 3650 \
  -in "${leaf}.csr" \
  -CA CA_Intermediary.crt -CAkey CA_Intermediary.key -CAcreateserial \
  -out "${leaf}.crt"

# 4. Print the issued certificate in human-readable form
openssl x509 -in "${leaf}.crt" -noout -text
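#######################################
# Issue a client certificate signed by the root CA and bundle it, together
# with its private key and CA.pem, into a PKCS#12 file.
# Globals:   CLIENT_PFX_PASS (read, optional) - export password for the
#            .pfx; falls back to the original hard-coded "1234" when unset.
# Arguments: $1 - client name; used as the certificate CN and as the
#                 basename of the generated <name>.pfx
# Outputs:   ClientCert_signedByCA.key/.csr/.crt (fixed names, overwritten
#            on every call) and <name>.pfx in the current directory
# Returns:   0 on success, 2 on an invalid name, otherwise the status of
#            the openssl command that failed
#######################################
client_cert() {
  local name=${1-}

  # The name is interpolated into -subj, where "/" starts a new RDN, and
  # into an output path, so an empty name or one containing "/" is refused.
  case $name in
    '' | */*)
      printf 'client_cert: name must be non-empty and must not contain "/"\n' >&2
      return 2
      ;;
  esac

  # Stop at the first failing step instead of packaging stale files left
  # behind by an earlier run.
  openssl genrsa -out ClientCert_signedByCA.key 2048 || return
  openssl req -new -sha256 -key ClientCert_signedByCA.key -out ClientCert_signedByCA.csr -subj "/CN=${name}" || return
  openssl x509 -req -in ClientCert_signedByCA.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out ClientCert_signedByCA.crt -days 3650 -sha256 || return

  # NOTE(security): "1234" is the original default and only suitable for a
  # lab; set CLIENT_PFX_PASS for anything else. The password is handed to
  # openssl through the environment (env:) rather than as pass:<value>, so
  # it does not appear in the process argument list.
  CLIENT_PFX_PASS=${CLIENT_PFX_PASS:-1234} \
    openssl pkcs12 -export -out "${name}.pfx" -inkey ClientCert_signedByCA.key -in ClientCert_signedByCA.crt -certfile CA.pem -passout env:CLIENT_PFX_PASS
}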

Convert the key to PKCS#8 format; gRPC TLS requires this format: openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in server.key -out server.pkcs8.key (-nocrypt writes the private key unencrypted, so restrict access to the output file.)
