This script creates a CA using OpenSSL on a Mac, creates a client certificate and signs it with the CA, then creates the server certificate for the client.
#!/bin/bash
# This script creates a CA, signs a client key with it and configures
# the CA database directories. Stop on the first failing command.
set -e
#Configure the Root CA
mkdir ca
cd ca
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null ./index.txt
# this is the MacPorts path on a Mac; adjust it if your openssl.cnf lives elsewhere
# be sure the dir entry under [ CA_default ] in the copied file is set to .
cp /opt/local/etc/openssl/openssl.cnf .
#generate the key
openssl genrsa -des3 -out private/cakey.pem 4096
# generate a self-signed root cert; sign with SHA-256 and give it an explicit
# lifetime (the default is only 30 days). -nodes is not needed here: it only
# applies when req generates a key, and ours is already DES3-encrypted.
openssl req -new -x509 -sha256 -days 3650 -key private/cakey.pem -out cacert.pem
#We are now ready to make an intermediate CA
mkdir ca2012
cd ca2012
cp ../openssl.cnf .
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null ./index.txt
openssl genrsa -des3 -out private/cakey.pem 4096
openssl req -new -sha256 -key private/cakey.pem -out ca2012.csr
#move our new signing request to the root and sign it
mv ca2012.csr ..
cd ..
openssl ca -extensions v3_ca -out ca2012.crt -in ca2012.csr -config openssl.cnf
mv ca2012.* ca2012
cd ca2012
mv ca2012.crt ca2012.pem
#create our ca chain file
cat ca2012.pem > chain.cert
cat ../cacert.pem >> chain.cert
# edit the dir entry under [ CA_default ] in the ca2012 openssl.cnf file:
# change the path from . to ..  (this step is interactive)
vi openssl.cnf
#create our server certificate
openssl genrsa -des3 -out myServer.key 4096
openssl req -new -key myServer.key -out myServer.csr
openssl ca -config openssl.cnf -policy policy_anything -out myServer.crt -infiles myServer.csr
# keep the server key, request and cert together under certs/myServer
mkdir certs/myServer
mv myServer.key myServer.csr myServer.crt certs/myServer
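An added check script, not part of the gist, for the result of the procedure above: it confirms that the intermediate carries CA:TRUE, that nothing is SHA-1 signed, and that the server certificate verifies against the root with the intermediate supplied as untrusted, which is how a TLS client evaluates chain.cert. The names root.pem, inter.pem and server.pem and the make_test_pki helper (which builds a throwaway PKI with unencrypted keys) are assumptions for testing, not the gist's own files.

```shell
#!/bin/bash
# Added check script, not part of the gist. Verifies what the procedure above
# should have produced; make_test_pki builds a constructed throwaway PKI so the
# checks can be exercised without the gist's interactive steps.
set -eu

# Print the signature algorithm of a PEM cert, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Succeed only if the cert carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# check_chain ROOT INTERMEDIATE LEAF: the intermediate must be a CA, nothing may
# be signed with SHA-1/MD5, and the leaf must verify against the root with the
# intermediate supplied as untrusted (what a TLS client does with chain.cert).
check_chain() {
  root=$1; inter=$2; leaf=$3; rc=0
  is_ca "$inter" || { echo "FAIL: $inter lacks CA:TRUE"; rc=1; }
  for c in "$root" "$inter" "$leaf"; do
    case "$(sig_alg "$c")" in
      *sha1*|*md5*) echo "FAIL: $c is signed with $(sig_alg "$c")"; rc=1 ;;
    esac
  done
  openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 ||
    { echo "FAIL: $leaf does not chain to $root via $inter"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $leaf chains to $root via $inter"
  return "$rc"
}

# Constructed test PKI in DIR: root -> intermediate (CA:TRUE) -> server leaf,
# all SHA-256 signed, unencrypted keys, fixed subjects. Assumed names, not the gist's.
make_test_pki() {
  d=$1; mkdir -p "$d"
  printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -sha256 -days 1825 -extfile "$d/ca.ext" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myServer" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -sha256 -days 365 -out "$d/server.pem" 2>/dev/null
}
```

Run it against the gist's output as `check_chain ../cacert.pem ca2012.pem certs/myServer/myServer.crt` from inside ca2012; a leaf that was accidentally signed by the root instead of the intermediate fails the verify step.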