# Presumably intermediate.openssl.cnf: the setup script passes it to `openssl req` and
# `openssl ca` for the intermediate CA — NOTE(review): the file name is not shown on this
# page; it is inferred from the relative `dir` in [ CA_default ] and the script's -config
# arguments.
# OpenSSL config dialect: `#` starts a comment anywhere on a line, whitespace inside [ ]
# is ignored, and $name expands to a key defined earlier in the same section.
[ ca ] # The default CA section
default_ca = CA_default # The default CA name
[ CA_default ] # Default settings for the intermediate CA
# Relative to the working directory of the `openssl` invocation, so the setup script
# must be run from the directory that holds this file.
dir = certificate-authorities/intermediate # Intermediate CA directory
certs = $dir/certs # Certificates directory
crl_dir = $dir/crl # CRL directory
new_certs_dir = $dir/newcerts # New certificates directory
database = $dir/index.txt # Certificate index file
serial = $dir/serial # Serial number file
# Legacy PRNG seed file; recent OpenSSL releases seed from the OS, so a missing file
# should be harmless — TODO confirm against the installed OpenSSL version.
RANDFILE = $dir/private/.rand # Random number file
private_key = $dir/private/intermediate.key.pem # Intermediate CA private key
certificate = $dir/certs/intermediate.cert.pem # Intermediate CA certificate
crl = $dir/crl/intermediate.crl.pem # Intermediate CA CRL
# NOTE(review): the setup script creates serial and index.txt but not this file, so
# `openssl ca -gencrl` fails until it is seeded (e.g. with 1000, like serial).
crlnumber = $dir/crlnumber # Intermediate CA CRL number
crl_extensions = crl_ext # CRL extensions
default_crl_days = 30 # Default CRL validity days
default_md = sha256 # Default message digest
preserve = no # Order DN fields as in the policy section rather than as in the request (config form of -preserveDN)
email_in_dn = no # Exclude email from the DN
name_opt = ca_default # Formatting options for names
cert_opt = ca_default # Certificate output options
policy = policy_loose # Certificate policy
# NOTE(review): unique_subject is not set here; ca(1) documents the default as yes, so a
# second certificate for an identical subject (e.g. re-issuing www.contoso.com) is refused
# until the earlier one is revoked. The root config on this page sets it to no explicitly.
# Selected by `policy = policy_loose` in [ CA_default ] when the intermediate signs a CSR.
# optional = copied from the request if present, supplied = must be present in the request.
# Per ca(1), DN fields not listed in a policy section are silently dropped from the issued DN.
[ policy_loose ] # Policy for less strict validation
countryName = optional # Country is optional
stateOrProvinceName = optional # State or province is optional
localityName = optional # Locality is optional
organizationName = optional # Organization is optional
organizationalUnitName = optional # Organizational unit is optional
commonName = supplied # Must provide a common name
emailAddress = optional # Email address is optional
[ req ] # Request settings
default_bits = 2048 # Default key size (only used when req generates a key; the setup script always passes -key)
distinguished_name = req_distinguished_name # Default DN template
string_mask = utf8only # Only UTF8String is used for DN fields
default_md = sha256 # Default message digest
# Only honoured by `openssl req -x509` (self-signed output). The setup script requests a
# CSR (no -x509), so this line has no effect there: the intermediate certificate's
# extensions come from the signing CA's config via `openssl ca -extensions`.
x509_extensions = v3_intermediate_ca # Extensions for intermediate CA certificate
prompt = no # Non-interactive: [ req_distinguished_name ] values are used literally
# With prompt = no these are the literal subject values, not prompt labels. They form the
# subject of the intermediate CSR; the setup script's server CSR overrides the whole
# subject with -subj and so does not use them.
[ req_distinguished_name ] # Template for the DN in the CSR
countryName = FR
stateOrProvinceName = Ile-de-France
localityName = Paris
# The "N." prefix is OpenSSL's way of allowing a field name to appear more than once.
0.organizationName = Contoso Corporation
organizationalUnitName = IT Department
commonName = Contoso Corporation Intermediate CA
emailAddress = admin@contoso.com
# NOTE(review): the setup script signs the intermediate CSR with
# `openssl ca -config root.openssl.cnf -extensions v3_intermediate_ca`, so the section of
# the same name in the root config is the one actually applied; this copy only takes
# effect for a self-signed `openssl req -x509` run through x509_extensions in [ req ].
# The pathlen:0 below therefore does not reach the issued certificate unless the root
# config's section carries it too.
[ v3_intermediate_ca ] # Intermediate CA certificate extensions
subjectKeyIdentifier = hash # Subject key identifier
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier
basicConstraints = critical, CA:true, pathlen:0 # Basic constraints for a CA; pathlen:0 forbids further sub-CAs
keyUsage = critical, digitalSignature, cRLSign, keyCertSign # Key usage for a CA
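[ crl_ext ] # CRL extensions, applied by `openssl ca -gencrl` via crl_extensions = crl_ext
# Spacing normalised to the `key = value` form used everywhere else in this file.
authorityKeyIdentifier = keyid:always # Authority key identifier (the root config's crl_ext adds issuer as well)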
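[ server_cert ] # Extensions for end-entity TLS server certificates (selected by `openssl ca -extensions server_cert`)
basicConstraints = CA:FALSE # Not a CA certificate
# Hostnames the certificate is valid for. Current TLS clients (browsers included) match
# the hostname against subjectAltName only, so without this extension the certificate is
# rejected for https://www.contoso.com even though the CN says www.contoso.com.
# Must match the CN the setup script requests with -subj; adjust per host if this
# section is reused for other servers.
subjectAltName = DNS:www.contoso.com
subjectKeyIdentifier = hash # Subject key identifier (recommended for end-entity certs)
nsCertType = server # Legacy Netscape certificate type; ignored by modern clients, kept for compatibility
keyUsage = critical, digitalSignature, keyEncipherment # Key usage for a server cert
extendedKeyUsage = serverAuth # Extended key usage for server authentication purposes (e.g., TLS/SSL servers).
authorityKeyIdentifier = keyid,issuer # Authority key identifier linking the certificate to the issuer's public key.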
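#!/usr/bin/env bash
# Builds a two-tier test PKI with OpenSSL: a self-signed root CA, an intermediate CA
# signed by the root, and a server certificate for www.contoso.com signed by the
# intermediate, then bundles the result.
#
# Expects root.openssl.cnf and intermediate.openssl.cnf in the current directory; both
# configs use a relative `dir`, so the script must be run from the directory that holds
# them. Re-running resets the serial files but keeps index.txt, so a second run can
# reuse serial numbers already recorded there, and the read-only files created below
# cannot be overwritten — NOTE(review): delete certificate-authorities/ and the two
# www.contoso.com.*.pem bundles before re-running, or add a guard that refuses to run
# on an existing tree.
set -euo pipefail
# https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/
echo 'Step 1: Create OpenSSL Root CA directory structure ...'
echo -n '- Create directory structure ... '
mkdir -p certificate-authorities/root/{certs,crl,newcerts,private,csr}
mkdir -p certificate-authorities/intermediate/{certs,crl,newcerts,private,csr}
echo 'Done!'
echo -n '- Create serial files ... '
echo 1000 > certificate-authorities/root/serial
echo 1000 > certificate-authorities/intermediate/serial
echo 'Done!'
echo -n '- Create index files ... '
touch certificate-authorities/root/index.txt
touch certificate-authorities/intermediate/index.txt
echo 'Done!'
echo 'Step 1: Done!'
echo 'Step 2: Skipped!'
echo 'Step 3: Generate the root CA key pair and certificate ...'
echo -n '- Create root CA private key ... '
# The subshell umask makes the key file owner-only from the moment it is created, so
# there is no window in which it is group/world-readable before the chmod below.
(umask 077; openssl genrsa -out certificate-authorities/root/private/ca.key.pem 4096)
chmod 400 certificate-authorities/root/private/ca.key.pem
# openssl rsa -noout -text -in certificate-authorities/root/private/ca.key.pem
echo 'Done!'
echo -n '- Create root CA certificate ... '
# Self-signed; extensions come from [ v3_ca ] in root.openssl.cnf. 7300 days is 20 years.
openssl req -config root.openssl.cnf -key certificate-authorities/root/private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certificate-authorities/root/certs/ca.cert.pem
chmod 444 certificate-authorities/root/certs/ca.cert.pem
# openssl x509 -noout -text -in certificate-authorities/root/certs/ca.cert.pem
echo 'Done!'
echo 'Step 3: Done!'
echo 'Step 4: Generate the intermediate CA key pair and certificate ...'
echo -n '- Create intermediate CA private key ... '
(umask 077; openssl genrsa -out certificate-authorities/intermediate/private/intermediate.key.pem 4096)
chmod 400 certificate-authorities/intermediate/private/intermediate.key.pem
# A private key is inspected with `openssl rsa`, not `openssl x509`.
# openssl rsa -noout -text -in certificate-authorities/intermediate/private/intermediate.key.pem
echo 'Done!'
echo -n '- Create intermediate CA certificate signing request ... '
openssl req -config intermediate.openssl.cnf -key certificate-authorities/intermediate/private/intermediate.key.pem -new -sha256 -out certificate-authorities/intermediate/certs/intermediate.csr.pem
echo 'Done!'
echo -n '- Sign intermediate CSR with root CA key ... '
# The extensions applied here are [ v3_intermediate_ca ] from root.openssl.cnf, because
# the root CA does the signing; the section of the same name in intermediate.openssl.cnf
# is not consulted.
openssl ca -batch -config root.openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in certificate-authorities/intermediate/certs/intermediate.csr.pem -out certificate-authorities/intermediate/certs/intermediate.cert.pem
chmod 444 certificate-authorities/intermediate/certs/intermediate.cert.pem
# openssl x509 -noout -text -in certificate-authorities/intermediate/certs/intermediate.cert.pem
echo 'Done!'
echo -n '- Verify intermediate certificate ... '
# Aborts the script (set -e) if the intermediate does not chain to the root.
openssl verify -CAfile certificate-authorities/root/certs/ca.cert.pem certificate-authorities/intermediate/certs/intermediate.cert.pem
echo 'Done!'
echo 'Step 4: Done!'
echo 'Step 5: Generate OpenSSL Create Certificate Chain (Certificate Bundle) ...'
# Intermediate first, then root, so the file can be used as a trust chain.
cat certificate-authorities/intermediate/certs/intermediate.cert.pem certificate-authorities/root/certs/ca.cert.pem > certificate-authorities/intermediate/certs/ca-chain.cert.pem
echo 'Step 5: Done!'
echo 'Step 6: Generate and sign server certificate using Intermediate CA ...'
echo -n '- Create server private key ... '
# Key size stated explicitly instead of relying on the genpkey default.
(umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out certificate-authorities/intermediate/private/www.contoso.com.key.pem)
chmod 400 certificate-authorities/intermediate/private/www.contoso.com.key.pem
echo 'Done!'
echo -n '- Create server certificate signing request ... '
openssl req -config intermediate.openssl.cnf -key certificate-authorities/intermediate/private/www.contoso.com.key.pem -new -sha256 -out certificate-authorities/intermediate/csr/www.contoso.com.csr.pem -subj "/C=FR/ST=Ile-de-France/L=Paris/O=Contoso Corporation/OU=IT Department/CN=www.contoso.com"
echo 'Done!'
echo -n '- Sign server CSR with intermediate CA key ... '
openssl ca -batch -config intermediate.openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in certificate-authorities/intermediate/csr/www.contoso.com.csr.pem -out certificate-authorities/intermediate/certs/www.contoso.com.cert.pem
chmod 444 certificate-authorities/intermediate/certs/www.contoso.com.cert.pem
# openssl x509 -noout -text -in certificate-authorities/intermediate/certs/www.contoso.com.cert.pem
echo 'Done!'
echo -n '- Verify server certificate ... '
# Checks the leaf against the chain built in Step 5; aborts the script on failure.
openssl verify -CAfile certificate-authorities/intermediate/certs/ca-chain.cert.pem certificate-authorities/intermediate/certs/www.contoso.com.cert.pem
echo 'Done!'
echo 'Step 6: Done!'
# Public bundle: leaf, intermediate, root.
cat certificate-authorities/intermediate/certs/www.contoso.com.cert.pem certificate-authorities/intermediate/certs/ca-chain.cert.pem > www.contoso.com.cert-chain.pem
# Private bundle: contains the server private key, so it is written under a restrictive
# umask and locked down like the other key files instead of inheriting the default mode.
(umask 077; cat certificate-authorities/intermediate/private/www.contoso.com.key.pem www.contoso.com.cert-chain.pem > www.contoso.com.private-key-and-cert-chain.pem)
chmod 400 www.contoso.com.private-key-and-cert-chain.pem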
# Presumably root.openssl.cnf: the setup script passes it to `openssl req -x509` for the
# root certificate and to `openssl ca` to sign the intermediate — NOTE(review): the file
# name is not shown on this page; it is inferred from the relative `dir` in [ CA_default ]
# and the script's -config arguments.
# OpenSSL config dialect: `#` starts a comment anywhere on a line, whitespace inside [ ]
# is ignored, and $name expands to a key defined earlier in the same section.
[ ca ] # The default CA section
default_ca = CA_default # The default CA name
[ CA_default ] # Default settings for the CA
# Relative to the working directory of the `openssl` invocation, so the setup script
# must be run from the directory that holds this file.
dir = certificate-authorities/root # CA directory
certs = $dir/certs # Certificates directory
crl_dir = $dir/crl # CRL directory
new_certs_dir = $dir/newcerts # New certificates directory
database = $dir/index.txt # Certificate index file
serial = $dir/serial # Serial number file
# Legacy PRNG seed file; recent OpenSSL releases seed from the OS, so a missing file
# should be harmless — TODO confirm against the installed OpenSSL version.
RANDFILE = $dir/private/.rand # Random number file
private_key = $dir/private/ca.key.pem # Root CA private key
certificate = $dir/certs/ca.cert.pem # Root CA certificate
crl = $dir/crl/ca.crl.pem # Root CA CRL
# NOTE(review): the setup script creates serial and index.txt but not this file, so
# `openssl ca -gencrl` fails until it is seeded (e.g. with 1000, like serial).
crlnumber = $dir/crlnumber # Root CA CRL number
crl_extensions = crl_ext # CRL extensions
default_crl_days = 30 # Default CRL validity days
default_md = sha256 # Default message digest
preserve = no # Order DN fields as in the policy section rather than as in the request (config form of -preserveDN)
email_in_dn = no # Exclude email from the DN
name_opt = ca_default # Formatting options for names
cert_opt = ca_default # Certificate output options
policy = policy_strict # Certificate policy
# Lets the root re-sign an intermediate with the same DN without revoking the earlier
# one first (ca(1) documents the default as yes).
unique_subject = no # Allow multiple certs with the same DN
# Selected by `policy = policy_strict` in [ CA_default ] when the root signs the
# intermediate CSR: match = the request's value must equal the same field in the root
# certificate, supplied = must be present in the request, optional = copied if present.
# NOTE(review): per ca(1), fields not listed in the policy are silently dropped from the
# issued DN, so the intermediate CSR's localityName (L=Paris) does not appear in the
# issued intermediate certificate. Add `localityName = optional` if it should be kept.
[ policy_strict ] # Policy for stricter validation
countryName = match # Must match the issuer's country
stateOrProvinceName = match # Must match the issuer's state
organizationName = match # Must match the issuer's organization
organizationalUnitName = optional # Organizational unit is optional
commonName = supplied # Must provide a common name
emailAddress = optional # Email address is optional
[ req ] # Request settings
default_bits = 2048 # Default key size (only used when req generates a key; the setup script always passes -key)
distinguished_name = req_distinguished_name # Default DN template
string_mask = utf8only # Only UTF8String is used for DN fields
default_md = sha256 # Default message digest
prompt = no # Non-interactive mode: [ req_distinguished_name ] values are used literally
# No x509_extensions here: the setup script selects [ v3_ca ] on the command line with
# `-extensions v3_ca`, so running `openssl req -x509` without it yields no CA extensions.
# With prompt = no these are the literal subject values of the self-signed root
# certificate, not prompt labels.
[ req_distinguished_name ] # Template for the DN in the CSR
countryName = FR
stateOrProvinceName = Ile-de-France
localityName = Paris
# The "N." prefix is OpenSSL's way of allowing a field name to appear more than once.
0.organizationName = Contoso Corporation
organizationalUnitName = IT Department
commonName = Contoso Corporation Root CA
emailAddress = admin@contoso.com
# Applied by `openssl req -x509 -extensions v3_ca` in the setup script.
[ v3_ca ] # Root CA certificate extensions
subjectKeyIdentifier = hash # Subject key identifier
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier (self-referential on a self-signed root)
# No pathlen: the root may sign CAs at any depth; depth control for the hierarchy
# belongs on the intermediate's basicConstraints.
basicConstraints = critical, CA:true # Basic constraints for a CA
keyUsage = critical, keyCertSign, cRLSign # Key usage for a CA
# Applied by `openssl ca -gencrl` via crl_extensions = crl_ext in [ CA_default ].
[ crl_ext ] # CRL extensions
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier
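[ v3_intermediate_ca ] # Extensions applied when the root signs the intermediate CSR (`openssl ca -extensions v3_intermediate_ca`)
subjectKeyIdentifier = hash # Subject key identifier
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier pointing at the root
# pathlen:0 restricts the intermediate to issuing end-entity certificates; without it the
# intermediate could issue further sub-CAs. This is the section actually used when the
# setup script signs the intermediate, so the constraint has to live here rather than only
# in the intermediate config's section of the same name.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign # Key usage for a CA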