@jsvd
Created October 16, 2018 11:55
warning: do not use the certificates produced by this tool in production. This is for testing purposes only
# warning: do not use the certificates produced by this tool in production. This is for testing purposes only
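# Root certificate authority (self-signed, test use only).
# The key is generated without a passphrase, so anyone who can read RootCA.key
# can issue certificates that chain to this root.
openssl genrsa -out RootCA.key 4096
# Depending on the OpenSSL version the key file may be created with the caller's
# umask; restrict it to the owner explicitly.
chmod 600 RootCA.key
# NOTE(review): `req` takes no -extfile and no -config is passed here, so
# `-extensions v3_ca` is presumably resolved in OpenSSL's default configuration
# file rather than in ./openssl.cnf — confirm the default config defines v3_ca.
# -sha256 pins the signature digest instead of relying on the version-dependent default.
openssl req -new -x509 -sha256 -days 1826 -extensions v3_ca -key RootCA.key -out RootCA.crt
# Unencrypted (-nocrypt) PKCS#8 copy of the same private key; protect it like the original.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in RootCA.key -out RootCA.key.pkcs8
chmod 600 RootCA.key.pkcs8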
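# Intermediate CA, signed by the root CA (test use only; key has no passphrase).
openssl genrsa -out IntermediateCA.key 4096
# Depending on the OpenSSL version the key file may be created with the caller's
# umask; restrict it to the owner explicitly.
chmod 600 IntermediateCA.key
openssl req -new -key IntermediateCA.key -out IntermediateCA.csr
# Extensions come from the v3_intermediate_ca section of ./openssl.cnf.
# -sha256 pins the signature digest instead of relying on the version-dependent default.
# The serial number is hard-coded, which is only acceptable for a throwaway test PKI.
openssl x509 -req -sha256 -days 1000 -extfile ./openssl.cnf -extensions v3_intermediate_ca -in IntermediateCA.csr -CA RootCA.crt -CAkey RootCA.key -out IntermediateCA.crt -set_serial 01
# Confirm the new intermediate chains to the root before issuing anything from it.
openssl verify -CAfile RootCA.crt IntermediateCA.crt
# Unencrypted (-nocrypt) PKCS#8 copy of the same private key; protect it like the original.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in IntermediateCA.key -out IntermediateCA.key.pkcs8
chmod 600 IntermediateCA.key.pkcs8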
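# Server certificate issued by the intermediate CA (test use only; key has no passphrase).
openssl genrsa -out Server.key 4096
# Depending on the OpenSSL version the key file may be created with the caller's
# umask; restrict it to the owner explicitly.
chmod 600 Server.key
openssl req -new -key Server.key -out Server.csr
# Extensions come from the server_cert section of ./openssl.cnf.
# NOTE(review): that section, as shown with this script, sets no subjectAltName,
# so clients that match hostnames against SAN only may reject this certificate.
# -sha256 pins the signature digest instead of relying on the version-dependent default.
# The serial number is hard-coded, which is only acceptable for a throwaway test PKI.
openssl x509 -req -sha256 -extensions server_cert -extfile ./openssl.cnf -days 1000 -in Server.csr -CA IntermediateCA.crt -CAkey IntermediateCA.key -set_serial 02 -out Server.crt
# Verify the full chain: root as trust anchor, intermediate supplied as untrusted.
openssl verify -CAfile RootCA.crt -untrusted IntermediateCA.crt Server.crt
# Unencrypted (-nocrypt) PKCS#8 copy of the same private key; protect it like the original.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in Server.key -out Server.key.pkcs8
chmod 600 Server.key.pkcs8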
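# Server certificate issued directly by the root CA (test use only; key has no passphrase).
openssl genrsa -out Server-Root.key 4096
# Depending on the OpenSSL version the key file may be created with the caller's
# umask; restrict it to the owner explicitly.
chmod 600 Server-Root.key
openssl req -new -key Server-Root.key -out Server-Root.csr
# Extensions come from the server_cert section of ./openssl.cnf.
# NOTE(review): that section, as shown with this script, sets no subjectAltName,
# so clients that match hostnames against SAN only may reject this certificate.
# -sha256 pins the signature digest instead of relying on the version-dependent default.
# The serial number is hard-coded, which is only acceptable for a throwaway test PKI.
openssl x509 -req -sha256 -extensions server_cert -extfile ./openssl.cnf -days 1000 -in Server-Root.csr -CA RootCA.crt -CAkey RootCA.key -set_serial 03 -out Server-Root.crt
# Verify against the root alone; no intermediate is involved in this chain.
openssl verify -CAfile RootCA.crt Server-Root.crt
# Unencrypted (-nocrypt) PKCS#8 copy of the same private key; protect it like the original.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in Server-Root.key -out Server-Root.key.pkcs8
chmod 600 Server-Root.key.pkcs8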
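# Client certificate issued by the intermediate CA (test use only; key has no passphrase).
openssl genrsa -out Client.key 4096
# Depending on the OpenSSL version the key file may be created with the caller's
# umask; restrict it to the owner explicitly.
chmod 600 Client.key
openssl req -new -key Client.key -out Client.csr
# Extensions come from the usr_cert section of ./openssl.cnf (clientAuth / emailProtection).
# -sha256 pins the signature digest instead of relying on the version-dependent default.
# The serial number is hard-coded, which is only acceptable for a throwaway test PKI.
openssl x509 -req -sha256 -extensions usr_cert -extfile ./openssl.cnf -days 1000 -in Client.csr -CA IntermediateCA.crt -CAkey IntermediateCA.key -set_serial 04 -out Client.crt
# Verify the full chain: root as trust anchor, intermediate supplied as untrusted.
openssl verify -CAfile RootCA.crt -untrusted IntermediateCA.crt Client.crt
# Unencrypted (-nocrypt) PKCS#8 copy of the same private key; protect it like the original.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in Client.key -out Client.key.pkcs8
chmod 600 Client.key.pkcs8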
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
# NOTE(review): the `openssl req -new -x509 ... -extensions v3_ca` command shown
# with this file passes no -config, so it presumably reads v3_ca from OpenSSL's
# default configuration rather than from this section — confirm which is in effect.
# Key identifiers let verifiers link a certificate to its issuer's key.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Critical CA:true marks the certificate as a CA. No pathlen is set, so the
# number of subordinate CA levels below it is not limited.
basicConstraints = critical, CA:true
# Restricts the key to digital signatures and to signing certificates and CRLs.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# Key identifiers let verifiers link a certificate to its issuer's key.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 means this CA may sign end-entity certificates only; a CA certificate
# issued beneath it would fail path validation.
basicConstraints = critical, CA:true, pathlen:0
# Restricts the key to digital signatures and to signing certificates and CRLs.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
# CA:FALSE keeps a client certificate from being accepted as an issuer.
# Not marked critical here, unlike the CA sections.
basicConstraints = CA:FALSE
# nsCertType and nsComment are legacy Netscape extensions; current TLS stacks
# rely on keyUsage / extendedKeyUsage instead.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# Limits the certificate to TLS client authentication and e-mail protection.
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# NOTE(review): no subjectAltName is set in this section. Clients that match the
# host name against SAN only may reject certificates issued with it. If needed,
# add a line of the form (placeholder value):
#   subjectAltName = DNS:<server-hostname>
# CA:FALSE keeps a server certificate from being accepted as an issuer.
# Not marked critical here, unlike the CA sections.
basicConstraints = CA:FALSE
# nsCertType and nsComment are legacy Netscape extensions; current TLS stacks
# rely on keyUsage / extendedKeyUsage instead.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
# Limits the certificate to TLS server authentication.
extendedKeyUsage = serverAuth