-
-
Save jeffscrum/4bac3fa4a1b3953150b67e04fb9efcf6 to your computer and use it in GitHub Desktop.
Sub-CA example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Assumptions: easyrsa3 available in current dir, and functional openssl. | |
| # This basic example puts the "offline" and "sub" PKI dirs on the same system. | |
| # A real-world setup would use different systems and transport the public components. | |
| # Build root CA: | |
| EASYRSA_PKI=offline easyrsa init-pki | |
| EASYRSA_PKI=offline easyrsa build-ca nopass | |
| # Build sub-CA request: | |
| EASYRSA_PKI=sub easyrsa init-pki | |
| EASYRSA_PKI=sub easyrsa build-ca nopass subca | |
| # Import the sub-CA request under the short-name "sub" on the offline PKI: | |
| EASYRSA_PKI=offline easyrsa import-req sub/reqs/ca.req sub | |
| # Then sign it as a CA: | |
| EASYRSA_PKI=offline easyrsa sign-req ca sub | |
| # Transport sub-CA cert to sub PKI: | |
| cp offline/issued/sub.crt sub/ca.crt | |
| # Generate and sign some requests on the sub-CA. | |
| # Real-world use should import a CSR from the actual clients. We don't for brevity here. | |
| EASYRSA_PKI=sub easyrsa gen-req server nopass | |
| EASYRSA_PKI=sub easyrsa gen-req client nopass | |
| # ./easyrsa sign-req <type> nameOfRequest | |
| # client - A TLS client, suitable for a VPN user or web browser (web client) | |
| # server - A TLS server, suitable for a VPN or web server | |
| # ca - A intermediate CA, used when chaining multiple CAs together | |
| # serverClient - A TLS server and TLS client | |
| EASYRSA_PKI=sub easyrsa sign-req server server | |
| EASYRSA_PKI=sub easyrsa sign-req client client | |
| # Server bundle (server or client cert + Intermediate CA cert) | |
| cat sub/issued/server.crt sub/ca.crt > server-bundle.crt | |
| cat sub/issued/client.crt sub/ca.crt > client-bundle.crt | |
| # Full chain (server cert + Intermediate + Root) | |
| cat sub/issued/server.crt \ | |
| sub/ca.crt \ | |
| offline/ca.crt > server.full-chain.crt | |
| # Create an updated CRL that contains all revoked certs up to that point | |
| EASYRSA_PKI=sub easyrsa gen-crl | |
| # Revoke cert | |
| # Values accepted for option [ reason ]: | |
| # us | uns* | unspecified | |
| # kc | key* | keyCompromise | |
| # cc | ca* | CACompromise | |
| # ac | aff* | affiliationChanged | |
| # ss | sup* | superseded | |
| # co | ces* | cessationOfOperation | |
| # ch | cer* | certificateHold | |
| #EASYRSA_PKI=sub easyrsa revoke-issued <file_name_base> [ reason ] # Revoke a current, issued certificate. | |
| #EASYRSA_PKI=sub easyrsa revoke-expired <file_name_base> [ reason ] # Revoke an old, expired certificate. | |
| #EASYRSA_PKI=sub easyrsa revoke-renewed <file_name_base> [ reason ] # Revoke an old, renewed certificate. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment