-
-
Save jeffscrum/4bac3fa4a1b3953150b67e04fb9efcf6 to your computer and use it in GitHub Desktop.
Sub-CA example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Assumptions: easyrsa3 available in current dir, and functional openssl. | |
| # This basic example puts the "offline" and "sub" PKI dirs on the same system. | |
| # A real-world setup would use different systems and transport the public components. | |
| # Build root CA: | |
| EASYRSA_PKI=offline easyrsa init-pki | |
| EASYRSA_PKI=offline easyrsa build-ca nopass | |
| # Build sub-CA request: | |
| EASYRSA_PKI=sub easyrsa init-pki | |
| EASYRSA_PKI=sub easyrsa build-ca nopass subca | |
| # Import the sub-CA request under the short-name "sub" on the offline PKI: | |
| EASYRSA_PKI=offline easyrsa import-req sub/reqs/ca.req sub | |
| # Then sign it as a CA: | |
| EASYRSA_PKI=offline easyrsa sign-req ca sub | |
| # Transport sub-CA cert to sub PKI: | |
| cp offline/issued/sub.crt sub/ca.crt | |
| # Generate and sign some requests on the sub-CA. | |
| # Real-world use should import a CSR from the actual clients. We don't for brevity here. | |
| EASYRSA_PKI=sub easyrsa gen-req server nopass | |
| EASYRSA_PKI=sub easyrsa gen-req client nopass | |
| EASYRSA_PKI=sub easyrsa sign-req server server | |
| EASYRSA_PKI=sub easyrsa sign-req client client | |
| # Server bundle (server or client cert + Intermediate CA cert) | |
| cat sub/issued/server.crt sub/ca.crt > server-bundle.crt | |
| cat sub/issued/client.crt sub/ca.crt > client-bundle.crt | |
| # Full chain (server cert + Intermediate + Root) | |
| cat sub/issued/server.crt \ | |
| sub/ca.crt \ | |
| offline/ca.crt > server.full-chain.crt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment