# Assumptions: easyrsa3 available in current dir, and functional openssl.
# This basic example puts the "offline" and "sub" PKI dirs on the same system.
# A real-world setup would use different systems and transport only the public components
# (the request and the signed certificate); the root's private key never leaves the offline system.
# nopass is used throughout only to keep the example non-interactive; in a real deployment the CA
# private keys (above all the offline root's) should be passphrase-protected.

# Build root CA:
EASYRSA_PKI=offline easyrsa init-pki
EASYRSA_PKI=offline easyrsa build-ca nopass

# Build sub-CA request (the "subca" option makes build-ca emit a CSR instead of a self-signed CA):
EASYRSA_PKI=sub easyrsa init-pki
EASYRSA_PKI=sub easyrsa build-ca nopass subca

# Import the sub-CA request under the short-name "sub" on the offline PKI:
EASYRSA_PKI=offline easyrsa import-req sub/reqs/ca.req sub

# Then sign it as a CA:
EASYRSA_PKI=offline easyrsa sign-req ca sub

# Transport the sub-CA cert to the sub PKI:
cp offline/issued/sub.crt sub/ca.crt

# Generate and sign some requests on the sub-CA.
# Real-world use should import a CSR from the actual clients (so the client's private key never
# leaves the client). We don't for brevity here.
EASYRSA_PKI=sub easyrsa gen-req server nopass
EASYRSA_PKI=sub easyrsa gen-req client nopass

# Usage: easyrsa sign-req <type> <file_name_base>, where <type> is one of:
#   client       - A TLS client, suitable for a VPN user or web browser (web client)
#   server       - A TLS server, suitable for a VPN or web server
#   ca           - An intermediate CA, used when chaining multiple CAs together
#   serverClient - A TLS server and TLS client
EASYRSA_PKI=sub easyrsa sign-req server server
EASYRSA_PKI=sub easyrsa sign-req client client

# Bundles (server or client cert + intermediate CA cert). The end-entity cert must come first;
# servers that read a PEM file treat the first certificate as their own.
cat sub/issued/server.crt sub/ca.crt > server-bundle.crt
cat sub/issued/client.crt sub/ca.crt > client-bundle.crt

# Full chain (server cert + intermediate + root):
cat sub/issued/server.crt \
    sub/ca.crt \
    offline/ca.crt > server.full-chain.crt

# Revoke a cert.
# Values accepted for option [ reason ]:
#   us | uns* | unspecified
#   kc | key* | keyCompromise
#   cc | ca*  | CACompromise
#   ac | aff* | affiliationChanged
#   ss | sup* | superseded
#   co | ces* | cessationOfOperation
#   ch | cer* | certificateHold
#EASYRSA_PKI=sub easyrsa revoke-issued <file_name_base> [ reason ]   # Revoke a current, issued certificate.
#EASYRSA_PKI=sub easyrsa revoke-expired <file_name_base> [ reason ]  # Revoke an old, expired certificate.
#EASYRSA_PKI=sub easyrsa revoke-renewed <file_name_base> [ reason ]  # Revoke an old, renewed certificate.

# Create an updated CRL that contains all revoked certs up to that point.
# Re-run this after every revocation and publish the resulting sub/crl.pem to the relying parties;
# until they see the new CRL, the revocation has no effect.
EASYRSA_PKI=sub easyrsa gen-crl
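The script above builds the files but never checks them. The following is an added example, not part of easy-rsa or of the original script: it rebuilds the same root -> intermediate -> server shape with plain openssl in a scratch directory (so it runs without easy-rsa), then uses `openssl verify` to show which bundle a verifier needs, why handing a client only sub/ca.crt is not enough on its own, and how a revocation becomes visible through the CRL. The `make_csr`/`check` helpers, the `openssl ca` config and all subjects and hostnames are made up for the example.

```sh
#!/bin/sh
# Added example: verify the easy-rsa style bundles with openssl only.
# Names, subjects and the sub-CA config below are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical helper: key + CSR for one name (P-256 keeps key generation fast).
make_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_pki() {
  make_csr root   "Example Offline Root CA"
  make_csr sub    "Example Issuing CA"
  make_csr server "vpn.example.test"

  # Root: self-signed CA (what build-ca produces on the offline PKI).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null

  # Intermediate: signed by the root, CA:TRUE with pathlen:0 (the `sign-req ca` step).
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" 2>/dev/null

  # Server leaf: signed by the intermediate (the `sign-req server` step).
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.test\n' >"$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

  # Same bundles the easy-rsa script builds: end-entity cert first, then its issuer(s).
  cat "$WORK/server.crt" "$WORK/sub.crt" >"$WORK/server-bundle.crt"
  cat "$WORK/server.crt" "$WORK/sub.crt" "$WORK/root.crt" >"$WORK/server.full-chain.crt"
}

# Hypothetical helper: print "ok" or "fail" for `openssl verify <args> server.crt`.
check() {
  if openssl verify "$@" "$WORK/server.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Leaf + intermediate bundle, root as trust anchor: the normal full-chain case.
verify_full_chain()  { check -CAfile "$WORK/root.crt" -untrusted "$WORK/server-bundle.crt"; }
# Leaf alone against the root: no path to the anchor, so it must fail.
verify_leaf_alone()  { check -CAfile "$WORK/root.crt"; }
# Only sub/ca.crt as anchor: fails, because the chain cannot reach a self-signed root ...
verify_sub_only()    { check -CAfile "$WORK/sub.crt"; }
# ... unless the verifier explicitly accepts a partial chain ending at a trusted intermediate.
verify_sub_partial() { check -CAfile "$WORK/sub.crt" -partial_chain; }

# Minimal `openssl ca` database for the intermediate so it can revoke and issue a CRL.
setup_sub_ca_db() {
  : >"$WORK/index.txt"; echo 1000 >"$WORK/crlnumber"; echo 01 >"$WORK/serial"
  cat >"$WORK/sub-ca.cnf" <<EOF
[ ca ]
default_ca = sub_ca
[ sub_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/sub.crt
private_key = \$dir/sub.key
default_md = sha256
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
}

gen_crl()       { openssl ca -config "$WORK/sub-ca.cnf" -gencrl -out "$WORK/sub.crl" >/dev/null 2>&1; }
revoke_server() { openssl ca -config "$WORK/sub-ca.cnf" -revoke "$WORK/server.crt" -crl_reason keyCompromise >/dev/null 2>&1; }
# With -crl_check the leaf is looked up in the CRL issued by its issuer (the intermediate).
verify_with_crl() { check -crl_check -CAfile "$WORK/root.crt" -CRLfile "$WORK/sub.crl" -untrusted "$WORK/sub.crt"; }

build_pki
setup_sub_ca_db
echo "full chain:       $(verify_full_chain)"   # ok
echo "leaf alone:       $(verify_leaf_alone)"   # fail
echo "sub only:         $(verify_sub_only)"     # fail
echo "sub, partial:     $(verify_sub_partial)"  # ok
gen_crl
echo "crl, not revoked: $(verify_with_crl)"     # ok
revoke_server; gen_crl
echo "crl, revoked:     $(verify_with_crl)"     # fail
```

The "sub only" case is the one that bites in practice: a VPN client or server configured with just sub/ca.crt as its CA file holds an anchor that is not self-signed, and a verifier without partial-chain semantics will reject every peer certificate. That is why the script also builds server.full-chain.crt with the root appended. The last two checks show the point made next to gen-crl: revoking alone changes nothing a verifier can see; only the regenerated CRL does.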