# Assumptions: easyrsa3 available in current dir, and functional openssl.
# This basic example puts the "offline" and "sub" PKI dirs on the same system.
# A real-world setup would use different systems and transport the public components.

# Build root CA:
EASYRSA_PKI=offline easyrsa init-pki
EASYRSA_PKI=offline easyrsa build-ca nopass

# Build sub-CA request:
EASYRSA_PKI=sub easyrsa init-pki
EASYRSA_PKI=sub easyrsa build-ca nopass subca

# Import the sub-CA request under the short-name "sub" on the offline PKI:
EASYRSA_PKI=offline easyrsa import-req sub/reqs/ca.req sub
# Then sign it as a CA:
EASYRSA_PKI=offline easyrsa sign-req ca sub
# Transport sub-CA cert to sub PKI:
cp offline/issued/sub.crt sub/ca.crt

# Generate and sign some requests on the sub-CA.
# Real-world use should import a CSR from the actual clients. We don't for brevity here.
EASYRSA_PKI=sub easyrsa gen-req server nopass
EASYRSA_PKI=sub easyrsa gen-req client nopass
EASYRSA_PKI=sub easyrsa sign-req server server
EASYRSA_PKI=sub easyrsa sign-req client client

# Server bundle (server or client cert + Intermediate CA cert)
cat sub/issued/server.crt sub/ca.crt > server-bundle.crt
cat sub/issued/client.crt sub/ca.crt > client-bundle.crt

# Full chain (server cert + Intermediate + Root)
cat sub/issued/server.crt \
    sub/ca.crt \
    offline/ca.crt > server.full-chain.crt