# Assumptions: easyrsa3 available in current dir, and functional openssl.
# This basic example puts the "offline" and "sub" PKI dirs on the same system.
# A real-world setup would use different systems and transport the public components.

# Build root CA:
EASYRSA_PKI=offline ./easyrsa init-pki
EASYRSA_PKI=offline ./easyrsa build-ca nopass

# Build sub-CA request:
EASYRSA_PKI=sub ./easyrsa init-pki
EASYRSA_PKI=sub ./easyrsa build-ca nopass subca

# Import the sub-CA request under the short-name "sub" on the offline PKI:
EASYRSA_PKI=offline ./easyrsa import-req sub/reqs/ca.req sub
# Then sign it as a CA:
EASYRSA_PKI=offline ./easyrsa sign-req ca sub
# Transport sub-CA cert to sub PKI:
cp offline/issued/sub.crt sub/ca.crt

# Generate and sign some requests on the sub-CA.
# Real-world use should import a CSR from the actual clients. We don't for brevity here.
EASYRSA_PKI=sub ./easyrsa gen-req server nopass
EASYRSA_PKI=sub ./easyrsa gen-req client nopass
EASYRSA_PKI=sub ./easyrsa sign-req server server
EASYRSA_PKI=sub ./easyrsa sign-req client client

# Finally, create "bundle" files for use at each entity (ie: server and client ends.)
cat sub/issued/server.crt sub/ca.crt > server-bundle.crt
cat sub/issued/client.crt sub/ca.crt > client-bundle.crt