unixzen · February 22, 2023 13:51 · May 9, 2014 · May 9, 2014
diff --git a/setup.sh b/setup.sh
@@ -4,7 +4,7 @@
 
 # Build root CA:
 EASYRSA_PKI=offline ./easyrsa init-pki
-EASYRSA_PKI=offline ./easyrsa init-ca nopass
+EASYRSA_PKI=offline ./easyrsa build-ca nopass
 
 # Build sub-CA request:
 EASYRSA_PKI=sub ./easyrsa init-pki

diff --git a/setup.sh b/setup.sh
@@ -0,0 +1,29 @@
+# Assumptions: easyrsa3 available in current dir, and functional openssl.
+# This basic example puts the "offline" and "sub" PKI dirs on the same system.
+# A real-world setup would use different systems and transport the public components.
+
+# Build root CA:
+EASYRSA_PKI=offline ./easyrsa init-pki
+EASYRSA_PKI=offline ./easyrsa init-ca nopass
+
+# Build sub-CA request:
+EASYRSA_PKI=sub ./easyrsa init-pki
+EASYRSA_PKI=sub ./easyrsa build-ca nopass subca
+
+# Import the sub-CA request under the short-name "sub" on the offline PKI:
+EASYRSA_PKI=offline ./easyrsa import-req sub/reqs/ca.req sub
+# Then sign it as a CA:
+EASYRSA_PKI=offline ./easyrsa sign-req ca sub
+# Transport sub-CA cert to sub PKI:
+cp offline/issued/sub.crt sub/ca.crt
+
+# Generate and sign some requests on the sub-CA.
+# Real-world use should import a CSR from the actual clients. We don't for brevity here.
+EASYRSA_PKI=sub ./easyrsa gen-req server nopass
+EASYRSA_PKI=sub ./easyrsa gen-req client nopass
+EASYRSA_PKI=sub ./easyrsa sign-req server server
+EASYRSA_PKI=sub ./easyrsa sign-req client client
+
+# Finally, create "bundle" files for use at each entity (ie: server and client ends.)
+cat sub/issued/server.crt sub/ca.crt > server-bundle.crt
+cat sub/issued/client.crt sub/ca.crt > client-bundle.crt