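#!/bin/bash
#
# Rebuilds a throwaway two-tier test PKI (root CA -> signing CA -> server
# certificate for test.local), installs the server chain where nginx picks it
# up, restarts nginx and verifies the TLS handshake with curl.
#
# Must be run from the directory that contains etc/ca-ssl.conf and
# etc/server-ssl.conf: every path below except /tmp/nginx.* is relative.
# DESTRUCTIVE: the existing ./ca and ./certs trees, including all CA private
# keys, are deleted on every run.
set -euo pipefail

# Refuse to run from the wrong directory. Without this check the rm -rf below
# would wipe whatever ./ca and ./certs happen to exist in the current
# directory, and an existing CA would be destroyed before openssl fails on the
# missing configuration.
if [[ ! -f etc/ca-ssl.conf || ! -f etc/server-ssl.conf ]]; then
  echo "error: etc/ca-ssl.conf and etc/server-ssl.conf not found; run from the PKI directory" >&2
  exit 1
fi

#######################################
# Creates the empty on-disk state `openssl ca` needs for one CA.
# Arguments: $1 - CA name (root-ca or signing-ca)
# Outputs:   ca/<name>/{private,db}, empty index files, serial files at 01
#######################################
init_ca_layout() {
  local ca=$1
  mkdir -p "ca/${ca}/private" "ca/${ca}/db" crl certs
  # Only the owner may enter the directory that holds the CA private key.
  chmod 700 "ca/${ca}/private"
  # Start with an empty certificate database and attribute file.
  cp /dev/null "ca/${ca}/db/${ca}.db"
  cp /dev/null "ca/${ca}/db/${ca}.db.attr"
  # First certificate serial and first CRL number.
  echo 01 > "ca/${ca}/db/${ca}.crt.srl"
  echo 01 > "ca/${ca}/db/${ca}.crl.srl"
}

# --one-file-system keeps the recursive delete from crossing mount points.
rm -rf --one-file-system ca certs

# ---- Root CA ---------------------------------------------------------------
init_ca_layout root-ca

# CA=... is passed through the environment; presumably etc/ca-ssl.conf reads
# it to select the per-CA paths -- confirm against the config file.
CA=root-ca openssl req -new \
  -config etc/ca-ssl.conf \
  -out ca/root-ca.csr \
  -keyout ca/root-ca/private/root-ca.key

# -selfsign: the root certificate is signed with the root CA's own key.
# -batch: sign without asking for interactive confirmation.
CA=root-ca openssl ca -batch -name root_ca -selfsign \
  -config etc/ca-ssl.conf \
  -in ca/root-ca.csr \
  -out ca/root-ca.crt \
  -extensions root_ca_ext

# ---- Signing (intermediate) CA ---------------------------------------------
init_ca_layout signing-ca

CA=signing-ca openssl req -new \
  -config etc/ca-ssl.conf \
  -out ca/signing-ca.csr \
  -keyout ca/signing-ca/private/signing-ca.key

# The signing CA certificate is issued by the root CA, hence CA=root-ca here.
CA=root-ca openssl ca -batch -name root_ca \
  -config etc/ca-ssl.conf \
  -in ca/signing-ca.csr \
  -out ca/signing-ca.crt \
  -extensions signing_ca_ext

# ---- Server certificate for test.local -------------------------------------
# NOTE(review): the server private key, CSR, certificate and chain use fixed
# names in world-writable /tmp. The paths are kept because the nginx
# configuration presumably references them; a directory writable only by the
# service owner would be the safer home for the key.
#
# Remove any key left by a previous run so the new file is created under the
# restrictive umask below instead of inheriting the old file's mode. If the
# stale file belongs to another user the rm fails and set -e aborts the run,
# which is preferable to writing a private key into a file someone else owns.
rm -f -- /tmp/nginx.key
(
  # Subshell so the tightened umask applies to the key and CSR only; nothing
  # created here is readable by group or others.
  umask 077
  # SAN and CN are presumably consumed by etc/server-ssl.conf -- confirm.
  SAN=DNS:test.local \
  CN=test.local \
    openssl req -new \
      -config etc/server-ssl.conf \
      -out /tmp/nginx.csr \
      -keyout /tmp/nginx.key
)

CA=signing-ca openssl ca -batch -name signing_ca \
  -config etc/ca-ssl.conf \
  -in /tmp/nginx.csr \
  -out /tmp/nginx.crt \
  -extensions server_ext

# Chain order: leaf first, then the signing CA, then the root.
cat /tmp/nginx.crt ca/signing-ca.crt ca/root-ca.crt > /tmp/nginx.chain

sudo systemctl restart nginx

# End-to-end check: trust only the freshly generated root, so the request
# succeeds only if nginx serves a chain that validates against it.
curl -Ss https://test.local --cacert ca/root-ca.crt

exit 0

# ---- Reference only: never executed (placed after the exit above) ----------
# Revocation of a certificate issued by the signing CA.
openssl ca \
  -config etc/ca-ssl.conf \
  -revoke ca/signing-ca/01.pem \
  -crl_reason superseded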