openssl | create a trusted root CA | generate a self-signed cert

This shell script creates an intermediate Certificate Authority (CA) with OpenSSL. It generates a private key and a CSR for the intermediate, has the root CA sign the intermediate certificate, and then builds a certificate chain file by concatenating the intermediate CA's certificate with the root CA's certificate.

Cell 1

```bash
ROOT=/Users/briancullinan/jupytangular2/Utilities/ca

# prepare intermediate CA
mkdir $ROOT/intermediate
cd $ROOT/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > $ROOT/intermediate/crlnumber

# create intermediate configuration
cp $ROOT/openssl.cnf $ROOT/intermediate/openssl.cnf
echo "
[ CA_default ]
dir             = /Users/briancullinan/jupytangular2/Utilities/ca/intermediate
private_key     = \$dir/private/intermediate.key.pem
certificate     = \$dir/certs/intermediate.cert.pem
crl             = \$dir/crl/intermediate.crl.pem
policy          = policy_loose
" >> $ROOT/intermediate/openssl.cnf

# intermediate private CA key
cd $ROOT
openssl genrsa -aes256 -passout pass:x \
      -out intermediate/private/intermediate.key.pem 4096
# create an intermediate CSR
cd $ROOT
openssl req -config intermediate/openssl.cnf -new -sha256 \
      -passin pass:x \
      -subj "/C=US/ST=Who/L=Is/O=John/OU=Galt/CN=localhost" \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem
# sign the intermediate cert with the root CA
cd $ROOT

openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -passin pass:x \
      -batch \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem

chmod 744 intermediate/certs/intermediate.cert.pem
# verify intermediate CA
openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem

openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem

# create certificate chain
cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 744 intermediate/certs/ca-chain.cert.pem
```

What the code could have been:

```bash
#!/bin/bash
# Abort on the first failing command, unset variable or failed pipeline stage,
# so a failed cd or key generation cannot silently continue.
set -euo pipefail

# Define constants
ROOT="/Users/briancullinan/jupytangular2/Utilities/ca"
PRIVATE_KEY_PASS="x"
ROOT_CA_CERT="${ROOT}/certs/ca.cert.pem"

# Create intermediate CA directory
mkdir -p "${ROOT}/intermediate"
cd "${ROOT}/intermediate"

# Create intermediate CA structure
mkdir -p certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > "${ROOT}/intermediate/crlnumber"

# Create intermediate configuration
cp "${ROOT}/openssl.cnf" "${ROOT}/intermediate/openssl.cnf"

# Append configuration for intermediate CA
echo "
[ CA_default ]
dir             = ${ROOT}/intermediate
private_key     = \$dir/private/intermediate.key.pem
certificate     = \$dir/certs/intermediate.cert.pem
crl             = \$dir/crl/intermediate.crl.pem
policy          = policy_loose
" >> "${ROOT}/intermediate/openssl.cnf"

# Generate intermediate private CA key
openssl genrsa -aes256 -passout "pass:${PRIVATE_KEY_PASS}" \
      -out "${ROOT}/intermediate/private/intermediate.key.pem" 4096

# Create an intermediate CSR
openssl req -config "${ROOT}/intermediate/openssl.cnf" -new -sha256 \
      -passin "pass:${PRIVATE_KEY_PASS}" \
      -subj "/C=US/ST=Who/L=Is/O=John/OU=Galt/CN=localhost" \
      -key "${ROOT}/intermediate/private/intermediate.key.pem" \
      -out "${ROOT}/intermediate/csr/intermediate.csr.pem"

# Sign the intermediate cert with the root CA
openssl ca -config "${ROOT}/openssl.cnf" -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -passin "pass:${PRIVATE_KEY_PASS}" \
      -batch \
      -in "${ROOT}/intermediate/csr/intermediate.csr.pem" \
      -out "${ROOT}/intermediate/certs/intermediate.cert.pem"

# Update permissions
chmod 744 "${ROOT}/intermediate/certs/intermediate.cert.pem"

# Verify intermediate CA
echo "Intermediate CA Certificate:"
openssl x509 -noout -text \
      -in "${ROOT}/intermediate/certs/intermediate.cert.pem"

echo "Verify intermediate CA certificate:"
openssl verify -CAfile "${ROOT_CA_CERT}" \
      "${ROOT}/intermediate/certs/intermediate.cert.pem"

# Create certificate chain (intermediate first, root last)
cat "${ROOT}/intermediate/certs/intermediate.cert.pem" \
      "${ROOT_CA_CERT}" > "${ROOT}/intermediate/certs/ca-chain.cert.pem"

# Update permissions
chmod 744 "${ROOT}/intermediate/certs/ca-chain.cert.pem"
```

Code Breakdown

This shell script creates an intermediate Certificate Authority (CA) signed by the root CA using OpenSSL. The script consists of the following sections:

1. Directory Setup

2. Intermediate Configuration

3. Intermediate Private Key and CSR

4. Signing Intermediate Certificate

5. Verification

6. Certificate Chain Creation

The script uses the following commands:

1. openssl genrsa: generate the AES-256-encrypted 4096-bit intermediate private key

2. openssl req: build the intermediate CSR from that key

3. openssl ca: sign the CSR with the root CA, applying the v3_intermediate_ca extensions for 3650 days

4. openssl x509: print the resulting certificate for inspection

5. openssl verify: check the intermediate certificate against the root certificate

6. cat and chmod: assemble the chain file and set file permissions

The script assumes that the OpenSSL configuration file openssl.cnf is present in the root CA directory ($ROOT) and that the root CA's private key and certificate are available, the certificate at certs/ca.cert.pem.
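The verification and chain-creation steps above are the ones worth checking: the intermediate must carry CA:TRUE and keyCertSign (what -extensions v3_intermediate_ca provides), and a leaf issued by the intermediate only validates when the chain file is supplied. The following is an added example, not the notebook's own code: it builds a throwaway root, intermediate and leaf in a temp directory with `openssl x509 -req` and -extfile (so no openssl.cnf is needed) and checks those properties. It assumes `openssl` is on PATH; all names and subjects are constructed.

```shell
#!/bin/sh
# Added example, not the notebook's own code: throwaway root -> intermediate -> leaf
# hierarchy in a temp dir, used to check what the notebook's ca-chain.cert.pem is for.
# Assumes `openssl` is on PATH; all file names and subjects are constructed.
set -eu

# Key + CSR for base path $1 with subject $2.
new_csr() { openssl req -newkey rsa:2048 -nodes -sha256 -subj "$2" -keyout "$1.key" -out "$1.csr"; }

# Build root, intermediate (pathlen:0, like a v3_intermediate_ca section), leaf and chain in $1.
build_pki() {
  d="$1"; mkdir -p "$d"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > "$d/root.ext"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' 'keyUsage=critical,keyCertSign,cRLSign' > "$d/int.ext"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=critical,digitalSignature' > "$d/leaf.ext"
  new_csr "$d/root" '/CN=Test Root'
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.pem"
  new_csr "$d/int" '/CN=Test Intermediate'
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/int.ext" -out "$d/int.pem"
  new_csr "$d/leaf" '/CN=localhost'
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem"
  # Same order as the notebook's cat: intermediate first, root last.
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# 0 if $1 is a CA certificate allowed to sign certificates.
is_ca_cert() {
  t=$(openssl x509 -noout -text -in "$1")
  echo "$t" | grep -q 'CA:TRUE' && echo "$t" | grep -q 'Certificate Sign'
}

# 0 if the leaf verifies when the chain file is supplied, as a TLS server would send it.
leaf_verifies_with_chain() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" >/dev/null 2>&1; }

# 0 if the leaf verifies against the root alone. Expected to fail: without the
# intermediate the verifier cannot build the path, which is why the chain file exists.
leaf_verifies_without_chain() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1; }

WORK=$(mktemp -d)
build_pki "$WORK" >/dev/null 2>&1
is_ca_cert "$WORK/int.pem" && echo "intermediate is a signing CA"
leaf_verifies_with_chain "$WORK" && echo "leaf verifies with the chain file"
leaf_verifies_without_chain "$WORK" || echo "leaf does NOT verify without the intermediate"
```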