Create SERVER and CLIENT certificates from intermediate CA.

gistfile1.txt

Create CA structure:
https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html

cd ~/ca

#For SERVER Cert
#===============

NAME=workstation002.example.com

# Create a key
openssl genrsa \
      -out intermediate/private/${NAME}.key.pem 2048

# Create CSR
openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/${NAME}.key.pem \
      -new -sha256 -subj "/C=ES/O=CA Pruebas/CN=${NAME}" \
	  -addext "subjectAltName = DNS:${NAME}" \
	  -out intermediate/csr/${NAME}.csr.pem

# Sign CSR
#If the certificate is going to be used on a server, use the server_cert
openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/${NAME}.csr.pem \
      -out intermediate/certs/${NAME}.cert.pem


# Create PKCS12
openssl pkcs12 -export -inkey intermediate/private/${NAME}.key.pem \
      -in intermediate/certs/${NAME}.cert.pem \
	  -out intermediate/private/${NAME}.p12 \
	  -name ${NAME}




#For CLIENT Cert
#===============

NAME=workstation002

# Create a key
openssl genrsa \
      -out intermediate/private/${NAME}.key.pem 2048

# Create CSR
openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/${NAME}.key.pem \
      -new -sha256 -subj "/C=ES/O=WebPadlock/CN=${NAME}" \
	  -out intermediate/csr/${NAME}.csr.pem


# Sign CSR
#If the certificate is going to be used on a server, use the server_cert
openssl ca -config intermediate/openssl.cnf \
      -extensions usr_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/${NAME}.csr.pem \
      -out intermediate/certs/${NAME}.cert.pem

# Create PKCS12
openssl pkcs12 -export -inkey intermediate/private/${NAME}.key.pem \
      -in intermediate/certs/${NAME}.cert.pem \
	  -out intermediate/private/${NAME}.p12 \
	  -name ${NAME}