OpenSSL certificate chain

openssl_certificate_chain.sh

#!/bin/bash

# Original source: https://smartnets.wordpress.com/2017/04/27/create-certificate-chain-and-sign-certificates-using-openssl/
# RootCA.crt and IntermediateCA.crt must be manually trusted in the certificate store
# The Server.pfx is optional and can be imported directly in IIS certificates settings
# The Server.csr is optional

openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 1826 -key RootCA.key -out RootCA.crt
openssl genrsa -out IntermediateCA.key 4096
openssl req -new -key IntermediateCA.key -out IntermediateCA.csr
openssl x509 -req -days 1000 -in IntermediateCA.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out IntermediateCA.crt
openssl genrsa -out Server.key 2048
openssl req -new -key Server.key -out Server.csr
openssl x509 -req -days 1000 -in Server.csr -CA IntermediateCA.crt -CAkey IntermediateCA.key -set_serial 0101 -out Server.crt -sha1
openssl pkcs12 -export -out Server.pfx -inkey Server.key -in Server.crt -certfile IntermediateCA.crt
openssl x509 -x509toreq -in Server.crt -out Server.csr -signkey Server.key