#!/bin/bash
cat > openssl.cnf <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = ./ca
certs = \$dir\certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/private/.rand
private_key = \$dir/private/ca.key.pem
certificate = \$dir/certs/ca.cert.pem
crlnumber = \$dir/crlnumber
crl = \$dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOF
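# Strict mode: any failing step aborts the script. In particular a failing
# `mkdir ca` (a CA already exists here) must stop us, instead of silently
# re-generating the root key over the old one and resetting the serial counter,
# which is what the unchecked original did on a second run.
set -euo pipefail

mkdir ca
cd ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

# Self-signed root CA. -nodes leaves the private key unencrypted on disk; the
# 0700 directory and the chmod below are its only protection, so this is for
# lab/test CAs only. The root must outlive everything it signs: openssl.cnf
# issues leaf certificates for default_days = 375, which exceeded the original
# 365-day root validity, so the root now gets 3650 days.
openssl req -config ../openssl.cnf -x509 -newkey rsa:4096 \
  -keyout private/ca.key.pem -out certs/ca.cert.pem \
  -extensions v3_ca -sha256 -days 3650 \
  -subj '/CN=My Corp Root CA' -nodes
chmod 600 private/ca.key.pem
cd ..

# End-entity key and CSR. 2048-bit RSA matches default_bits in openssl.cnf;
# the original 1024-bit key is below current minimum key sizes. The duplicate
# -nodes flag of the original is dropped.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout something.key.pem -out something.csr.pem -subj '/CN=something'

# Sign the CSR with the CA. NOTE(review): [ca_default] sets no x509_extensions
# and no -extensions is passed, so per openssl-ca(1) the issued certificate is
# a V1 certificate with no extensions at all (no basicConstraints, keyUsage or
# subjectAltName). Add a leaf extension section to openssl.cnf and pass
# -extensions here before using these certificates for TLS.
openssl ca -batch -config openssl.cnf -out something.cert.pem -infiles something.csr.pem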