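---
creation date: 2023-11-23
tags: [cert,ssl,openssl,server,linux]
---
```shell
#!/usr/bin/env bash
#
# Based on https://gist.github.com/mtigas/952344
#
# Creates a private root CA and one client certificate for TLS client
# authentication, then bundles the client key and certificate into a
# PKCS#12 file that can be imported into a browser.
#
# Files written to the current directory:
#   ca.key, ca.pem              CA private key and self-signed certificate
#   ${CLIENT_ID}.key            client private key
#   ${CLIENT_ID}.csr            client certificate signing request
#   ${CLIENT_ID}.pem            client certificate signed by the CA
#   ${CLIENT_ID}.full.pem       client key + client certificate + CA certificate
#   ${CLIENT_ID}.full.pfx       PKCS#12 bundle of the client key and certificates
#
# Security notes:
#   - Every private key here is stored WITHOUT a passphrase. The umask below
#     keeps the files owner-only, but anyone who can read ca.key can issue
#     client certificates that the server will accept. The server only needs
#     ca.pem, so keep ca.key on a separate, protected machine.
#   - Every certificate issued under the same CA needs its own CLIENT_SERIAL.
#   - Certificates are valid for 3650 days and this script sets up no
#     revocation list, so plan how a lost client key will be distrusted.
#   - The client certificate is signed without an extensions file, so it
#     carries no extendedKeyUsage restriction.

# Stop at the first failing command so a broken CA step never feeds later ones.
set -euo pipefail

# New files are readable by the owner only. This also applies to the public
# certificates; relax their mode afterwards if another user must read them.
umask 077

CLIENT_ID="user"
CLIENT_SERIAL="01"

echo "Create a Certificate Authority root"
# Generate the unencrypted key directly: no throwaway passphrase on the
# command line and no intermediate encrypted key file to clean up.
openssl genrsa -out ca.key 4096
openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.pem

echo "Create the Client Key and CSR"
openssl genrsa -out "${CLIENT_ID}.key" 4096
openssl req -new -sha256 -key "${CLIENT_ID}.key" -out "${CLIENT_ID}.csr"
openssl x509 -req -sha256 -days 3650 \
  -in "${CLIENT_ID}.csr" \
  -CA ca.pem -CAkey ca.key \
  -set_serial "${CLIENT_SERIAL}" \
  -out "${CLIENT_ID}.pem"

# This bundle contains the client private key; handle it like the key itself.
cat -- "${CLIENT_ID}.key" "${CLIENT_ID}.pem" ca.pem > "${CLIENT_ID}.full.pem"

echo "Bundle client key into a PFX file"
# openssl prompts for an export password here; choose a real one, because the
# PFX file is what gets copied to the client machine.
openssl pkcs12 -export \
  -out "${CLIENT_ID}.full.pfx" \
  -inkey "${CLIENT_ID}.key" \
  -in "${CLIENT_ID}.pem" \
  -certfile ca.pem

echo "use ca.pem on nginx, import ${CLIENT_ID}.full.pfx into browser"
```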