1. Information

2. Build

3. Configuration

4. Create Certificate Authority

Create CA directory structure.
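sudo mkdir -p /etc/ssl/delta/{certs,crl,csr,newcerts,private}
        # certs     issued certificates.
        # crl       the CRLs we publish (revoked certificates are listed there).
        # csr       incoming requests.
        # newcerts  "openssl ca" drops a copy of every issued certificate here, named <serial>.pem.
        # private   the CA private key. Nothing else goes here.
        # index.txt, serial and crlnumber are OpenSSL's database files (created below).
# Root only. Re-check this after every restore.
sudo chmod 700 /etc/ssl/delta/private
# Work on a copy of the system config; never edit /etc/ssl/openssl.cnf itself.
sudo cp -a /etc/ssl/openssl.cnf /etc/ssl/delta
        # [ CA_default ]
        # Set "dir" to: /etc/ssl/delta
        # Set "default_days" to: 3650
        #   NOTE: this is also the default validity of certificates issued with
        #   "openssl ca" -- pass -days explicitly when signing end-entity certificates.
        # Set "default_md" to: sha256
        # Keep "certificate = $dir/cacert.pem" and "private_key = $dir/private/cakey.pem":
        #   the key and root-certificate commands below write to exactly those paths.
        # Keep "x509_extensions" pointing at a CA:FALSE profile (usr_cert in the stock
        #   Debian file) so issued certificates cannot act as CAs themselves.
        # [ req_distinguished_name ]
        # Set "countryName_default" to: NL
        # Set "stateOrProvinceName_default" to: Friesland
        # Set "0.organizationName_default" to: Delta Software Labs
        # Set "organizationalUnitName_default" to: IT Department

# Database files. Serial numbers are hex with an even number of digits.
echo 1000 | sudo tee /etc/ssl/delta/serial
# Required, not optional: the stock config sets "crlnumber = $dir/crlnumber" and
# "openssl ca -gencrl" fails when that file is missing.
echo 1000 | sudo tee /etc/ssl/delta/crlnumber
sudo touch /etc/ssl/delta/index.txt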

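# ~/my-ca/ca.cnf file
# This variant keeps the CA under $HOME (no sudo). Create the same layout as the
# /etc/ssl/delta variant first; "openssl ca" needs every file to exist.
mkdir -p ~/my-ca/{certs,crl,csr,newcerts,private}
chmod 700 ~/my-ca/private
touch ~/my-ca/index.txt
echo 1000 > ~/my-ca/serial
echo 1000 > ~/my-ca/crlnumber
# Quoted delimiter: with a bare EOF the shell would expand "$dir/certs" to
# "/certs" (and so on) before OpenSSL ever reads the file.
cat > ~/my-ca/ca.cnf << 'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
# OpenSSL does not expand "~"; $ENV::HOME is the supported way to say "under $HOME".
dir             = $ENV::HOME/my-ca      # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
new_certs_dir   = $dir/newcerts         # Default place for new certs.
database        = $dir/index.txt        # database index file.
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl/ca.crl.pem   # The current CRL
private_key     = $dir/private/ca.key.pem # The private key
certificate     = $dir/certs/ca.crt.pem # The CA certificate
policy          = policy_strict
# Profile applied to certificates issued with "openssl ca" (overridable with
# -extensions). It must be the end-entity profile: v3_ca here would turn every
# issued certificate into a CA able to sign further certificates.
x509_extensions = v3_req
# Without "copy_extensions = copy" a subjectAltName in the CSR is dropped; if you
# enable it, review each CSR's extensions before confirming the signature.
default_days    = 365                   # How long to certify for
default_crl_days = 30                   # How long before next CRL
default_md      = sha256                # Use SHA-256 for digests
preserve        = no                    # Keep passed DN ordering

# Used by "openssl req -config ca.cnf" when self-signing the root. req looks up
# distinguished_name even when -subj supplies the whole DN, so the section must exist.
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]

# C, ST and O of every request must equal the CA certificate's values, so the
# root certificate itself has to carry those three fields.
[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Root certificate profile.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# End-entity profile. Add extendedKeyUsage (serverAuth / clientAuth) and
# subjectAltName once the kind of certificate this CA issues is decided.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF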

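# Generate CA private key (RSA-4096, AES-256 pass-phrase protected).
# genrsa creates the file with umask permissions -- restrict it right away;
# the 700 private/ directory is a second layer, not a substitute.
sudo openssl genrsa -aes256 -out /etc/ssl/myca/private/ca.key 4096
sudo chmod 400 /etc/ssl/myca/private/ca.key
        openssl genrsa -aes256 -out ~/my-ca/private/ca.key.pem 4096
        chmod 400 ~/my-ca/private/ca.key.pem
                sudo openssl genrsa -aes256 -out /etc/ssl/delta/private/cakey.pem 4096
                sudo chmod 400 /etc/ssl/delta/private/cakey.pem
                # Enter PEM pass phrase:

# Generate CA root certificate (self-signed, 10 years).
# sudo: the key is root-only. "-nodes" removed -- it only affects a key that req
# generates itself; this key is already encrypted and req prompts for its pass phrase.
sudo openssl req -x509 -new -key /etc/ssl/myca/private/ca.key -sha256 -days 3650 -out /etc/ssl/myca/certs/ca.crt
        # policy_strict in ca.cnf says C, ST and O of each request must *match* the
        # CA certificate, so the root needs those fields: a CN-only root makes every
        # later "openssl ca" refuse to sign. Values taken from the config step above.
        # (ca.cnf must also have a [ req ] section with distinguished_name, or req
        # stops with "unable to find 'distinguished_name' in config".)
        openssl req -config ~/my-ca/ca.cnf -new -x509 -days 3650 -sha256 -extensions v3_ca -key ~/my-ca/private/ca.key.pem -out ~/my-ca/certs/ca.crt.pem -subj "/C=NL/ST=Friesland/O=Delta Software Labs/CN=My Root CA"
                # -config is the edited copy from step 4 (openssl.cnf; "opensl.conf" was a
                # typo and the command would fail to load it). Validity comes from its
                # default_days (3650); -out matches the stock "certificate = $dir/cacert.pem".
                sudo openssl req -new -x509 -sha256 \
                        -config /etc/ssl/delta/openssl.cnf \
                        -key /etc/ssl/delta/private/cakey.pem \
                        -out /etc/ssl/delta/cacert.pem \
                        -subj "/C=NL/ST=Friesland/L=Poppenwier/O=Delta Software Labs/CN=Delta Root CA"
                        # Enter the pass phrase.

                # Verify before using it: expect CA:TRUE, Certificate Sign, CRL Sign and
                # the intended Not After date.
                sudo openssl x509 -in /etc/ssl/delta/cacert.pem -noout -text

                # Save pass phrase in KeePass Password Manager. Without it the CA can
                # never sign or revoke again and every issued certificate must be replaced.

# Database files for the /etc/ssl/myca layout. The directory is root-owned, so a
# plain ">" redirection (which runs as your user) fails; crlnumber is needed by
# -gencrl whenever the config names one (the stock file does).
echo 1000 | sudo tee /etc/ssl/myca/serial
echo 1000 | sudo tee /etc/ssl/myca/crlnumber
sudo touch /etc/ssl/myca/index.txt

# Backup. Run as root: an unprivileged tar cannot read private/ (mode 700) and
# leaves the archive without the CA key (with errors and a non-zero exit).
# The archive contains the CA key -- pass-phrase protected, but still the crown
# jewels -- and lands in cloud-synced storage: encrypt it before it syncs (e.g.
# gpg --symmetric) and keep the pass phrase somewhere else. tar strips the
# leading "/", so restore with "tar ... -C /".
sudo tar cfz /mnt/c/Users/Douwe/Dropbox/delta-ca.tgz /etc/ssl/delta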

5. Certificate Signing and Revocation

# Create a Certificate Signing Request (CSR): On the server or client needing a certificate, generate its private key and CSR using openssl.

# Sign the CSR with the CA.
openssl ca -config /etc/ssl/openssl.cnf -in server.csr -out /etc/ssl/myca/certs/server.crt -days 365
        openssl ca -config ~/my-ca/ca.cnf -in <csr_file> -out <cert_file>.

# Revoke a certificate.
openssl ca -config /etc/ssl/openssl.cnf -revoke /etc/ssl/myca/certs/server.crt
        openssl ca -config ~/my-ca/ca.cnf -revoke ~/my-ca/newcerts/client.crt.pem

# Update CRL after revocation.
openssl ca -config ~/my-ca/ca.cnf -gencrl -out ~/my-ca/crl/ca.crl.pem

# Backup.
tar cfz /mnt/c/Users/Douwe/Dropbox/delta-ca.tgz /etc/ssl/delta

6. CRL Generation and Distribution

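# Generate the CRL. Re-issue it on every revocation AND before the current one
# expires (default_crl_days = 30 in ca.cnf): clients reject a stale CRL -- or,
# if they fail open, keep trusting revoked certificates.
# NOTE(review): the first command uses the unedited system config, whose "dir"
# defaults to ./demoCA; point -config at the copy edited for this CA.
sudo openssl ca -config /etc/ssl/openssl.cnf -gencrl -out /etc/ssl/myca/crl/crl.pem
        openssl ca -config ~/my-ca/ca.cnf -gencrl -out ~/my-ca/crl/ca.crl.pem

# Inspect: revoked serials, Last Update / Next Update.
openssl crl -in ~/my-ca/crl/ca.crl.pem -noout -text

# Distribute the CRL:
# Copy the CRL to every server and client that validates certificates from this
# CA, into the location their software reads (web servers, VPN daemons, ...).
# Publishing it over HTTP at a stable URL, and putting that URL into issued
# certificates via crlDistributionPoints (the ca.cnf above sets none), lets
# clients fetch updates themselves.

# Update applications:
# Point each application at the CRL and turn CRL checking on -- a CRL nobody
# consults revokes nothing.

# Backup. Run as root (private/ is mode 700); encrypt before it syncs to the cloud.
sudo tar cfz /mnt/c/Users/Douwe/Dropbox/delta-ca.tgz /etc/ssl/delta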

7. Restore Certificate Authority

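# Restore. Check the archive is readable BEFORE wiping the live CA, and extract
# relative to / -- tar stored the paths without the leading "/", so a plain
# "tar xfz" run from $HOME would recreate ./etc/ssl/delta there instead.
# If the archive is stored encrypted, decrypt it to a root-only temporary file first.
sudo tar tfz /mnt/c/Users/Douwe/Dropbox/delta-ca.tgz > /dev/null \
        && sudo rm -rf /etc/ssl/delta \
        && sudo tar xzpf /mnt/c/Users/Douwe/Dropbox/delta-ca.tgz -C /
# Re-assert the permissions that matter most, whatever the archive carried.
sudo chmod 700 /etc/ssl/delta/private
sudo chmod 400 /etc/ssl/delta/private/cakey.pem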