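#!/usr/bin/env bash
# Two-tier private CA walkthrough: a root CA, an intermediate CA that signs
# server/client certificates, and the HAProxy PEM / PKCS#12 bundles.
# Runs as root: every step below writes under /etc/ssl/ca without sudo.
# The two openssl.cnf files referenced below are not part of this file and must
# be installed before the steps that use them.
# mkdir deliberately fails (and, under -e, stops the script) when the CA
# directory already exists, so an existing CA is never overwritten.
set -euo pipefail

# --- Creating the root pair ---------------------------------------------------

# Create the CA directory layout.
mkdir /etc/ssl/ca
cd /etc/ssl/ca || exit 1
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

# Configuration file: edit https://paste.ee/p/HNaSG to your needs and copy it
# to /etc/ssl/ca as openssl.cnf.

# Create the root key (passphrase-protected; genrsa prompts for it).
openssl genrsa -aes256 -out private/TrustedRoot.key 4096
chmod 400 private/TrustedRoot.key

# Create the self-signed root certificate (v3_ca extensions from openssl.cnf).
openssl req -config openssl.cnf -key private/TrustedRoot.key -new -x509 \
  -days 9000 -sha256 -extensions v3_ca -out certs/TrustedRoot.crt
chmod 444 certs/TrustedRoot.crt

# Verify the root certificate.
openssl x509 -noout -text -in certs/TrustedRoot.crt

# --- Creating the intermediate pair -------------------------------------------

mkdir /etc/ssl/ca/intermediate
cd /etc/ssl/ca/intermediate || exit 1
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > /etc/ssl/ca/intermediate/crlnumber

# Configuration file: edit https://paste.ee/p/uoVQW to your needs and copy it
# to /etc/ssl/ca/intermediate as openssl.cnf.

# Creating the intermediate key (run from the root CA directory).
cd /etc/ssl/ca || exit 1
openssl genrsa -aes256 -out intermediate/private/HAProxy_Intermediate_CA.key 4096
chmod 400 intermediate/private/HAProxy_Intermediate_CA.key

# Creating the intermediate certificate: the CSR uses the intermediate config,
# the signing uses the ROOT config (openssl.cnf, v3_intermediate_ca extensions).
openssl req -config intermediate/openssl.cnf -new -sha256 \
  -key intermediate/private/HAProxy_Intermediate_CA.key \
  -out intermediate/csr/HAProxy_Intermediate_CA.csr
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 \
  -notext -md sha256 \
  -in intermediate/csr/HAProxy_Intermediate_CA.csr \
  -out intermediate/certs/HAProxy_Intermediate_CA.crt
chmod 444 intermediate/certs/HAProxy_Intermediate_CA.crt

# Verify the intermediate certificate against the root.
openssl x509 -noout -text -in intermediate/certs/HAProxy_Intermediate_CA.crt
openssl verify -CAfile certs/TrustedRoot.crt \
  intermediate/certs/HAProxy_Intermediate_CA.crt
# Expected output: intermediate/certs/HAProxy_Intermediate_CA.crt: OK

# Create the chain-of-trust file (intermediate first, then root).
cat intermediate/certs/HAProxy_Intermediate_CA.crt certs/TrustedRoot.crt \
  > intermediate/certs/ca-chain.pem
chmod 444 intermediate/certs/ca-chain.pem

# --- Sign server and client certificates --------------------------------------

# Create a key. Omit the -aes256 option to create a key without a passphrase.
openssl genrsa -aes256 -out intermediate/private/mail.example.com.key 2048
chmod 400 intermediate/private/mail.example.com.key

# Create a certificate request.
# When prompted for Common Name while creating a server certificate, use a
# FQDN. For client certificates you can use whatever you want.
openssl req -config intermediate/openssl.cnf \
  -key intermediate/private/mail.example.com.key -new -sha256 \
  -out intermediate/csr/mail.example.com.csr

# Use -extensions server_cert when creating server certificates and usr_cert
# when creating user certificates. Signed by the INTERMEDIATE
# (intermediate/openssl.cnf).
# NOTE(review): 3650 days is a long lifetime for a leaf certificate; some TLS
# clients reject server certificates valid for more than 825 days — confirm
# against the clients you need to support.
openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 3650 \
  -notext -md sha256 \
  -in intermediate/csr/mail.example.com.csr \
  -out intermediate/certs/mail.example.com.crt
chmod 444 intermediate/certs/mail.example.com.crt

# Verify the certificate. In the output the Issuer should be the intermediate
# certificate and the Subject should be the certificate itself.
openssl x509 -noout -text -in intermediate/certs/mail.example.com.crt
openssl verify -CAfile intermediate/certs/ca-chain.pem \
  intermediate/certs/mail.example.com.crt
# Expected output: intermediate/certs/mail.example.com.crt: OK

# --- Create PEM file (HAProxy bundle) -----------------------------------------

# Remove the passphrase from the private key and build the bundle.
# The unencrypted key, and the PEM bundle that embeds it, are as sensitive as
# the original key: create them under a restrictive umask so they are never
# world-readable (not even between creation and chmod), and write the bundle
# with a plain redirection — piping it through tee would also print the key to
# the terminal, and sudo is unnecessary because this already runs as root.
(
  umask 077
  openssl rsa -in intermediate/private/mail.example.com.key \
    -out intermediate/private/mail.example.com-nopass.key
  cat intermediate/private/mail.example.com-nopass.key \
    intermediate/certs/mail.example.com.crt \
    intermediate/certs/HAProxy_Intermediate_CA.crt \
    certs/TrustedRoot.crt \
    > intermediate/certs/mail.example.com.pem
)
chmod 400 intermediate/private/mail.example.com-nopass.key
chmod 400 intermediate/certs/mail.example.com.pem

# --- Create PKCS#12 / PFX file after creating a user certificate --------------

# client.crt / client.key stand for a key and certificate issued with the steps
# above using -extensions usr_cert; openssl pkcs12 prompts for an export
# password that protects the bundle.
openssl pkcs12 -export -clcerts \
  -in intermediate/certs/client.crt \
  -inkey intermediate/private/client.key \
  -out intermediate/certs/client.p12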