+ iname="example.$tld"
+ idir=$iname
+
+####
+ # create CAs & server certs
+ rm -fr "$idir"
+
+ # create CA cert + templates
+ # -D dir to work in
+ # -p passwd for cert
+ # -B keysize in bits
+ # -I create CA cert
+ # -N org name
+ # -F create sub-signing cert
+ # -C CRL
+ # -O create OCSP responder cert
+ # -3 Authority key ID extension
+ # -8 Subject Alternate Names
+
+ clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/
+
+ # create server leaf certs
+ # -m <months>
+ clica $V -D $idir -p password -s 101 -S server1.$iname -m $diff_months \
+ -8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
+ clica $V -D $idir -p password -s 102 -S revoked1.$iname -m $diff_months
+ clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
+
+ clica $V -D $idir -p password -s 201 -S server2.$iname -m $diff_months \
+ -3 "CN=clica CA rsa,O=example.$tld" -8 '*.test.ex'
+ clica $V -D $idir -p password -s 202 -S revoked2.$iname -m $diff_months
+ clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1
+
+####
+
+ # openssl seems to generate a file (ca_chain.pam) in an order it
+ # cannot then use (the key applies to the first cert in the file?).
+ # Generate a shuffled one.
+ for n in 1 2
+ do
+ cd $idir/server$n.$iname
+ openssl pkcs12 -in server$n.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
+ cat server$n.$iname.pem cacerts.pem > fullchain.pem
+ rm cacerts.pem
+ cd ../..
+ done
+
+####
+
+ # generate unlocked keys and client cert bundles
+ for server in server1 revoked1 expired1 server2 revoked2 expired2
+ do
+ SDIR=$idir/$server.$iname
+ SPFX=$SDIR/$server.$iname
+ openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
+ cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
+ done
+
+####
+
+ # create OCSP reqs & resps
+ CADIR=$idir/CA
+