FIN: backwards compatibility with client/server changes

src/pki_bootstrap/pki_bootstrap.sh

@@ -129,7 +129,7 @@ gen_lc_ca_i() {
   cd $FQ_DIR_LC
   # generate new CA-I
   ca-i_gen_pki $ORG_URL 1001 2
-  ca-i_gen_pki $ORG_URL 2001 5
+  # ca-i_gen_pki $ORG_URL 2001 5
   # ca-i_gen_pki $ORG_URL 3001 8
 }
 

src/pki_bootstrap/res/cnf/vpn.backchannel.es.cnf

@@ -0,0 +1,55 @@
+#
+#
+#  IMPORTANT INFO
+#
+#
+[ v3_server ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "ACME Corp"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+#subjectAltName = IP:192.168.123.129
+
+[ alt_names ]
+DNS.1 = "vpn.backchannel.es"
+
+#
+#
+# FORCED TO INCLUDE THIS JUNK
+#
+#
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+#x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     = State51
+localityName_default            =
+0.organizationName_default      = ACME R&D
+organizationalUnitName_default  =
+emailAddress_default            =
+

src/pki_bootstrap/res/libs/gen_client.sh

@@ -4,7 +4,7 @@
 # 
 # 
 # This function will generate a Client cert
-# IN: UNIQ_ID_CA, SERIAL
+# IN: UNIQ_ID, SERIAL
 #
 
 # source this file to include the functions
@@ -21,7 +21,7 @@ usage() {
   echo
   echo
   echo "Generate a new certificate"
-  echo "  usage:   gen_client.sh  <CA Intermediate> <Org URL> <Serial>"
+  echo "  usage:   gen_client.sh  <Org URL> <Serial #>"
   echo
   echo "  example: gen_client.sh  skunkworks.acme.xyz \\"
   echo "                          10052 \\"
@@ -29,21 +29,18 @@ usage() {
   exit 1
 }
 
-error_no_ca_file() {
-  echo_block "ERROR: missing ca-i.pem"
-  usage
-}
-
 
 main() {
-  if [[ ! -f ca-i.pem ]]; then
-    error_no_ca_file
+  if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
+    echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
+    usage
   fi
-  if [[ ! -f SERIAL ]]; then
-    error_no_serial
+  if [[ ! -f cfg/SERIAL ]]; then
+    echo_block "ERROR: file cfg/SERIAL is missing"
+    usage
   fi
 
-  if [[ -n $PARAM1 ]] || [[ -n $PARAM2 ]]; then
+  if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
     gen_client $PARAM1 $PARAM2
   else
     usage

src/pki_bootstrap/res/libs/gen_server.sh

@@ -1,62 +1,54 @@
 #!/bin/bash
 #
-# Create CA Intermediate
+# Create Server Certificates
 # 
 # 
-# This function will generate a CA Intermediate
-# IN: UNIQ_ID_CA, SERIAL
+# This function will generate a Server cert
+# IN: UNIQ_ID, SERIAL
 #
+
+# source this file to include the functions
+. cfg/pki_funcs.sh
+
 PARAM1=$1
 PARAM2=$2
+PARAM3=$3
+
 
 usage() {
   echo
-  echo "Generate a new certificate"
+  echo "Generate a new Server certificate"
   echo
-  echo "This program will generate a new certificate authority intermediate"
-  echo "Requires the file ca-i.pem that is used to sign the certificates"
-  echo "The script requires a CA Intermediate certificate used to sign the client"
-  echo ""
-  echo ""
-  echo ""
   echo
   echo "Generate a new certificate"
-  echo "  usage:   gen_server.sh  <CA Intermediate> <Org URL> <Serial>"
+  echo "  usage:   gen_server.sh  <Org URL> <Serial #>"
   echo
-  echo "  example: gen_server.sh  ca_i_skunkworks.acme.xyz_10001.crt.pem \\"
-  echo "                          skunkworks.acme.xyz \\"
+  echo "  example: gen_server.sh  skunkworks.acme.xyz \\"
   echo "                          10052 \\"
   echo
   exit 1
 }
 
-#
-# Generate a Server Certificate
-# IN: ${SERIAL}, ${UNIQ_ID}
-#
-generate_server() {
-  openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
 
-  openssl req -new -config $FQ_S_CNF -key "server_${UNIQ_ID}.keys.pem" \
-              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-              -out "server_${UNIQ_ID}.csr.pem"
+main() {
+  if [[ ! -f cfg/ca-i.crt.pem ]] || [[ ! -f cfg/ca-i.keys.pem ]]; then
+    echo_block "ERROR: file cfg/ca-i.crt.pem cfg/ca-i.keys.pem is missing"
+    usage
+  fi
+  if [[ ! -f cfg/SERIAL ]]; then
+    echo_block "ERROR: file cfg/SERIAL is missing"
+    usage
+  fi
+  if [[ ! -f "cfg/$PARAM1.cnf" ]]; then
+    echo_block "ERROR: file  cfg/$PARAM1.cnf  is missing"
+    usage
+  fi
 
-  # Intermediate signs Server
-  openssl x509 -req -days 365 -extfile $FQ_S_CNF -extensions v3_server \
-               -CA "ca_i_${UNIQ_ID_CA}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CA}.keys.pem" -set_serial ${SERIAL} \
-               -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
-
-  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt" 
-}
-
-# if all argument strings are empty, then continue execution
-if [[ -n $1 ]] && [[ -n $2 ]] && [[ -n $3 ]]; then
-	UNIQ_ID_CA=$1
-	ORG_URL=$2
-	SERIAL=$3
-	UNIQ_ID="${ORG_URL}_${SERIAL}"
-	generate_server
+  if [[ -n $PARAM1 ]] && [[ -n $PARAM2 ]]; then
+    gen_server $PARAM1 $PARAM2
   else
     usage
   fi
+}
+
+main

src/pki_bootstrap/res/libs/pki_funcs.sh

@@ -72,60 +72,73 @@ gen_ca() {
 # Create CA Intermediate PKI
 # 
 # 
+
 #
-# INPUT:  SERIAL #, LOOP NUM
+# Generate a PKI chain
+#   - the certificate chain is unique based on the serial #
+#   - generate a new CA I
+#   - generate server certificates
+#   - generate client certificates
+#
+# INPUT:  BASE SERIAL #, LOOP NUM
+# 
+# Requires: FQ_CA_CERT, FQ_CA_KEYS
 # 
 ca-i_gen_pki() {
-  # organization
   CDD=`pwd`
   ORG_URL=$1
-  SERIAL=$2
-  LOOP_NUM=$3
+  SERIAL_O=$2
+  NUM_CERTS=$(($3-1))
 
-  UNIQ_DIR_CA="ca_i_${SERIAL}.${ORG_URL}"
-  mkdir -p "distribution/${UNIQ_DIR_CA}"
-  cd "distribution/${UNIQ_DIR_CA}"
+  # create unique directory
+  UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}" 
+  mkdir -p "distribution/ca_i_${UNIQ_ID_CAI}"
+  cd "distribution/ca_i_${UNIQ_ID_CAI}"
 
-  # geneate certificates, organize the files
-  ca-i_gen_pki_certs $ORG_URL $SERIAL $LOOP_NUM
-  ca-i_organize
-  ca-i_cp_docs
+  # Create CA Intermediate
+  ca-i_gen_cert $ORG_URL $SERIAL_O
+
+  # create directories, copy files, before generating client/server
+  ca-i_create_shell
+
+  __ca-i_gen_client
+
+  __ca-i_gen_server
 
   # return to last path
   cd $CDD
 }
 
 # 
-# Generate a PKI chain
-#   - the certificate chain is unique based on the serial #
-#   - generate a new CA I
-#   - generate two server certificates
-#   - generate two client certificates
-#
-# INPUT:  BASE SERIAL #, LOOP NUM
-# 
-# Requires: FQ_CA_CERT, FQ_CA_KEYS
-# 
-ca-i_gen_pki_certs() {
-  ORG_URL=$1
-  SERIAL_O=$2
-  NUM_CERTS=$(($3-1))
-
-  # Create CA Intermediate
-  UNIQ_ID_CAI="${SERIAL_O}.${ORG_URL}" 
-  ca-i_gen_cert $UNIQ_ID_CAI $SERIAL_O
-
-  # Server Certificates
-  for NUM in $(seq 0 $NUM_CERTS)
-  do
-    gen_server $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM))
-  done
-
 # Client Certificates
+# 
+__ca-i_gen_client() {
+  # create directories
+  mkdir -p clients/data
+  mkdir -p clients/distro
+  mkdir -p clients/docs
+  cd clients
   for NUM in $(seq 0 $NUM_CERTS)
   do
-    gen_client $ORG_URL $UNIQ_ID_CAI $((SERIAL_O+NUM))
+    gen_client $ORG_URL $((SERIAL_O+NUM))
   done
+  cd ..
+}
+
+# 
+# Server Certificates
+# 
+__ca-i_gen_server() {
+  # create directories
+  mkdir -p servers/data
+  mkdir -p servers/distro
+  mkdir -p servers/docs
+  cd servers
+  for NUM in $(seq 0 $NUM_CERTS)
+  do
+    gen_server $ORG_URL $((SERIAL_O+NUM))
+  done
+  cd ..
 }
 
 # This function will generate a CA Intermediate
@@ -135,133 +148,83 @@ ca-i_gen_pki_certs() {
 # IN: UNIQ_ID_CA, SERIAL
 #
 ca-i_gen_cert() {
-  UNIQ_ID_CAI=$1
+  ORG_URL=$1 
   SERIAL=$2
 
-  echo_block "Create CA Intermediate  (${UNIQ_ID_CAI})"
+  UNIQ_ID="${SERIAL}.${ORG_URL}"
 
-  openssl genrsa -out "ca_i_${UNIQ_ID_CAI}.keys.pem" 4096
+  echo_block "Create CA Intermediate  (${UNIQ_ID})"
+
+  openssl genrsa -out "ca_i_${UNIQ_ID}.keys.pem" 4096
 
   # Create Cert Signing Request (CSR)
   openssl req -config "${CNF_PATH}/ca.cnf" -new -sha256 \
-              -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID_CAI}" \
-              -key "ca_i_${UNIQ_ID_CAI}.keys.pem" -out "ca_i_${UNIQ_ID_CAI}.csr.pem"
+              -subj "/C=OO/O=ACME/OU=ACME Intermediate/CN=${UNIQ_ID}" \
+              -key "ca_i_${UNIQ_ID}.keys.pem" -out "ca_i_${UNIQ_ID}.csr.pem"
 
   # Create Certificate   (valid for ~2 years, after the entire chain of trust expires)
   # CA signs Intermediate
   openssl x509 -req -days 750 -extfile "${CNF_PATH}/ca.cnf" -extensions v3_ca_i \
                -CA $FQ_CA_CERT -CAkey $FQ_CA_KEYS -set_serial ${SERIAL} \
-               -in "ca_i_${UNIQ_ID_CAI}.csr.pem" -out "ca_i_${UNIQ_ID_CAI}.crt.pem"
+               -in "ca_i_${UNIQ_ID}.csr.pem" -out "ca_i_${UNIQ_ID}.crt.pem"
 
   # Package the Certificate Authority Certificates for distro  (windoze needs this)
-  openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID_CAI}.keys.pem" \
+  openssl pkcs12 -export -password "pass:password" -inkey "ca_i_${UNIQ_ID}.keys.pem" \
                  -name "CA Intermediate Mobile Provision" -certfile $FQ_CA_CERT \
-                 -in "ca_i_${UNIQ_ID_CAI}.crt.pem" -out "ca_i_${UNIQ_ID_CAI}.p12"
+                 -in "ca_i_${UNIQ_ID}.crt.pem" -out "ca_i_${UNIQ_ID}.p12"
 
   # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_i_${UNIQ_ID_CAI}.crt.info.txt"
+  openssl x509 -noout -text -in "ca_i_${UNIQ_ID}.crt.pem" > "ca_i_${UNIQ_ID}.crt.info.txt"
 
   # create certifiate chain
-  cat $FQ_CA_CERT "ca_i_${UNIQ_ID_CAI}.crt.pem" > "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem"
-}
-
-#
-# Organize the generated crypto files into logical folders
-#
-ca-i_organize() {
-  # organize the client directory
-  mkdir -p clients/cfg
-  mkdir -p clients/data
-  mkdir -p clients/distro
-  mkdir -p clients/docs
-  mv client*.pem clients/data/
-  mv client*.p12 clients/distro/
-  mv client*.info.txt clients/docs/
-  cp ca_i*.crt.pem clients/cfg/ca_i.crt.pem
-  cp ca_i*.keys.pem clients/cfg/ca_i.keys.pem
-
-  # organize the server directory
-  mkdir -p servers/cfg
-  mkdir -p servers/data
-  mkdir -p servers/distro
-  mkdir -p servers/docs
-  mv server_*.pem servers/data/
-  mv server_*.p12 servers/distro/
-  mv server_*.info.txt servers/docs/
-  cp ca_i*.crt.pem servers/cfg/ca_i.crt.pem
-  cp ca_i*.keys.pem servers/cfg/ca_i.keys.pem
-
-  # organize the ca-i directory
-  # order matters:  move these files last because they were copied above
-  mkdir -p ca-i/data
-  mkdir -p ca-i/docs
-  mkdir -p ca-i/distro
-  mv ca_i*.pem ca-i/data/
-  mv ca_i*.info.txt ca-i/docs/
-  mv ca_i*.p12 ca-i/distro
-  mv ca_cert-chain*.pem ca-i/distro
+  cat $FQ_CA_CERT "ca_i_${UNIQ_ID}.crt.pem" > "ca_cert-chain_${UNIQ_ID}.crts.pem"
 }
 
 #
 # Copies all applcations to the Lifecycle package
+#   organize the ca-i directory
+#   order matters:  move these files last because they were copied above
 #
-# Requires: 
-#   UNIQ_DIR_LC  : unique string for the Lifecycle directory
-#   UNIQ_ID_CAI : unique string for the CA-I
-#
-ca-i_cp_docs() {
+ca-i_create_shell() {
+
   DEST_DIR="${CDD}/distribution/ca_i_${UNIQ_ID_CAI}"
 
-  # CA-I
-  cp $CDD/res/docs/README_CAI  $DEST_DIR/README
-  cp $CDD/ca_*/ca_*.crt.pem   $DEST_DIR/ca-i/data/
-  cp $CDD/ca_*/ca_*.info.txt  $DEST_DIR/ca-i/docs/
-
   # client
+  mkdir -p clients/cfg
   cp $CDD/res/libs/gen_client.sh  $DEST_DIR/clients/
   cp $CDD/res/libs/pki_funcs.sh   $DEST_DIR/clients/cfg
   cp $CDD/res/docs/README_C       $DEST_DIR/clients/README
   cp $CDD/res/docs/SERIAL         $DEST_DIR/clients/cfg/
   cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/clients/cfg/
+  # generated files
+  cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/clients/cfg/ca-i.crt.pem
+  cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/clients/cfg/ca-i.keys.pem
+  cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/clients/cfg/ca_cert-chain.crts.pem
 
   # server
+  mkdir -p servers/cfg
   cp $CDD/res/libs/gen_server.sh  $DEST_DIR/servers/
   cp $CDD/res/libs/pki_funcs.sh   $DEST_DIR/servers/cfg/
   cp $CDD/res/docs/README_S       $DEST_DIR/servers/README
   cp $CDD/res/docs/SERIAL         $DEST_DIR/servers/cfg/
   cp "${CDD}/cfg/${ORG_URL}.cnf"  $DEST_DIR/servers/cfg/
-}
+  # generated files
+  cp $DEST_DIR/ca_i*.crt.pem      $DEST_DIR/servers/cfg/ca-i.crt.pem
+  cp $DEST_DIR/ca_i*.keys.pem     $DEST_DIR/servers/cfg/ca-i.keys.pem
+  cp $DEST_DIR/ca_cert-chain*.pem $DEST_DIR/servers/cfg/ca_cert-chain.crts.pem
 
-#
-# Generate a Server Certificate
-# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
-#
-gen_server() {
-  ORG_URL=$1 
-  UNIQ_ID_CAI=$2
-  SERIAL=$3
-
-  UNIQ_ID="${SERIAL}.${ORG_URL}"
-  echo_block "Generate Server Certificates  (${UNIQ_ID})"
-
-  openssl genrsa -out "server_${UNIQ_ID}.keys.pem" 4096
-
-  openssl req -new -config $CNF_PATH/${ORG_URL}.cnf -key "server_${UNIQ_ID}.keys.pem" \
-              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
-              -out "server_${UNIQ_ID}.csr.pem"
-
-  # CA Intermediate signs Server
-  openssl x509 -req -days 365 -extfile $CNF_PATH/${ORG_URL}.cnf -extensions v3_server \
-               -CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \
-               -in "server_${UNIQ_ID}.csr.pem" -out "server_${UNIQ_ID}.crt.pem"
-
-  # Package the Certificates
-  openssl pkcs12 -export -password "pass:password" -inkey "server_${UNIQ_ID}.keys.pem" \
-                 -name "Server ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "server_${UNIQ_ID}@acme.xyz" \
-                 -in "server_${UNIQ_ID}.crt.pem" -out "server_${UNIQ_ID}.p12"
-
-  # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "server_${UNIQ_ID}.crt.pem" > "server_${UNIQ_ID}.crt.info.txt" 
+  # CA-I
+  mkdir -p ca-i/data
+  mkdir -p ca-i/docs
+  mkdir -p ca-i/distro
+  cp $CDD/res/docs/README_CAI       $DEST_DIR/README
+  cp $CDD/ca_*/ca_*.crt.pem         $DEST_DIR/ca-i/data/
+  cp $CDD/ca_*/ca_*.info.txt        $DEST_DIR/ca-i/docs/
+  # generated files
+  mv $DEST_DIR/ca_i*.pem            $DEST_DIR/ca-i/data/
+  mv $DEST_DIR/ca_i*.info.txt       $DEST_DIR/ca-i/docs/
+  mv $DEST_DIR/ca_i*.p12            $DEST_DIR/ca-i/distro
+  mv $DEST_DIR/ca_cert-chain*.pem   $DEST_DIR/ca-i/distro
 }
 
 #
@@ -270,33 +233,62 @@ gen_server() {
 #
 gen_client() {
   ORG_URL=$1 
-  UNIQ_ID_CAI=$2
-  SERIAL=$3
+  SERIAL=$2
 
   UNIQ_ID="${SERIAL}.${ORG_URL}"
+  CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
 
   echo_block "Generate Client Certificates  (${UNIQ_ID})"
 
-  openssl genrsa -out "client_${UNIQ_ID}.keys.pem" 4096
+  openssl genrsa -out "data/client_${UNIQ_ID}.keys.pem" 4096
 
-  openssl req -new -key "client_${UNIQ_ID}.keys.pem" \
+  openssl req -new -key "data/client_${UNIQ_ID}.keys.pem" \
               -subj "/C=OO/O=ACME/OU=ACME Standard/CN=client_${UNIQ_ID}" \
-              -out "client_${UNIQ_ID}.csr.pem"
+              -out "data/client_${UNIQ_ID}.csr.pem"
   # CA Intermediate signs Client
   openssl x509 -req -days 365 \
-               -CA "ca_i_${UNIQ_ID_CAI}.crt.pem" -CAkey "ca_i_${UNIQ_ID_CAI}.keys.pem" -set_serial ${SERIAL} \
-               -in "client_${UNIQ_ID}.csr.pem" -out "client_${UNIQ_ID}.crt.pem"
+               -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
+               -in "data/client_${UNIQ_ID}.csr.pem" -out "data/client_${UNIQ_ID}.crt.pem"
 
   # Package the Certificates
-  openssl pkcs12 -export -password "pass:password" -inkey "client_${UNIQ_ID}.keys.pem" \
-                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile "ca_cert-chain_${UNIQ_ID_CAI}.crts.pem" -caname "client_${UNIQ_ID}@acme.xyz" \
-                 -in "client_${UNIQ_ID}.crt.pem" -out "client_${UNIQ_ID}.p12"
+  openssl pkcs12 -export -password "pass:password" -inkey "data/client_${UNIQ_ID}.keys.pem" \
+                 -name "Client ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "client_${UNIQ_ID}@acme.xyz" \
+                 -in "data/client_${UNIQ_ID}.crt.pem" -out "distro/client_${UNIQ_ID}.p12"
 
   # verify certificate (output to text file for review)
-  openssl x509 -noout -text -in "client_${UNIQ_ID}.crt.pem" > "client_${UNIQ_ID}.info.txt"
+  openssl x509 -noout -text -in "data/client_${UNIQ_ID}.crt.pem" > "docs/client_${UNIQ_ID}.info.txt"
 }
 
 #
-# give some info if someone tries to execute this
-# echo_block "this script file has only helper functions"
+# Generate a Server Certificate
+# IN: UNIQ_ID, UNIQ_ID_CA, SERIAL
+#
+gen_server() {
+  ORG_URL=$1 
+  SERIAL=$2
+
+  UNIQ_ID="${SERIAL}.${ORG_URL}"
+  CERT_CHAIN="cfg/ca_cert-chain.crts.pem"
+
+  echo_block "Generate Server Certificates  (${UNIQ_ID})"
+
+  openssl genrsa -out "data/server_${UNIQ_ID}.keys.pem" 4096
+
+  openssl req -new -config "cfg/${ORG_URL}.cnf" -key "data/server_${UNIQ_ID}.keys.pem" \
+              -subj "/C=OO/O=ACME/OU=ACME Standard/CN=${UNIQ_ID}" \
+              -out "data/server_${UNIQ_ID}.csr.pem"
+
+  # CA Intermediate signs Server
+  openssl x509 -req -days 365 -extfile "cfg/${ORG_URL}.cnf" -extensions v3_server \
+               -CA "cfg/ca-i.crt.pem" -CAkey "cfg/ca-i.keys.pem" -set_serial ${SERIAL} \
+               -in "data/server_${UNIQ_ID}.csr.pem" -out "data/server_${UNIQ_ID}.crt.pem"
+
+  # Package the Certificates
+  openssl pkcs12 -export -password "pass:password" -inkey "data/server_${UNIQ_ID}.keys.pem" \
+                 -name "Server ${UNIQ_ID} VPN Certificate" -certfile $CERT_CHAIN -caname "server_${UNIQ_ID}@acme.xyz" \
+                 -in "data/server_${UNIQ_ID}.crt.pem" -out "distro/server_${UNIQ_ID}.p12"
+
+  # verify certificate (output to text file for review)
+  openssl x509 -noout -text -in "data/server_${UNIQ_ID}.crt.pem" > "docs/server_${UNIQ_ID}.crt.info.txt" 
+}