+# Intermediate
+mkdir -p ./CA/{certs,crl,csr,newcerts,private}
+
+echo ## Create intermediate certificate
+openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \
+ -subj "$INTERMEDIATE_CA_DN" \
+ -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem
+openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem
+
+# create index and serial
+touch ./CA/index.txt
+# (below is from openssl CA script)
+openssl x509 -in ./CA/cacert.pem -noout -next_serial -out ./CA/serial
+
+# Switch to intermediate CA
+export OPENSSL_CONF=./openssl.cnf
+export CATOP=./CA