+ROOT_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Root CA/"
+INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/"
+SERVER_DN=/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/
+USERS_BASE_DN=/DC=com/DC=example/OU=People
+
+echo -- Init directory structures
+mkdir -p ./rootCA/{certs,crl,csr,newcerts,private}
+mkdir -p ./CA/{certs,crl,csr,newcerts,private}
+
+#
+# Root CA
+#
+export OPENSSL_CONF=./openssl_root.cnf
+export CATOP=./rootCA
+echo -- Create root CA in $CATOP
+touch $CATOP/index.txt
+openssl req -new -newkey rsa:4096 -extensions v3_ca \
+ -subj "$ROOT_CA_DN" \
+ -keyout $CATOP/private/cakey.pem -passout pass:demo -out ca_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -create_serial -selfsign -batch -passin pass:demo -in ca_csr.pem -out $CATOP/cacert.pem \
+ 2>/dev/null # quiet
+
+echo -- Create intermediate CA in ./CA
+openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \
+ -subj "$INTERMEDIATE_CA_DN" \
+ -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem \
+ 2>/dev/null # quiet
+
+#
+# Intermediate CA
+#