-#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
-# -subj $SERVER_DN \
-# -keyout newkey.pem -passout pass:demo -out newcrt.pem
-
-# Self-signed server certificate
-#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
-# -name "jetty" -inkey newkey.pem -in newcrt.pem \
-# -certfile ./CA/cacert.pem \
-# -out server.p12
-
- # Convert PKCS12 keystore into a JKS keystore
-#keytool -importkeystore \
-# -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \
-# -alias jetty -destkeystore server.jks -deststorepass changeit
-#rm -f server.p12
+echo ## Create intermediate certificate
+openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \
+ -subj "$INTERMEDIATE_CA_DN" \
+ -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem
+openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem
+
+# create index and serial
+touch ./CA/index.txt
+# (below is from openssl CA script)
+openssl x509 -in ./CA/cacert.pem -noout -next_serial -out ./CA/serial