I'm ultimately attempting to get a PHP CAS client (zend server 8 with apache) to trust a CAS server (tomcat 7), and to that end have gone as far as to gin up my own private key infrastructure, here seen with password replaced with buttocks:
PKI GEN
#root key
openssl genrsa -out rootCA.key -aes256 -passout pass:butts 4096
openssl req -x509 -new -key rootCA.key -out rootCA.crt -subj '/C=US/O=World Domination/CN=WorldDom Root CA' -days 3650 -sha256 -passin pass:butts
#intermediate key
openssl genrsa -out intermediateCA.key -aes256 -passout pass:butts 4096
openssl req -new -key intermediateCA.key -out intermediateCA.csr -subj '/C=US/O=<orgname>/CN=<orgname> Intermediate CA' -passin pass:butts
#X509V3 extension config file
cat <<EOF > v3_ca.ext
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true
EOF
#sign intermediate with root key & X509V3 extensions
openssl x509 -req -in intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -CAserial rootCA.srl -extfile v3_ca.ext -out intermediateCA.crt -days 365 -sha256 -passin pass:butts
#works at this stage
openssl verify -CAfile rootCA.crt intermediateCA.crt
openssl x509 -in intermediateCA.crt -text
#server
openssl genrsa -out server.key -aes256 -passout pass:butts 4096
openssl req -new -key server.key -out server.csr -subj '/C=US/O=<orgDiv>/CN=CASsrv' -passin pass:butts
openssl x509 -req -in server.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -CAserial intermediateCA.srl -out server.crt -days 365 -sha256 -passin pass:butts
#decrypt for web server use
mv server.key server.key.secure
openssl rsa -in server.key.secure -out server.key -passin pass:butts
#client
openssl genrsa -out client.key -aes256 -passout pass:butts 4096
openssl req -new -key client.key -out client.csr -subj '/C=US/O=<orgSubDiv>/CN=ZServer/emailAddress=test@example.com' -passin pass:butts
openssl x509 -req -in client.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -CAserial intermediateCA.srl -out client.crt -days 365 -sha256 -passin pass:butts
cat intermediateCA.crt rootCA.crt > CAchain.pem
openssl pkcs12 -export -passout pass:butts -in client.crt -inkey client.key -certfile CAchain.pem -out client.p12 -passin pass:butts
#works here too
openssl verify -CAfile CAchain.pem server.crt
openssl verify -CAfile CAchain.pem client.crt
openssl x509 -in server.crt -text
Now CAchain.pem, server.crt & server.key files can be used in Apache HTTP Server, for example, to enable HTTPS. The rootCA.crt certificate should be imported to the trusted authorities in the browser or mail client.
Ostensibly the rootCA.crt certificate should be imported to the trusted authorities in the browser or mail client. This too is a strange journey:
rootCA import
sudo cp rootCA.crt /etc/ssl/certs/worldDomCA.crt
#symlink named after its hash.4, hash result is same after rename so I used the local version rather than the renamed etc/ssl version
#the hash must be substituted with $(...), not single-quoted; the suffix is a collision counter and lookup probes .0, .1, ... in order, so the first link must be .0
sudo ln -s /etc/ssl/certs/worldDomCA.crt /etc/ssl/certs/"$(openssl x509 -hash -noout -in rootCA.crt)".0
#this just hangs, disturbingly (with no certificate argument, verify reads the certificate from stdin; -CApath also takes the directory, not the file, and the intermediate has to be supplied as an untrusted chain cert)
openssl verify -CApath /etc/ssl/certs -untrusted intermediateCA.crt server.crt
Admittedly, I'm not sure where even to put the CAchain & server cert files, but more notably s_client complains that the cert's still self-signed somehow, instead of just hanging like verify. Judging from the subject & issuer lines
subject=/C=US/ST=test/L=test/O=test/OU=test/CN=servername.domain.int
issuer=/C=US/ST=test/L=test/O=test/OU=test/CN=servername.domain.int
the certs include the DN of the box on which they were forged. Could I get away with this if I made my CAs on another box, then brought it in & used it to sign my server/client certs? Notably both servers are running on the same box, since this whole mess is still under exploratory evaluation.
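Added example, not code from the original post: a POSIX shell script that builds the same root → intermediate → server chain with the X509v3 extensions a TLS client actually checks (a critical CA flag with pathlen:0 on the intermediate, serverAuth and a subjectAltName on the leaf), installs the root into a hash-named directory for -CApath, and runs `openssl verify` three ways with only the root trusted and the intermediate supplied as an untrusted chain certificate. It also compares subject and issuer on each certificate: a self-signed certificate prints identical subject and issuer lines, as the s_client output quoted above does, while a leaf issued by the intermediate does not. It assumes `openssl` is on PATH; the organisation name, the hostname `cas.example.test` and the directory layout are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): two-tier CA with the X509v3
# extensions a TLS client checks, a hash-named -CApath directory, and the
# verify runs that prove the chain. Assumes openssl on PATH; ORG and
# SERVER_HOST are hypothetical names.
set -eu

ORG="World Domination"          # hypothetical organisation
SERVER_HOST="cas.example.test"  # hypothetical CAS hostname, goes in the SAN

# build_pki DIR: root -> intermediate -> server leaf, written into DIR.
# Keys are unencrypted 2048-bit to keep the run short; for real keys use
# 4096 with -aes256 as in the post and decrypt only the copy the web server reads.
build_pki() {
    mkdir -p "$1"
    (
        cd "$1" || exit 1

        # Intermediate CA extensions: critical CA flag, pathlen:0 so it can only
        # issue end-entity certs, key usage limited to cert and CRL signing.
        cat > v3_ca.ext <<'EOF'
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=critical,CA:true,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
        # Server extensions: not a CA, serverAuth, and a SAN (clients match the
        # hostname against the SAN, not the CN).
        cat > v3_server.ext <<EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:false
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_HOST
EOF

        # Root: self-signed, so subject == issuer.
        openssl genrsa -out rootCA.key 2048 2>/dev/null
        openssl req -x509 -new -key rootCA.key -out rootCA.crt -days 3650 -sha256 \
            -subj "/C=US/O=$ORG/CN=$ORG Root CA"

        # Intermediate, signed by the root with the CA extensions.
        openssl genrsa -out intermediateCA.key 2048 2>/dev/null
        openssl req -new -key intermediateCA.key -out intermediateCA.csr \
            -subj "/C=US/O=$ORG/CN=$ORG Intermediate CA"
        openssl x509 -req -in intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key \
            -CAcreateserial -extfile v3_ca.ext -days 365 -sha256 \
            -out intermediateCA.crt 2>/dev/null

        # Server leaf, signed by the intermediate with the server extensions.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -out server.csr \
            -subj "/C=US/O=$ORG/CN=$SERVER_HOST"
        openssl x509 -req -in server.csr -CA intermediateCA.crt \
            -CAkey intermediateCA.key -CAcreateserial -extfile v3_server.ext \
            -days 365 -sha256 -out server.crt 2>/dev/null

        # Chain file the web server sends alongside server.crt.
        cat intermediateCA.crt rootCA.crt > CAchain.pem

        # -CApath directory: OpenSSL probes <subject_hash>.0, then .1, ... so the
        # first link must end in .0 (this is what c_rehash produces).
        mkdir -p capath
        cp rootCA.crt capath/
        ln -sf rootCA.crt "capath/$(openssl x509 -hash -noout -in rootCA.crt).0"
    )
}

# verify_chain DIR: trust only the root and pass the intermediate as an
# untrusted chain cert, which is how a TLS client sees it. Non-zero on any
# failure, including a hostname mismatch against the SAN.
verify_chain() {
    openssl verify -CAfile "$1/rootCA.crt" -untrusted "$1/intermediateCA.crt" \
        "$1/server.crt" >/dev/null &&
    openssl verify -CApath "$1/capath" -untrusted "$1/intermediateCA.crt" \
        "$1/server.crt" >/dev/null &&
    openssl verify -CAfile "$1/rootCA.crt" -untrusted "$1/intermediateCA.crt" \
        -verify_hostname "$SERVER_HOST" "$1/server.crt" >/dev/null
}

# is_self_signed CERT: prints yes when subject and issuer are identical, the
# pattern the s_client output in the post shows.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Usage: sh pki_demo.sh demo   (builds ./pki-demo and verifies it)
if [ "${1:-}" = "demo" ]; then
    build_pki pki-demo
    verify_chain pki-demo && echo "chain verifies"
    echo "root self-signed:   $(is_self_signed pki-demo/rootCA.crt)"
    echo "server self-signed: $(is_self_signed pki-demo/server.crt)"
fi
```

Two behaviours of `openssl verify` are worth knowing when reading the output: with no certificate argument it reads the certificate from stdin and waits, and `-CApath` names the directory of hash links, not a certificate file. A leaf verified against the root alone, without `-untrusted intermediateCA.crt` or the intermediate in the trust store, fails with "unable to get local issuer certificate", which is the same failure a client sees when the server does not send its chain.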