openssl genrsa -aes256 -out rootCA.key 4096
openssl req -new -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=ca.grif/emailAddress=contact@grifon.fr" -key rootCA.key -out rootCA.csr
openssl req -x509 -in rootCA.csr -key rootCA.key -sha512 -days 3650 -out rootCA.crt
openssl x509 -in rootCA.crt -noout -serial > rootCA.srl

Certif à importer : https://rda.grif/rootCA.crt

Script dispo ici /srv/internal_ca/generate_cert.sh :

#!/usr/bin/env bash
if [ "$#" -ne 1 ]; then
  echo "Usage: $0 DIRECTORY" >&2
  exit 1
fi

FQDN=$1

ROOT=$(pwd)
ROOT_CRT="${ROOT}/rootCA.crt"
ROOT_KEY="${ROOT}/rootCA.key"
ROOT_SRL="${ROOT}/rootCA.srl"
DEST_CERT="${ROOT}/services/${FQDN}"
VALIDATE="^([a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$"

if [ ! -d "${DEST_CERT}" ]; then
    mkdir -p ${DEST_CERT}
fi

if [[ "${FQDN}" =~ ${VALIDATE} ]]; then
    echo "Generate v3.ext_${FQDN}"
    echo "
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
issuerAltName          = issuer:copy
subjectAltName         = DNS:${FQDN}
" > v3.ext_${FQDN}

    echo "Valid fqdn, generate certificate for ${FQDN}"
    openssl genrsa -out ${DEST_CERT}/${FQDN}.key 4096
    openssl req -new -key "${DEST_CERT}/${FQDN}.key" \
            -sha512 \
            -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=${FQDN}/emailAddress=contact@grifon.fr" \
            -out "${DEST_CERT}/${FQDN}.csr"
    openssl x509 -days 365 -req -sha512 -in "${DEST_CERT}/${FQDN}.csr" -out "${DEST_CERT}/${FQDN}.crt" -CA "${ROOT_CRT}" -CAkey "${ROOT_KEY}" -CAcreateserial -CAserial "${ROOT_SRL}" -extfile v3.ext_${FQDN}

    cat ${DEST_CERT}/${FQDN}.crt ${ROOT_CRT} > ${DEST_CERT}/${FQDN}.chained.crt

    rm v3.ext_${FQDN}
else
    echo "Not a valid fqdn!"
    exit 1
fi