# Issue a Server Certificate

> Based on https://medium.com/@sureshchand.rhce/how-to-build-a-root-ca-intermediate-ca-with-openssl-eba1c73d1591

## Create server key

``` bash
openssl genpkey -algorithm RSA \
  -out exegol.swgalaxy.key.pem \
  -pkeyopt rsa_keygen_bits:2048
```

## Create CSR with SAN

Define a configuration file for the CSR `exegol.swgalaxy.cnf`:

```
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
C = FR
ST = Yvelines
L = Le Vesinet
O = swgalaxy
OU = swgalaxy servers
CN = exegol.swgalaxy

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = exegol.swgalaxy
DNS.2 = exegol
```

Create the CSR:

``` bash
openssl req -new -key exegol.swgalaxy.key.pem \
  -out exegol.swgalaxy.csr.pem \
  -config exegol.swgalaxy.cnf
```

## Sign with Intermediate CA

Update the `server_cert` extension section in the **intermediate CA** configuration file `/app/pki/intermediate/openssl.cnf`:

```
[ server_cert ]
# Basic identity
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Server certificates must NOT be CA certificates
basicConstraints = critical, CA:FALSE

# Key usage: what the certificate is allowed to do
keyUsage = critical, digitalSignature, keyEncipherment

# Extended key usage: define this as a TLS server certificate
extendedKeyUsage = serverAuth

# Allow SANs (modern TLS requires SANs)
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = exegol.swgalaxy
DNS.2 = exegol
```

Sign the certificate with the **intermediate CA**:

``` bash
openssl ca -config /app/pki/intermediate/openssl.cnf \
  -extensions server_cert \
  -days 3650 -notext -md sha256 \
  -in exegol.swgalaxy.csr.pem \
  -out /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```

## Verify the chain

``` bash
openssl verify \
  -CAfile /app/pki/intermediate/certs/ca-chain.cert.pem \
  /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```

## Verify the certificate

``` bash
openssl x509 -text -noout \
  -in /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```
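
Added example, not from the original page: a scripted version of the "Verify the certificate" step. It matters because the `[ alt_names ]` block in the CA's `server_cert` section is applied to every certificate signed with that section, so the issued SAN set should be compared with the names intended for this host. The function names `ext_value` and `check_server_cert` and the sample dump are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an issued certificate against the server_cert profile.
# Input on stdin is the output of `openssl x509 -text -noout`.

# Print the value line that follows an "X509v3 <name>:" extension header.
ext_value() {  # $1 = extension name, $2 = text dump
  printf '%s\n' "$2" | awk -v h="X509v3 $1:" \
    'index($0, h) { getline; gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }'
}

# $1 = expected DNS names, space separated. Returns 0 only if all checks pass.
check_server_cert() {
  local text rc=0 want got
  text=$(cat)
  [ "$(ext_value 'Basic Constraints' "$text")" = "CA:FALSE" ] ||
    { echo "FAIL: basicConstraints is not CA:FALSE"; rc=1; }
  case "$(ext_value 'Key Usage' "$text")" in
    *"Certificate Sign"*|*"CRL Sign"*) echo "FAIL: CA key usage on a leaf"; rc=1 ;;
  esac
  case "$(ext_value 'Extended Key Usage' "$text")" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "FAIL: serverAuth missing from extendedKeyUsage"; rc=1 ;;
  esac
  # The DNS SAN set must equal the expected set: no missing and no extra names.
  want=$(printf '%s\n' $1 | sort)
  got=$(ext_value 'Subject Alternative Name' "$text" |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort)
  [ "$want" = "$got" ] ||
    { echo "FAIL: SAN mismatch, certificate has:" $got; rc=1; }
  return $rc
}

# Constructed sample: extension section as printed for the page's certificate.
SAMPLE_DUMP='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:exegol.swgalaxy, DNS:exegol'

# Real use (paths from the page):
#   openssl x509 -text -noout -in /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem |
#     check_server_cert "exegol.swgalaxy exegol"
printf '%s\n' "$SAMPLE_DUMP" | check_server_cert "exegol.swgalaxy exegol" && echo "profile OK"
```

Only `DNS:` entries are compared; other SAN types in the dump are ignored by this check.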