+cat <<TESTCA > test_reqClient.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
+cat <<TESTCA > test_reqMail.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=emailProtection
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
+
+genca(){ #subj, internalName
+
+ openssl genrsa -out $2.key ${KEYSIZE}
+ openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
+
+ mkdir $2.ca
+ mkdir $2.ca/newcerts
+ echo 01 > $2.ca/serial
+ touch $2.ca/db
+ echo unique_subject = no >$2.ca/db.attr
+
+}
+
+caSign(){ # key,ca,config
+ cd $2.ca
+ openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
+ cd ..
+}
+
+rootSign(){ # key
+ caSign $1 root test_subca.cnf
+}
+
+genserver(){ #key, subject, config
+ openssl genrsa -out $1.key ${KEYSIZE}
+ openssl req -new -key $1.key -out $1.csr -subj "$2" -config selfsign.config
+ caSign $1 env "$3"
+
+ openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
+
+ keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "$PRIVATEPW"