diff --git a/ca1/index.txt b/ca1/index.txt
new file mode 100644
index 0000000..e69de29
diff --git a/ca1/openssl.conf b/ca1/openssl.conf
new file mode 100644
index 0000000..5c0f92d
--- /dev/null
+++ b/ca1/openssl.conf
@@ -0,0 +1,84 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = /mnt/d/cert/ca1 # папка промежуточного цс
+certs = $dir/pub
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/priv/.rand
+
+private_key = $dir/priv/ca1.key
+certificate = $dir/pub/ca1.crt
+
+default_md = sha256
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+unique_subject = no
+
+
+[ policy_loose ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+default_md = sha256
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# значения по-умолчанию
+countryName_default = RU
+stateOrProvinceName_default = Russia
+localityName_default = Russia
+organizationName_default = MyHomeLab1
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName=${ENV::SAN}
diff --git a/ca1/serial b/ca1/serial
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/ca1/serial
@@ -0,0 +1 @@
+1000
diff --git a/ca_root/index.txt b/ca_root/index.txt
new file mode 100644
index 0000000..e69de29
diff --git a/ca_root/openssl.conf b/ca_root/openssl.conf
new file mode 100644
index 0000000..d32cee1
--- /dev/null
+++ b/ca_root/openssl.conf
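Review bot: Nothing in `[ CA_default ]` configures revocation — there is no `crl_dir`, `crlnumber` or `default_crl_days`, and neither `usr_cert` nor `server_cert` carries `crlDistributionPoints` — so a leaf certificate whose key is compromised cannot be revoked without first editing this file; `ca_root/openssl.conf` has the same gap (its `crl_dir` line is commented out), and the intermediate is the CA most likely to need it. The `subjectAltName=${ENV::SAN}` line makes config loading fail when `SAN` is not exported, which is the right failure mode (no server cert silently issued without a SAN) but is undocumented; a comment above it such as `# SAN must be set in the environment before signing, e.g. SAN=DNS:host.example` would spare the next operator a cryptic variable-lookup error. `nsCertType` and `nsComment` are obsolete Netscape extensions that current clients ignore and can be dropped. Minor consistency point: `authorityKeyIdentifier` is `keyid,issuer` in `usr_cert` but `keyid,issuer:always` in `server_cert`; the two profiles should agree.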
@@ -0,0 +1,63 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = /mnt/d/cert/ca_root #папка с нашим УЦ
+certs = $dir/priv
+#crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/priv/.rand
+#подписывающие серты
+private_key = $dir/priv/ca.key
+certificate = $dir/pub/ca.crt
+default_md = sha256
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+countryName = match
+stateOrProvinceName = match
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+default_md = sha256
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# дефолтные значения
+countryName_default = RU
+stateOrProvinceName_default = Russia
+localityName_default = Russia
+organizationName_default = MyHomeLab
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
diff --git a/ca_root/serial b/ca_root/serial
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/ca_root/serial
@@ -0,0 +1 @@
+1000
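Review bot: `[ policy_strict ]` has no `localityName` entry, and `openssl ca` silently deletes any subject component not listed in the policy, so the L field that `req_distinguished_name` prompts for (`localityName_default = Russia`) is stripped from every certificate the root signs; add `localityName = optional` (or `match`) to the policy, or drop the prompt, so the CSR and the issued certificate agree. In the same section `commonName = optional` lets an intermediate be issued with no CN at all, where `supplied` is the usual choice for a CA policy. The root key is kept under `dir = /mnt/d/cert/ca_root`; if that path is a WSL drvfs mount of a Windows drive, Unix permission bits on `priv/` are not enforced unless the mount is configured with the `metadata` option, so either confirm the mount options or keep the key on a native filesystem. `certs = $dir/priv` also differs from the intermediate's `certs = $dir/pub` and points the issued-certificate directory at the private-key directory; `$dir/pub` or `$dir/newcerts` keeps public output separate from key material.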