sudo mkdir -p /root/ca/{certs,crl,csr,newcerts,private}
sudo setfacl -d -m u::rx -m g::- -m o::- /root/ca/private
sudo setfacl -d -m u::rx -m g::rx -m o::rx /root/ca/certs
sudo chmod 700 /root/ca/private
sudo touch /root/ca/index.txt
sudo tee /root/ca/serial <<< 1000