<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 2/12/2020 11:32, Michael Leone
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAHBr++i5G-f0YyHqDWM0xK1ZpsoY-ew+DFvEMR2eFpVH2qVi+w@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">So we are mostly a MS Windows shop. But I use a
Linux openssl as my root CA. What I am planning on doing, is
creating a Windows intermediate CA, and using that to sign all
my internal requests. But before I do that, I have a couple of
questions.
<div><br>
</div>
<div>I have the steps to install the certificate services in AD,
and create an intermediate CA request. What I'm wondering is,
do I sign that cert differently than any normal cert? I don't
see why I would. I mean, the request should specify that it
wants to be a CA, and so I should just be able to </div>
<div><br>
</div>
<div>openssl ca -in <file> -out <file></div>
<div><br>
</div>
<div>and maybe the -extfile, to specify SANs.</div>
<div><br>
</div>
<div>Am I correct in thinking that? I see many, many openssl
examples, but they're all for creating an intermediate CA
using openssl, which I'm not doing. And the rest of the
examples seem to be how to sign using the resulting
intermediate CA cert itself, which again, is not what I will
be doing .</div>
<div><br>
</div>
<div>Any pointers appreciated. Thanks!</div>
<div><br clear="all">
</div>
</div>
</blockquote>
<p>You have to sign the intermediate with the root in order to
maintain the chain of custody and certification.<br>
</p>
<p>That is, the chain of trust is
Root->Intermediate->......-> End Entity</p>
<p>You can (of course) branch more than once; it is common to have
more than one Intermediate, for example, for different types of
entity for which different parts of an organization have
responsibility, and you can sub-delegate intermediates as well.</p>
<p>Just note that when an end entity certificate is validated the
entire chain back to the root of trust (which is self-signed) has
to be able to be verified.<br>
</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font></div>
</body>
</html>