<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 2/12/2020 12:59, Michael Leone
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAHBr++irhdQS4HT-jyE19PJ2bajsxwmxB0E=ztqaZF3g0-XiEA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Feb 12, 2020 at 1:24
PM Karl Denninger <<a href="mailto:karl@denninger.net"
moz-do-not-send="true">karl@denninger.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<div>On 2/12/2020 11:32, Michael Leone wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">So we are mostly a MS Windows shop. But I
use a Linux openssl as my root CA. What I am planning
on doing, is creating a Windows intermediate CA, and
using that to sign all my internal requests. But
before I do that, I have a couple of questions.
<div><br>
</div>
<div>I have the steps to install the certificate
services in AD, and create an intermediate CA
request. What I'm wondering is, do I sign that cert
differently than any normal cert? I don't see why I
would. I mean, the request should specify that it
wants to be a CA, and so I should just be able to </div>
<div><br>
</div>
<div>openssl ca -in <file> -out <file></div>
<div><br>
</div>
<div>and maybe the -extfile, to specify SANs.</div>
<div><br>
</div>
<div>Am I correct in thinking that? I see many, many
openssl examples, but they're all for creating an
intermediate CA using openssl, which I'm not doing.
And the rest of the examples seem to be how to sign
using the resulting intermediate CA cert itself,
which again, is not what I will be doing .</div>
<div><br>
</div>
<div>Any pointers appreciated. Thanks!</div>
<div><br clear="all">
</div>
</div>
</blockquote>
<p>You have to sign the intermediate with the root in
order to maintain the chain of custody and
certification.<br>
</p>
</div>
</blockquote>
<div><br>
</div>
<div>Well, yes. Sorry if that wasn't clear. Yes, the only CA I
have is the root, so that is what I will be signing with. So
what I am asking, is the signing command different for an
intermediate CA than for a regular (I guess the term is "End
Entity") certificate?</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<p>No, other than specifying the signing certificate to be used
(e.g. the root CA) -- the certificate ITSELF, however, is
different than an end-entity certificate. The EKU constraints
should be correct (e.g. chain length, etc) and "CA:true" has to be
set for it (and must NOT be set on an end-entity certificate.) I
have no clue what Microsoft does or doesn't do with their
certificate management stuff; I use OpenSSL to do it.<br>
</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font></div>
</body>
</html>