Questions about signing an intermediate CA

Michael Leone turgon at
Wed Feb 12 17:32:04 UTC 2020

So we are mostly a MS Windows shop. But I use a Linux openssl as my root
CA. What I am planning on doing, is creating a Windows intermediate CA, and
using that to sign all my internal requests. But before I do that, I have a
couple of questions.

I have the steps to install the certificate services in AD, and create an
intermediate CA request. What I'm wondering is, do I sign that cert
differently than any normal cert? I don't see why I would. I mean, the
request should specify that it wants to be a CA, and so I should just be
able to

openssl ca -in <file> -out <file>

and maybe the -extfile, to specify SANs.

Am I correct in thinking that? I see many, many openssl examples, but
they're all for creating an intermediate CA using openssl, which I'm not
doing. And the rest of the examples seem to be how to sign using the
resulting intermediate CA cert itself, which again, is not what I will be
doing.

Any pointers appreciated. Thanks!


Mike. Leone, <mailto:turgon at>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <>

This space reserved for future witticisms ...
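
Added example (not part of the original post, and not OpenSSL project code): with `openssl ca`, the extensions of the issued certificate come from the signer's configuration (`x509_extensions`, `-extensions` or `-extfile`), and extensions in the request are ignored unless `copy_extensions` is set. The constructed lab below signs one CSR twice to show the difference; all file names, subject names and the sections `v3_root` and `v3_sub` are assumptions, and the CSR is generated with openssl as a stand-in for the Windows request.

```shell
# Added example: constructed lab. File names, subject names and the
# sections v3_root / v3_sub are assumptions, not from the original post.
set -e
lab_setup() {   # $1 = empty work dir: throwaway root CA plus a stand-in CSR
    d=$1; mkdir "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/root.crt
private_key = $d/root.key
default_md = sha256
default_days = 1825
policy = policy_any
unique_subject = no
copy_extensions = none   # the default: extensions in the request are ignored
[ policy_any ]
commonName = supplied
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -extensions v3_root \
        -subj "/CN=Demo Root CA" -days 3650 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Stand-in for the Windows request; it asks for CA:TRUE via -reqexts.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -reqexts v3_sub \
        -subj "/CN=Demo Issuing CA" -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
}

sign() {        # $1 = work dir, $2 = output name, rest = extra "openssl ca" options
    d=$1; out=$2; shift 2
    openssl ca -batch -notext -config "$d/ca.cnf" "$@" -in "$d/sub.csr" -out "$d/$out" 2>/dev/null
}
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

LAB=$(mktemp -d); lab_setup "$LAB"
sign "$LAB" plain.crt                      # no extension section: request's CA:TRUE is dropped
sign "$LAB" sub.crt -extensions v3_sub     # signer's section adds CA:TRUE, pathlen:0
for c in plain.crt sub.crt; do
    if is_ca "$LAB/$c"; then echo "$c: CA:TRUE"; else echo "$c: not a CA"; fi
done
```

Checking the issued certificate with `openssl x509 -noout -text` before installing it on the subordinate CA confirms that `CA:TRUE` and the intended key usage are actually present.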