Questions about signing an intermediate CA

Karl Denninger karl at denninger.net
Wed Feb 12 18:18:13 UTC 2020


On 2/12/2020 11:32, Michael Leone wrote:
> So we are mostly a MS Windows shop. But I use a Linux openssl as my
> root CA. What I am planning on doing, is creating a Windows
> intermediate CA, and using that to sign all my internal requests. But
> before I do that, I have a couple of questions.
>
> I have the steps to install the certificate services in AD, and create
> an intermediate CA request. What I'm wondering is, do I sign that cert
> differently than any normal cert? I don't see why I would. I mean, the
> request should specify that it wants to be a CA, and so I should just
> be able to 
>
> openssl ca -in <file> -out <file>
>
> and maybe the -extfile, to specify SANs.
>
> Am I correct in thinking that? I see many, many openssl examples, but
> they're all for creating an intermediate CA using openssl, which I'm
> not doing. And the rest of the examples seem to be how to sign using
> the resulting intermediate CA cert itself, which again, is not what I
> will be doing.
>
> Any pointers appreciated. Thanks!
>
You have to sign the intermediate with the root in order to maintain the
chain of custody and certification.

That is, the chain of trust is Root->Intermediate->......-> End Entity

You can (of course) branch more than once; it is common to have more
than one Intermediate, for example, for different types of entity for
which different parts of an organization have responsibility, and you
can sub-delegate intermediates as well.

Just note that when an end entity certificate is validated the entire
chain back to the root of trust (which is self-signed) has to be able to
be verified.

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/