Questions about signing an intermediate CA

Karl Denninger
Wed Feb 12 18:18:13 UTC 2020

On 2/12/2020 11:32, Michael Leone wrote:
> So we are mostly a MS Windows shop. But I use a Linux openssl as my
> root CA. What I am planning on doing, is creating a Windows
> intermediate CA, and using that to sign all my internal requests. But
> before I do that, I have a couple of questions.
> I have the steps to install the certificate services in AD, and create
> an intermediate CA request. What I'm wondering is, do I sign that cert
> differently than any normal cert? I don't see why I would. I mean, the
> request should specify that it wants to be a CA, and so I should just
> be able to 
> openssl ca -in <file> -out <file>
> and maybe the -extfile, to specify SANs.
> Am I correct in thinking that? I see many, many openssl examples, but
> they're all for creating an intermediate CA using openssl, which I'm
> not doing. And the rest of the examples seem to be how to sign using
> the resulting intermediate CA cert itself, which again, is not what I
> will be doing.
> Any pointers appreciated. Thanks!
You have to sign the intermediate with the root in order to maintain the
chain of custody and certification.

That is, the chain of trust is Root->Intermediate->......-> End Entity

You can (of course) branch more than once; it is common to have more
than one Intermediate, for example, for different types of entity for
which different parts of an organization have responsibility, and you
can sub-delegate intermediates as well.

Just note that when an end entity certificate is validated the entire
chain back to the root of trust (which is self-signed) has to be able to
be verified.

Karl Denninger
/The Market Ticker/
/[S/MIME encrypted email preferred]/
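The practical consequence of the point above, as an added example that is not part of the thread and not the poster's Windows setup: when the root is driven by `openssl ca`, whether the intermediate is a CA at all is decided by the extension section named with `-extensions` (from the config or from an `-extfile`), not by what the request asks for, because `copy_extensions` defaults to `none`. The script below builds a root, signs one CA-flagged CSR (standing in for the Windows intermediate request) first with an ordinary end-entity section and then with a CA section, issues a leaf under each, and runs `openssl verify` on both chains. It assumes OpenSSL 1.1.1 or later on PATH; the names, paths, key sizes and the `v3_root`/`v3_ca`/`usr_cert` section names are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a root CA driven by `openssl ca` signs
# one CA-flagged request (stand-in for the Windows intermediate CSR) with an
# end-entity section and with a CA section; a leaf under each is verified.
# Assumes OpenSSL 1.1.1+ on PATH; every name and path here is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal root-CA config. copy_extensions=none (also the default) means the
# CSR's own CA:TRUE never reaches the issued cert; the section named with
# -extensions decides what the certificate carries.
write_config() {
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 1000 > ca/serial
  cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = root_ca

[ root_ca ]
dir             = ./ca
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/root.crt
private_key     = $dir/root.key
default_md      = sha256
default_days    = 1825
policy          = policy_any
unique_subject  = no
copy_extensions = none

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

# Self-signed trust anchor: CA:TRUE with no pathlen, so it may have intermediates.
[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Intermediate: may sign certs; pathlen:0 forbids further sub-delegation
# (drop it if the intermediate should itself issue CA certificates).
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

# "Any normal cert": signing the intermediate request with this section
# silently yields a non-CA certificate.
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

make_root() {
  openssl req -x509 -config ca/openssl.cnf -extensions v3_root -newkey rsa:2048 \
    -nodes -keyout ca/root.key -out ca/root.crt -subj "/CN=Example Root CA" \
    -days 3650 2>/dev/null
}

# The request the Windows side would hand over; note that it asks for CA:TRUE.
make_sub_csr() {
  openssl req -new -config ca/openssl.cnf -newkey rsa:2048 -nodes -keyout sub.key \
    -out sub.csr -subj "/CN=Example Issuing CA" \
    -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
}

# sign_sub <section> <out>: the root signs the intermediate request.
sign_sub() {
  openssl ca -batch -notext -config ca/openssl.cnf -extensions "$1" \
    -in sub.csr -out "$2" 2>/dev/null
}

# sign_leaf <issuer cert> <out>: the intermediate's key signs an end-entity cert.
sign_leaf() {
  openssl req -new -config ca/openssl.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=host.example.internal" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA "$1" -CAkey sub.key -CAcreateserial -days 365 \
    -sha256 -extfile ca/openssl.cnf -extensions usr_cert -out "$2" 2>/dev/null
}

# is_ca <cert>: succeeds iff basicConstraints says CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chain_ok <intermediate> <leaf>: full path validation back to the root.
chain_ok() { openssl verify -CAfile ca/root.crt -untrusted "$1" "$2" >/dev/null 2>&1; }

write_config; make_root; make_sub_csr
sign_sub usr_cert sub-wrong.crt     # "like any other cert": CA:TRUE is lost
sign_sub v3_ca    sub.crt           # with the CA section: a real intermediate
sign_leaf sub-wrong.crt leaf-wrong.crt
sign_leaf sub.crt       leaf.crt
for c in sub-wrong.crt sub.crt; do
  if chain_ok "$c" "leaf${c#sub}"; then echo "$c: chain verifies"; else echo "$c: chain FAILS"; fi
done
```

The first intermediate, signed with the end-entity section, comes back with CA:FALSE and no keyCertSign, so `openssl verify` rejects everything it issues with "invalid CA certificate"; the second, signed with the CA section, verifies all the way back to the self-signed root. The same rule applies when the extensions live in a separate file: `-extfile` only supplies the file, and `-extensions` still has to name a section that says CA:TRUE.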