Questions about signing an intermediate CA

Michael Leone turgon at
Wed Feb 12 18:59:23 UTC 2020

On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger <karl at> wrote:

> On 2/12/2020 11:32, Michael Leone wrote:
> So we are mostly a MS Windows shop. But I use a Linux openssl as my root
> CA. What I am planning on doing, is creating a Windows intermediate CA, and
> using that to sign all my internal requests. But before I do that, I have a
> couple of questions.
> I have the steps to install the certificate services in AD, and create an
> intermediate CA request. What I'm wondering is, do I sign that cert
> differently than any normal cert? I don't see why I would. I mean, the
> request should specify that it wants to be a CA, and so I should just be
> able to
> openssl ca -in <file> -out <file>
> and maybe the -extfile, to specify SANs.
> Am I correct in thinking that? I see many, many openssl examples, but
> they're all for creating an intermediate  CA using openssl, which I'm not
> doing. And the rest of the examples seem to be how to sign using the
> resulting intermediate CA cert itself, which again, is not what I will be
> doing .
> Any pointers appreciated. Thanks!
> You have to sign the intermediate with the root in order to maintain the
> chain of custody and certification.

Well, yes. Sorry if that wasn't clear. Yes, the only CA I have is the root,
so that is what I will be signing with. So what  I am asking, is the
signing command different for an intermediate CA than for a regular (I
guess the term is "End Entity") certificate?

(I already have the CA cert pushed out into the certificate stores of all
my domain members, so any new cert, issued by either the root or the
intermediate, will chain fully. (once I push out the intermediate cert to
all domain members).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list