Questions about signing an intermediate CA

Michael Wojcik Michael.Wojcik at
Wed Feb 12 19:14:02 UTC 2020

> From: openssl-users [mailto:openssl-users-bounces at] On Behalf Of Michael Leone
> Sent: Wednesday, February 12, 2020 11:59

> ... the only CA I have is the root, so that is what I will be signing with.

This is incorrect. A CA is not a certificate. A CA is an organization or individual who controls one or more root certificates, and possibly one or more intermediate certificates.

Both root and intermediate certificates are CA certificates, in the sense that they should have the CA:TRUE basic constraint.

> So what I am asking, is the signing command different for an intermediate
> CA than for a regular (I guess the term is "End Entity") certificate?

Intermediate *certificate*, not "CA".

The command per se isn't necessarily different. What's different is what extensions are present in the certificate, per my other note.

> I already have the CA cert pushed out into the certificate stores of all
> my domain members, so any new cert, issued by either the root or the
> intermediate, will chain fully. (once I push out the intermediate cert to
> all domain members).

Note that servers should (CA/BF rules, and maybe PKIX? I don't remember for certain) send not just their entity certificate but the whole chain excepting the root. Having clients install the intermediate isn't a bad idea, and certainly has its use cases (e.g. user certificates for S/MIME), but servers are supposed to assume clients may not have anything more than the root.

Michael Wojcik

More information about the openssl-users mailing list