Questions about signing an intermediate CA

Karl Denninger karl at
Wed Feb 12 20:31:34 UTC 2020

On 2/12/2020 12:59, Michael Leone wrote:
> On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger <karl at
> <mailto:karl at>> wrote:
>     On 2/12/2020 11:32, Michael Leone wrote:
>>     So we are mostly a MS Windows shop. But I use a Linux openssl as
>>     my root CA. What I am planning on doing, is creating a Windows
>>     intermediate CA, and using that to sign all my internal requests.
>>     But before I do that, I have a couple of questions.
>>     I have the steps to install the certificate services in AD, and
>>     create an intermediate CA request. What I'm wondering is, do I
>>     sign that cert differently than any normal cert? I don't see why
>>     I would. I mean, the request should specify that it wants to be a
>>     CA, and so I should just be able to 
>>     openssl ca -in <file> -out <file>
>>     and maybe the -extfile, to specify SANs.
>>     Am I correct in thinking that? I see many, many openssl examples,
>>     but they're all for creating an intermediate  CA using openssl,
>>     which I'm not doing. And the rest of the examples seem to be how
>>     to sign using the resulting intermediate CA cert itself, which
>>     again, is not what I will be doing .
>>     Any pointers appreciated. Thanks!
>     You have to sign the intermediate with the root in order to
>     maintain the chain of custody and certification.
> Well, yes. Sorry if that wasn't clear. Yes, the only CA I have is the
> root, so that is what I will be signing with. So what  I am asking, is
> the signing command different for an intermediate CA than for a
> regular (I guess the term is "End Entity") certificate?
No, other than specifying the signing certificate to be used (e.g. the
root CA) -- the certificate ITSELF, however, is different than an
end-entity certificate.  The EKU constraints should be correct (e.g.
chain length, etc) and "CA:true" has to be set for it (and must NOT be
set on an end-entity certificate.)  I have no clue what Microsoft does
or doesn't do with their certificate management stuff; I use OpenSSL to
do it.

Karl Denninger
karl at <mailto:karl at>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4897 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the openssl-users mailing list