tls_docs/ca/intermediate_ca_config.md

# Create the Intermediate CA(s)

Now that there's a Root CA established, one or more Intermediate CA can be created. These CAs will be signing certificates on behalf of the Root CA, but ***WILL NOT*** create new CAs.

### Create and edit the intermediate CA configuration

Copy the [root.cnf](./root.cnf) to the Intermediate CA and change the name to *intermediate.cnf* (or whatever name desired to distinguish it from the root CA) on the Intermediate CA and change the policy section under the [CA_default] from `policy_strict` to `policy_loose` since the Intermediate CA isn't signing certificates for other CAs, it can have a less strict policy. 

### Create the Intermediate CA key (on Root CA)

```
openssl genrsa -aes256 -out private/intermediate-ca.key
chmod 400 private/intermediate-ca.key
```

### Create the certificate signing request (CSR) for the Intermediate CA using the intermediate.cnf configuration (on the Root CA)

```
openssl req -config intermediate.cnf -new -sha256 -key private/intermediate-ca.key -out csr/intermediate-ca.csr
```

### Sign the certificate using the root.cnf using the `v3_intermediate_ca` extension the paths are defined in the root.cnf so do not need to be explicitly defined in the command (on the Root CA)

```
openssl ca -config root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in csr/intermediate-ca.csr -out certs/intermidate-ca.crt
chmod 444 certs/intermediate-ca.crt
```

### Verify the certificate information and verify the trust chain (on the Root CA)

```
openssl x509 -noout -text -in certs/intermediate-ca.crt
openssl verify -CAfile certs/root-ca.crt certs/intermediate-ca.crt # should return certs/intermediate-ca.crt: OK
```

### Create the ca-bundle.crt (on the Root CA)

```
cat certs/intermediate-ca.crt certs/root-ca.crt > certs/ca-bundle.crt
```

Verify the chain order (the root CA should be last in the chain)

```
openssl crl2pkcs7 -nocrl -certfile ca-bundle.crt | openssl pkcs7 -print_certs -text -noout
```


### Create an archive of the ca-bundle.crt intermediate-ca.crt, and intermediate-ca.crt transport to the Intermediate CA using your preferred transport method

```
tar cvzf intermediate-ca.tar.gz certs/ca-bundle.crt certs/intermediate-ca.crt private/intermediate-ca.key
```

### Create dirs, serial, and index for Intermediate CA on Intermediate CA (same dirs as the root but with a bundles dir)

```
mkdir -p /path/to/intermediate_ca/{bundles,certs,csr,crl,newcerts,private}
cd /path/to/intermediate_ca
chmod 700 private
```

### Create a CRL number on Intermediate CA (creating this for later use)

```
echo 1000 > /path/to/intermediate_ca/crlnumber
```

### Extract archive and move the ca-bundle.crt, intermediate-ca.crt, and intermediate-ca.key to their respective dirs (it may ask to override previous permissions. You can accept using y and reapply the permissions)
tar xvf intermediate-ca.tar.gz --strip-components 1
mv {ca-bundle-crt,intermediate.crt} certs/
mv intermediate-ca.key private/

Edit your *intermediate.cnf* to reflect the locations of your *intermediate.crt* and *intermediate.key* and the `dir` option just as was done for the Root CA earlier. The *intermediate.cnf* should look similar to [this](./intermediate.cnf)
initial commit 2025-11-07 03:44:26 +00:00			`# Create the Intermediate CA(s)`

			`Now that there's a Root CA established, one or more Intermediate CA can be created. These CAs will be signing certificates on behalf of the Root CA, but *WILL NOT* create new CAs.`

			`### Create and edit the intermediate CA configuration`

			Copy the [root.cnf](./root.cnf) to the Intermediate CA and change the name to intermediate.cnf (or whatever name desired to distinguish it from the root CA) on the Intermediate CA and change the policy section under the [CA_default] from `policy_strict` to `policy_loose` since the Intermediate CA isn't signing certificates for other CAs, it can have a less strict policy.

			`### Create the Intermediate CA key (on Root CA)`
corrections, edits, and additions 2026-04-10 03:28:56 +00:00
initial commit 2025-11-07 03:44:26 +00:00			```
			`openssl genrsa -aes256 -out private/intermediate-ca.key`
			`chmod 400 private/intermediate-ca.key`
			```

			`### Create the certificate signing request (CSR) for the Intermediate CA using the intermediate.cnf configuration (on the Root CA)`
corrections, edits, and additions 2026-04-10 03:28:56 +00:00
initial commit 2025-11-07 03:44:26 +00:00			```
			`openssl req -config intermediate.cnf -new -sha256 -key private/intermediate-ca.key -out csr/intermediate-ca.csr`
			```

			### Sign the certificate using the root.cnf using the `v3_intermediate_ca` extension the paths are defined in the root.cnf so do not need to be explicitly defined in the command (on the Root CA)
corrections, edits, and additions 2026-04-10 03:28:56 +00:00
initial commit 2025-11-07 03:44:26 +00:00			```
			`openssl ca -config root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in csr/intermediate-ca.csr -out certs/intermidate-ca.crt`
			`chmod 444 certs/intermediate-ca.crt`
			```

			`### Verify the certificate information and verify the trust chain (on the Root CA)`
corrections, edits, and additions 2026-04-10 03:28:56 +00:00
initial commit 2025-11-07 03:44:26 +00:00			```
			`openssl x509 -noout -text -in certs/intermediate-ca.crt`
			`openssl verify -CAfile certs/root-ca.crt certs/intermediate-ca.crt # should return certs/intermediate-ca.crt: OK`
			```

			`### Create the ca-bundle.crt (on the Root CA)`
corrections, edits, and additions 2026-04-10 03:28:56 +00:00
initial commit 2025-11-07 03:44:26 +00:00			```
corrections, edits, and additions 2026-04-10 03:28:56 +00:00			`cat certs/intermediate-ca.crt certs/root-ca.crt > certs/ca-bundle.crt`
initial commit 2025-11-07 03:44:26 +00:00			```

corrections, edits, and additions 2026-04-10 03:28:56 +00:00			`Verify the chain order (the root CA should be last in the chain)`

			```
			`openssl crl2pkcs7 -nocrl -certfile ca-bundle.crt \| openssl pkcs7 -print_certs -text -noout`
			```


initial commit 2025-11-07 03:44:26 +00:00			`### Create an archive of the ca-bundle.crt intermediate-ca.crt, and intermediate-ca.crt transport to the Intermediate CA using your preferred transport method`
corrections, edits, and additions 2026-04-10 03:28:56 +00:00
initial commit 2025-11-07 03:44:26 +00:00			```
			`tar cvzf intermediate-ca.tar.gz certs/ca-bundle.crt certs/intermediate-ca.crt private/intermediate-ca.key`
			```

			`### Create dirs, serial, and index for Intermediate CA on Intermediate CA (same dirs as the root but with a bundles dir)`
corrections, edits, and additions 2026-04-10 03:28:56 +00:00
initial commit 2025-11-07 03:44:26 +00:00			```
			`mkdir -p /path/to/intermediate_ca/{bundles,certs,csr,crl,newcerts,private}`
			`cd /path/to/intermediate_ca`
			`chmod 700 private`
			```

			`### Create a CRL number on Intermediate CA (creating this for later use)`
corrections, edits, and additions 2026-04-10 03:28:56 +00:00
initial commit 2025-11-07 03:44:26 +00:00			```
			`echo 1000 > /path/to/intermediate_ca/crlnumber`
			```

			`### Extract archive and move the ca-bundle.crt, intermediate-ca.crt, and intermediate-ca.key to their respective dirs (it may ask to override previous permissions. You can accept using y and reapply the permissions)`
			`tar xvf intermediate-ca.tar.gz --strip-components 1`
			`mv {ca-bundle-crt,intermediate.crt} certs/`
			`mv intermediate-ca.key private/`

			Edit your intermediate.cnf to reflect the locations of your intermediate.crt and intermediate.key and the `dir` option just as was done for the Root CA earlier. The intermediate.cnf should look similar to [this](./intermediate.cnf)