calvin.house/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

corrections, edits, and additions

Browse Source
This commit is contained in:
Calvin L House, Jr
2026-04-10 03:28:56 +00:00
parent 69eede65d8
commit 8a3e979f94
3 changed files with 96 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
tls_docs/ca/intermediate_ca_config.md
View File

@@ -7,39 +7,53 @@ Now that there's a Root CA established, one or more Intermediate CA can be creat
Copy the [root.cnf](./root.cnf) to the Intermediate CA and change the name to *intermediate.cnf* (or whatever name desired to distinguish it from the root CA) on the Intermediate CA and change the policy section under the [CA_default] from `policy_strict` to `policy_loose` since the Intermediate CA isn't signing certificates for other CAs, it can have a less strict policy.
### Create the Intermediate CA key (on Root CA)
```
openssl genrsa -aes256 -out private/intermediate-ca.key
chmod 400 private/intermediate-ca.key
```
### Create the certificate signing request (CSR) for the Intermediate CA using the intermediate.cnf configuration (on the Root CA)
```
openssl req -config intermediate.cnf -new -sha256 -key private/intermediate-ca.key -out csr/intermediate-ca.csr
```
### Sign the certificate using the root.cnf using the `v3_intermediate_ca` extension the paths are defined in the root.cnf so do not need to be explicitly defined in the command (on the Root CA)
```
openssl ca -config root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in csr/intermediate-ca.csr -out certs/intermidate-ca.crt
chmod 444 certs/intermediate-ca.crt
```
### Verify the certificate information and verify the trust chain (on the Root CA)
```
openssl x509 -noout -text -in certs/intermediate-ca.crt
openssl verify -CAfile certs/root-ca.crt certs/intermediate-ca.crt # should return certs/intermediate-ca.crt: OK
```
### Create the ca-bundle.crt (on the Root CA)
```
cat certs/root-ca.crt certs/intermediate-ca.crt > certs/ca-bundle.crt
cat certs/intermediate-ca.crt certs/root-ca.crt > certs/ca-bundle.crt
```
Verify the chain order (the root CA should be last in the chain)
```
openssl crl2pkcs7 -nocrl -certfile ca-bundle.crt | openssl pkcs7 -print_certs -text -noout
```
### Create an archive of the ca-bundle.crt intermediate-ca.crt, and intermediate-ca.crt transport to the Intermediate CA using your preferred transport method
```
tar cvzf intermediate-ca.tar.gz certs/ca-bundle.crt certs/intermediate-ca.crt private/intermediate-ca.key
```
### Create dirs, serial, and index for Intermediate CA on Intermediate CA (same dirs as the root but with a bundles dir)
```
mkdir -p /path/to/intermediate_ca/{bundles,certs,csr,crl,newcerts,private}
cd /path/to/intermediate_ca
@@ -47,6 +61,7 @@ chmod 700 private
```
### Create a CRL number on Intermediate CA (creating this for later use)
```
echo 1000 > /path/to/intermediate_ca/crlnumber
```