# Create the Intermediate CA(s)

Now that there's a Root CA established, one or more Intermediate CAs can be created. These CAs will sign certificates on behalf of the Root CA, but ***WILL NOT*** create new CAs.

### Create and edit the intermediate CA configuration

Copy the [root.cnf](./root.cnf) to the Intermediate CA and rename it *intermediate.cnf* (or whatever name is desired to distinguish it from the root CA). Then change the `policy` setting in the `[CA_default]` section from `policy_strict` to `policy_loose`: since the Intermediate CA isn't signing certificates for other CAs, it can have a less strict policy.

### Create the Intermediate CA key (on the Root CA)

```
openssl genrsa -aes256 -out private/intermediate-ca.key
chmod 400 private/intermediate-ca.key
```

### Create the certificate signing request (CSR) for the Intermediate CA using the intermediate.cnf configuration (on the Root CA)

```
openssl req -config intermediate.cnf -new -sha256 -key private/intermediate-ca.key -out csr/intermediate-ca.csr
```

### Sign the certificate with root.cnf using the `v3_intermediate_ca` extension (on the Root CA)

The paths are defined in root.cnf, so they do not need to be given explicitly on the command line.

```
openssl ca -config root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in csr/intermediate-ca.csr -out certs/intermediate-ca.crt
chmod 444 certs/intermediate-ca.crt
```

### Verify the certificate information and verify the trust chain (on the Root CA)

```
openssl x509 -noout -text -in certs/intermediate-ca.crt
openssl verify -CAfile certs/root-ca.crt certs/intermediate-ca.crt
# should return certs/intermediate-ca.crt: OK
```

### Create the ca-bundle.crt (on the Root CA)

```
cat certs/root-ca.crt certs/intermediate-ca.crt > certs/ca-bundle.crt
```

### Create an archive of ca-bundle.crt, intermediate-ca.crt, and intermediate-ca.key and transport it to the Intermediate CA using your preferred transport method

```
tar cvzf intermediate-ca.tar.gz certs/ca-bundle.crt certs/intermediate-ca.crt private/intermediate-ca.key
```

### Create dirs, serial, and index for the Intermediate CA (on the Intermediate CA; same dirs as the root but with a bundles dir)

```
mkdir -p /path/to/intermediate_ca/{bundles,certs,csr,crl,newcerts,private}
cd /path/to/intermediate_ca
chmod 700 private
# the file names must match the `database` and `serial` entries in intermediate.cnf
touch index.txt
echo 1000 > serial
```

### Create a CRL number (on the Intermediate CA; created now for later use)

```
echo 1000 > /path/to/intermediate_ca/crlnumber
```

### Extract the archive and move ca-bundle.crt, intermediate-ca.crt, and intermediate-ca.key to their respective dirs (on the Intermediate CA)

tar may ask whether to override previous permissions; you can accept with `y` and reapply the permissions afterwards.

```
tar xvf intermediate-ca.tar.gz --strip-components 1
mv {ca-bundle.crt,intermediate-ca.crt} certs/
mv intermediate-ca.key private/
chmod 444 certs/intermediate-ca.crt
chmod 400 private/intermediate-ca.key
```

Edit your *intermediate.cnf* to reflect the locations of your *intermediate-ca.crt* and *intermediate-ca.key* and the `dir` option, just as was done for the Root CA earlier. The *intermediate.cnf* should look similar to [this](./intermediate.cnf).
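As an added example (not part of this guide), the POSIX shell script below combines the checks from the verify and bundle steps above into one function and adds the constraint that makes an intermediate unable to create new CAs: its `basicConstraints` must be `CA:TRUE, pathlen:0` (assumed to be what your `v3_intermediate_ca` section sets). It assumes `openssl` is in `PATH`; `make_demo_chain` builds throwaway, constructed certificates so the check can be exercised without touching a real CA.

```sh
#!/bin/sh
# Added example, not the guide's own code. Assumes POSIX sh and openssl in PATH.

# check_intermediate ROOT_CRT INTERMEDIATE_CRT BUNDLE
# Returns 0 only if the intermediate chains to the root (the guide's `openssl verify`),
# is CA:TRUE with pathlen:0 (can sign end-entity certs, cannot sign further CAs),
# and the bundle holds exactly the root followed by the intermediate.
check_intermediate() {
  root="$1"; inter="$2"; bundle="$3"
  openssl verify -CAfile "$root" "$inter" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$inter" | grep -q 'CA:TRUE, pathlen:0' || return 2
  [ "$(grep -c 'BEGIN CERTIFICATE' "$bundle")" -eq 2 ] || return 3
  first=$(awk '/BEGIN CERT/{n++} n==1' "$bundle" | openssl x509 -noout -fingerprint -sha256)
  second=$(awk '/BEGIN CERT/{n++} n==2' "$bundle" | openssl x509 -noout -fingerprint -sha256)
  [ "$first" = "$(openssl x509 -noout -fingerprint -sha256 -in "$root")" ] || return 4
  [ "$second" = "$(openssl x509 -noout -fingerprint -sha256 -in "$inter")" ] || return 5
  return 0
}

# make_demo_chain DIR [BAD]: constructed test data only (throwaway root + intermediate
# in DIR, using the guide's file names). With BAD=1 the intermediate gets no pathlen,
# which check_intermediate must reject.
make_demo_chain() {
  dir="$1"; mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/root.ext" -out "$dir/root-ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/intermediate-ca.key" -out "$dir/intermediate-ca.csr" >/dev/null 2>&1
  if [ "${2:-0}" = 1 ]; then bc='basicConstraints=critical,CA:TRUE'
  else bc='basicConstraints=critical,CA:TRUE,pathlen:0'; fi
  printf '%s\nkeyUsage=critical,keyCertSign,cRLSign\n' "$bc" > "$dir/intermediate.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/intermediate-ca.csr" -CA "$dir/root-ca.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/intermediate.ext" \
    -out "$dir/intermediate-ca.crt" >/dev/null 2>&1
  cat "$dir/root-ca.crt" "$dir/intermediate-ca.crt" > "$dir/ca-bundle.crt"
}

# Demo run on constructed data. On a real CA, run from the CA directory instead:
#   check_intermediate certs/root-ca.crt certs/intermediate-ca.crt certs/ca-bundle.crt
d=$(mktemp -d); make_demo_chain "$d"
check_intermediate "$d/root-ca.crt" "$d/intermediate-ca.crt" "$d/ca-bundle.crt" && echo "demo chain OK"
```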