Create the Intermediate CA(s)
Now that there's a Root CA established, one or more Intermediate CAs can be created. These CAs will sign certificates on behalf of the Root CA, but WILL NOT create new CAs.
Create and edit the intermediate CA configuration
Copy the root.cnf to the Intermediate CA and rename it intermediate.cnf (or whatever name distinguishes it from the root CA's config). In the [CA_default] section, change the policy from policy_strict to policy_loose: since the Intermediate CA isn't signing certificates for other CAs, it can have a less strict policy.
Create the Intermediate CA key (on Root CA)
openssl genrsa -aes256 -out private/intermediate-ca.key
chmod 400 private/intermediate-ca.key
Create the certificate signing request (CSR) for the Intermediate CA using the intermediate.cnf configuration (on the Root CA)
openssl req -config intermediate.cnf -new -sha256 -key private/intermediate-ca.key -out csr/intermediate-ca.csr
Sign the certificate using root.cnf with the v3_intermediate_ca extension. The paths are defined in root.cnf, so they do not need to be given explicitly on the command line (on the Root CA)
openssl ca -config root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in csr/intermediate-ca.csr -out certs/intermediate-ca.crt
chmod 444 certs/intermediate-ca.crt
Verify the certificate information and verify the trust chain (on the Root CA)
openssl x509 -noout -text -in certs/intermediate-ca.crt
openssl verify -CAfile certs/root-ca.crt certs/intermediate-ca.crt # should return certs/intermediate-ca.crt: OK
Create the ca-bundle.crt (on the Root CA)
cat certs/root-ca.crt certs/intermediate-ca.crt > certs/ca-bundle.crt
Create an archive of ca-bundle.crt, intermediate-ca.crt, and intermediate-ca.key, and transport it to the Intermediate CA using your preferred transport method
tar cvzf intermediate-ca.tar.gz certs/ca-bundle.crt certs/intermediate-ca.crt private/intermediate-ca.key
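The root-side steps above (intermediate key, CSR from intermediate.cnf, signing with the v3_intermediate_ca extension, verification and ca-bundle.crt) as one runnable script. This is an added example, not the page's own commands or config: the minimal root.cnf and intermediate.cnf it writes are constructed stand-ins for the page's root.cnf (the policy_strict/policy_loose, v3_ca and v3_intermediate_ca sections are the parts that matter), the passphrase and DN values are constructed, and everything runs in one temporary directory rather than on two hosts.

```shell
#!/bin/sh
# Added example, not the page's own commands or config: builds a throwaway
# Root CA and Intermediate CA in one temp directory, signs the intermediate
# with v3_intermediate_ca, verifies the chain and writes ca-bundle.crt.
set -eu

# Constructed passphrase so the run is non-interactive (assumption).
PASS="constructed-example-passphrase"

# write_cnf DIR NAME CN POLICY OUT: minimal stand-in for the page's root.cnf.
# NAME selects the key/cert paths, so intermediate.cnf already points at
# its own files the way the page says to edit it later.
write_cnf() {
  cat > "$5" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $1
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/$2.key
certificate = \$dir/certs/$2.crt
default_md = sha256
default_days = 3650
unique_subject = no
policy = $4

# policy_strict: a CSR signed by the root must match its C and O
[ policy_strict ]
countryName = match
organizationName = match
commonName = supplied

# policy_loose: end-entity CSRs may carry any C and O
[ policy_loose ]
countryName = optional
organizationName = optional
commonName = supplied

[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca

[ req_dn ]
C = US
O = Example Lab
CN = $3

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

# pathlen:0 is what stops the intermediate from issuing further CAs
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# build_chain DIR: the page's root-side steps, run inside DIR
build_chain() {
  d=$1
  mkdir -p "$d/certs" "$d/csr" "$d/newcerts" "$d/private"
  chmod 700 "$d/private"
  touch "$d/index.txt"            # openssl ca database
  echo 1000 > "$d/serial"         # next serial number
  write_cnf "$d" root-ca "Example Root CA" policy_strict "$d/root.cnf"
  write_cnf "$d" intermediate-ca "Example Intermediate CA" policy_loose "$d/intermediate.cnf"

  # Root CA key and self-signed certificate (the page's earlier section)
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$d/private/root-ca.key" 2048
  openssl req -config "$d/root.cnf" -x509 -new -sha256 -days 7300 -extensions v3_ca \
    -key "$d/private/root-ca.key" -passin "pass:$PASS" -out "$d/certs/root-ca.crt"

  # Intermediate key, CSR from intermediate.cnf, signed by the root with v3_intermediate_ca
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$d/private/intermediate-ca.key" 2048
  chmod 400 "$d/private/intermediate-ca.key"
  openssl req -config "$d/intermediate.cnf" -new -sha256 \
    -key "$d/private/intermediate-ca.key" -passin "pass:$PASS" -out "$d/csr/intermediate-ca.csr"
  openssl ca -batch -config "$d/root.cnf" -extensions v3_intermediate_ca -days 3650 -notext \
    -md sha256 -passin "pass:$PASS" -in "$d/csr/intermediate-ca.csr" -out "$d/certs/intermediate-ca.crt"
  chmod 444 "$d/certs/intermediate-ca.crt"

  # Bundle, root first as on the page
  cat "$d/certs/root-ca.crt" "$d/certs/intermediate-ca.crt" > "$d/certs/ca-bundle.crt"
}

# verify_chain DIR: prints the openssl verify line, "<path>: OK" on success
verify_chain() {
  openssl verify -CAfile "$1/certs/root-ca.crt" "$1/certs/intermediate-ca.crt"
}

# intermediate_cannot_issue_cas DIR: succeeds only if pathlen:0 is present
intermediate_cannot_issue_cas() {
  openssl x509 -noout -text -in "$1/certs/intermediate-ca.crt" | grep -q 'pathlen:0'
}

# Stand-alone run
work=$(mktemp -d)
build_chain "$work"
verify_chain "$work"
intermediate_cannot_issue_cas "$work" && echo "intermediate has pathlen:0"
```

Two things worth checking on a real run that the verify step alone does not show: that the issued intermediate carries basicConstraints with pathlen:0 (the property that makes "WILL NOT create new CAs" enforceable rather than a convention), and that the bundle contains exactly the two certificates in the expected order. The page's flow generates the intermediate key on the Root CA and then moves it in the tarball; the same steps work if the key and CSR are generated on the Intermediate CA and only the CSR travels to the root, which avoids transporting a private key at all.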
Create dirs, serial, and index for Intermediate CA on Intermediate CA (same dirs as the root but with a bundles dir)
mkdir -p /path/to/intermediate_ca/{bundles,certs,csr,crl,newcerts,private}
cd /path/to/intermediate_ca
chmod 700 private
Create a CRL number on Intermediate CA (creating this for later use)
echo 1000 > /path/to/intermediate_ca/crlnumber
Extract the archive and move ca-bundle.crt, intermediate-ca.crt, and intermediate-ca.key to their respective dirs (tar may ask whether to override existing permissions; answer y and reapply the permissions afterwards)
tar xvzf intermediate-ca.tar.gz --strip-components 1
mv ca-bundle.crt intermediate-ca.crt certs/
mv intermediate-ca.key private/
Edit your intermediate.cnf to reflect the locations of intermediate-ca.crt and intermediate-ca.key and the dir option, just as was done for the Root CA earlier. The intermediate.cnf should look similar to this