Generating an Intermediate CA Certificate
We start by generating a key. Since this key will be used to sign other certificates, it should be password-protected like the root CA key:
$ openssl genrsa -aes256 -out private/ca.key.pem 4096
For more information on encryption and key size options, please refer to the section on generating a root key.
Next, we need to obtain a certificate signed by the root CA, so we generate a CSR:
$ openssl req -new \
    -config openssl.cnf \
    -key private/ca.key.pem \
    -out ca.csr.pem
Fill out the information, but make sure the common name is different from that of the root CA.
- Example Organization
- Intermediate Certificate Authority
- Example Intermediate CA
The CSR is then signed by the root CA. Be sure to change to the root CA's base directory and then sign the intermediate authority CSR. Take note that the v3_ca configuration extension is required to allow the resulting certificate to be used as an authority.
$ openssl ca \
    -config openssl.cnf \
    -extensions v3_ca \
    -out /path/to/IntermediateCA/ca.crt.pem \
    -infiles /path/to/IntermediateCA/ca.csr.pem
When verifying certificates signed by the intermediate authority, browsers and clients will also need to verify the signature on the intermediate CA certificate against the root CA. This is accomplished with a certificate chain: the intermediate certificate followed by the root certificate, concatenated into a single file:
$ cat ca.crt.pem /path/to/RootCA/ca.crt.pem > ca-chain.crt.pem
To verify certificates issued by the intermediate CA, check them against the ca-chain.crt.pem file instead of an individual CA certificate:
$ openssl verify -CAfile ca-chain.crt.pem certs/www.example.com.crt.pem
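The whole procedure above, as an added example that is not part of the original guide: it builds a throwaway root, intermediate and site certificate in a scratch directory (using openssl x509 -req with an inline config instead of the guide's openssl ca setup) and shows that the site certificate verifies against ca-chain.crt.pem but not against the root certificate alone. It assumes the openssl CLI, version 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original guide: builds a disposable root -> intermediate -> site
# hierarchy in a scratch directory and shows the site certificate verifies only against the chain
# file. Assumes the openssl CLI (1.1.1 or newer); keys are unencrypted only because they are throwaway.
set -eu
make_demo_pki() {   # $1 = scratch directory
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
EOF
  # Root CA: self-signed, with the v3_ca extensions that mark it as an authority
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Organization/CN=Example Root CA" \
    -keyout "$d/root.key.pem" -out "$d/root.crt.pem" 2>/dev/null
  # Intermediate CA: key and CSR, then signed by the root with CA:TRUE (pathlen:0 = no sub-CAs)
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Example Organization/OU=Intermediate Certificate Authority/CN=Example Intermediate CA" \
    -keyout "$d/ca.key.pem" -out "$d/ca.csr.pem" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/ca.csr.pem" -CA "$d/root.crt.pem" -CAkey "$d/root.key.pem" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_intermediate -out "$d/ca.crt.pem" 2>/dev/null
  # Site certificate signed by the intermediate, not by the root
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$d/www.key.pem" -out "$d/www.csr.pem" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/www.csr.pem" -CA "$d/ca.crt.pem" -CAkey "$d/ca.key.pem" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_leaf -out "$d/www.crt.pem" 2>/dev/null
  # Chain file: intermediate first, then root, as in the guide
  cat "$d/ca.crt.pem" "$d/root.crt.pem" > "$d/ca-chain.crt.pem"
}
verify_site_cert() {   # $1 = scratch directory, $2 = trust file; prints ok or fail
  if openssl verify -CAfile "$1/$2" "$1/www.crt.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
echo "against ca-chain.crt.pem: $(verify_site_cert "$DEMO_DIR" ca-chain.crt.pem)"   # ok
echo "against root.crt.pem only: $(verify_site_cert "$DEMO_DIR" root.crt.pem)"     # fail
```

The second check fails because the verifier cannot find the intermediate's certificate anywhere, which is exactly the situation a client is in when only ca.crt.pem of the root is distributed.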
Using an Intermediate CA
Site and personal CSRs may be signed by the intermediate CA just as they would by the root CA. However, the certificate distribution steps must be adjusted.
When installing a site certificate, the root certificate must be replaced by the chained certificates. That is, ca-chain.crt.pem must be distributed to clients instead of ca.crt.pem.
When packaging a PKCS#12 archive for a client certificate, the file passed to -certfile must similarly be the certificate chain rather than the root certificate.