Table of Contents

Intermediate Certificate Authorities

Intermediate CAs are special authorities that are allowed to sign certificates on behalf of the root CA. This is generally more secure than signing certificates directly with the root key since there is an extra layer between the clients' keys and the root key. It also helps with separation of duties. For example, a university that wants to allow departments to manage their own SSL certificates would allow each department to operate as an intermediate CA.

The intermediate CA requires its own directory, configuration, and database. Please refer to the setup instructions for details on how to set up a CA base directory and configuration. For simplicity, the intermediate CA can use the same openssl.cnf as the root CA.

Generating an Intermediate CA Certificate

We start by generating a key. Since this key will be used to sign other certificates, it should be password-protected like the root CA key:

$ openssl genrsa -aes256 -out private/ca.key.pem 4096

For more information on encryption and key size options, please refer to the section on generating a root key.

Next, we need to obtain a certificate signed by the root CA, so we generate a CSR:

$ openssl req -new \
    -config openssl.cnf \
    -key private/ca.key.pem \
    -out ca.csr.pem

Fill out the information, but make sure the common name is different from that of the root CA.

Country
US
State
Texas
Locality
Dallas
Organization
Example Organization
Unit
Intermediate Certificate Authority
Common
Example Intermediate CA
Email
intermediate@example.com

The CSR is then signed by the root CA. Be sure to change to the root CA's base directory and then sign the intermediate authority CSR. Take note that the v3_ca configuration extension is required to allow the resulting certificate to be used as an authority.[1]

$ openssl ca \
    -config opensssl.cnf \
    -extensions v3_ca \
    -out /path/to/IntermediateCA/ca.crt.pem \
    -infiles /path/to/IntermediateCA/ca.csr.pem

Chained Verification

When verifying certificates signed by the intermediate authority, browsers and clients will also need to verify the signature on the intermediate CA against the root CA. This is accomplished with a certificate chain, which consists of all the certificates grouped into a single file:

$ cat ca.crt.pem /path/to/RootCA/ca.crt.pem > ca-chain.crt.pem

To verify keys, they must be checked against the ca-chain.crt.pem file instead of an individual certificate:

$ openssl verify -CAfile ca-chain.crt.pem certs/www.example.com.crt.pem

Using an Intermediate CA

Site and personal CSRs may be signed by the intermediate CA just as they would by the root CA. However, the certificate distribution steps must be adjusted.

When installing a site certificate, the root certificate must be replaced by the chained certificates. That is, ca-chain.crt.pem must be distributed to clients instead of ca.crt.pem.

When packaging a PKCS 12 archive for a client certificate, the -certfile similarly must be certificate chain instead of the root certificate.

Footnotes

  1. [] The v3_ca extension was also used to generate the self-signed root certificate.