On 2/12/2020 11:32, Michael Leone wrote:
> So we are mostly a MS Windows shop. But I use a Linux openssl as my
> root CA. What I am planning on doing, is creating a Windows
> intermediate CA, and using that to sign all my internal requests. But
> before I do that, I have a couple of questions.
>
> I have the steps to install the certificate services in AD, and create
> an intermediate CA request. What I'm wondering is, do I sign that cert
> differently than any normal cert? I don't see why I would. I mean, the
> request should specify that it wants to be a CA, and so I should just
> be able to
>
> openssl ca -in <file> -out <file>
>
> and maybe the -extfile, to specify SANs.
>
> Am I correct in thinking that? I see many, many openssl examples, but
> they're all for creating an intermediate CA using openssl, which I'm
> not doing. And the rest of the examples seem to be how to sign using
> the resulting intermediate CA cert itself, which again, is not what I
> will be doing.
>
> Any pointers appreciated. Thanks!
>

You have to sign the intermediate with the root in order to maintain the chain of custody and certification.

That is, the chain of trust is Root -> Intermediate -> ...... -> End Entity.

You can (of course) branch more than once; it is common to have more than one Intermediate, for example, for different types of entity for which different parts of an organization have responsibility, and you can sub-delegate intermediates as well. Just note that when an end entity certificate is validated the entire chain back to the root of trust (which is self-signed) has to be able to be verified.

-- 
Karl Denninger
k...@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/