On 2/12/2020 12:59, Michael Leone wrote:
> On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger <k...@denninger.net> wrote:
>
>> On 2/12/2020 11:32, Michael Leone wrote:
>>> So we are mostly a MS Windows shop. But I use a Linux openssl as my
>>> root CA. What I am planning on doing is creating a Windows
>>> intermediate CA, and using that to sign all my internal requests.
>>> But before I do that, I have a couple of questions.
>>>
>>> I have the steps to install the certificate services in AD, and
>>> create an intermediate CA request. What I'm wondering is, do I sign
>>> that cert differently than any normal cert? I don't see why I would.
>>> I mean, the request should specify that it wants to be a CA, and so
>>> I should just be able to
>>>
>>>     openssl ca -in <file> -out <file>
>>>
>>> and maybe the -extfile, to specify SANs.
>>>
>>> Am I correct in thinking that? I see many, many openssl examples,
>>> but they're all for creating an intermediate CA using openssl, which
>>> I'm not doing. And the rest of the examples seem to be how to sign
>>> using the resulting intermediate CA cert itself, which again, is not
>>> what I will be doing.
>>>
>>> Any pointers appreciated. Thanks!
>>
>> You have to sign the intermediate with the root in order to maintain
>> the chain of custody and certification.
>
> Well, yes. Sorry if that wasn't clear. Yes, the only CA I have is the
> root, so that is what I will be signing with. So what I am asking is,
> is the signing command different for an intermediate CA than for a
> regular (I guess the term is "End Entity") certificate?

No, other than specifying the signing certificate to be used (e.g. the root CA) -- the certificate ITSELF, however, is different than an end-entity certificate. The EKU constraints should be correct (e.g. chain length, etc.) and "CA:true" has to be set for it (and must NOT be set on an end-entity certificate).
I have no clue what Microsoft does or doesn't do with their certificate management stuff; I use OpenSSL to do it.
-- 
Karl Denninger
k...@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/