You can create intermediate certificates using a root certificate.
Create a root CA certificate and its key. For more information, see Create a Root CA Certificate.
- Create an OpenSSL configuration file called ca_intermediate.cnf for the creation of the intermediate CA certificates.
It is similar to ca_root.cnf, but the policy setting in the [CA_default] section and the names and locations of the key and certificate are different.
- Generate the private key: a 4096-bit RSA key, protected with a strong cipher such as AES-256. For more information, see Generate a Private Key for Use with Certificates.
For example:
openssl genrsa -aes256 -out ca_intermediate.key 4096
When prompted for a pass phrase, use a strong one.
Note: Keep this key secure! If it is compromised, malicious users can make fake certificates that are not distinguishable from real ones, although the consequences are less severe than if the key of the root CA certificate is compromised.
- Create a signing request. An intermediate CA certificate must be signed by the root CA certificate:
    openssl req -config ca_intermediate.cnf \
        -new -sha256 \
        -key ca_intermediate.key \
        -out ca_intermediate.csr
- Sign the intermediate signing request with the root CA certificate.
The intermediate CA certificate should also be valid for a significant time, but not as long as the root CA certificate; for example, 10 years (3653 days):
    openssl ca -config ca_root.cnf \
        -extensions v3_intermediate_ca \
        -days 3653 -notext -md sha256 \
        -in ca_intermediate.csr \
        -out ca_intermediate.crt
You now have an intermediate CA certificate.
Both the root certificate and the intermediate certificate must be made available to anyone who must verify the certificates. They constitute a chain of trust that ensures the authenticity of the certificate owner.
You can make them available as separate CA certificates in your trust store, or you can concatenate them into one file and make this file available.
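The following script is an added example and not part of the original page: it runs the whole procedure above end to end in a throwaway directory, then checks the chain of trust the last two paragraphs describe. It writes minimal ca_root.cnf and ca_intermediate.cnf files (the page only names them; their contents here are assumptions, including the policy_strict/policy_loose sections and the v3_intermediate_ca extension section with pathlen:0), and the subject names, pass phrases and directory layout are constructed for the demo. Pass phrases are supplied with -passout/-passin only so the script runs unattended; interactively you would let openssl prompt, as the page does.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway root CA and an
# intermediate CA, sign the intermediate with the root, and verify the chain.
# Config contents, subjects, pass phrases and paths are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROOT_PASS='demo-root-pass-phrase-change-me'   # constructed; use a strong pass phrase
INT_PASS='demo-intermediate-pass-phrase'      # constructed

# Write a minimal OpenSSL CA config plus the CA database files openssl ca needs.
# Root and intermediate configs differ only in directory, key/cert names and policy.
# $1=config path  $2=CA directory  $3=private key  $4=certificate  $5=policy section
write_ca_config() {
  mkdir -p "$2/newcerts"
  : > "$2/index.txt"          # empty certificate database
  echo 1000 > "$2/serial"     # first serial number, hex
  cat > "$1" <<EOF
[ ca ]
default_ca        = CA_default

[ CA_default ]
dir               = $2
database          = $2/index.txt
new_certs_dir     = $2/newcerts
serial            = $2/serial
private_key       = $3
certificate       = $4
default_md        = sha256
policy            = $5
unique_subject    = no

# Root CA policy: only sign requests whose C and O match the root's own.
[ policy_strict ]
countryName       = match
organizationName  = match
commonName        = supplied

# Intermediate CA policy: any subject, as long as a CN is supplied.
[ policy_loose ]
commonName        = supplied

[ req ]
distinguished_name = req_dn
prompt            = no

# Placeholder; the subject is always passed with -subj in this script.
[ req_dn ]
commonName        = unused

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign

# pathlen:0 stops the intermediate from issuing further CA certificates.
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

build_pki() {
  ROOT="$WORK/root"
  write_ca_config "$WORK/ca_root.cnf" "$ROOT" "$ROOT/ca_root.key" "$ROOT/ca_root.crt" policy_strict
  write_ca_config "$WORK/ca_intermediate.cnf" "$WORK/intermediate" \
      "$WORK/ca_intermediate.key" "$WORK/ca_intermediate.crt" policy_loose

  # Root CA: 4096-bit RSA key encrypted with AES-256, self-signed for 20 years.
  openssl genrsa -aes256 -passout "pass:$ROOT_PASS" -out "$ROOT/ca_root.key" 4096 2>/dev/null
  openssl req -config "$WORK/ca_root.cnf" -key "$ROOT/ca_root.key" -passin "pass:$ROOT_PASS" \
      -new -x509 -days 7305 -sha256 -extensions v3_ca \
      -subj "/C=XX/O=Example Org/CN=Example Root CA" -out "$ROOT/ca_root.crt"

  # Intermediate CA: key, signing request, then signed by the root for 10 years.
  openssl genrsa -aes256 -passout "pass:$INT_PASS" -out "$WORK/ca_intermediate.key" 4096 2>/dev/null
  openssl req -config "$WORK/ca_intermediate.cnf" -new -sha256 \
      -key "$WORK/ca_intermediate.key" -passin "pass:$INT_PASS" \
      -subj "/C=XX/O=Example Org/CN=Example Intermediate CA" -out "$WORK/ca_intermediate.csr"
  openssl ca -batch -config "$WORK/ca_root.cnf" -passin "pass:$ROOT_PASS" \
      -extensions v3_intermediate_ca -days 3653 -notext -md sha256 \
      -in "$WORK/ca_intermediate.csr" -out "$WORK/ca_intermediate.crt" 2>/dev/null

  # Chain file for distribution: intermediate first, then root.
  cat "$WORK/ca_intermediate.crt" "$ROOT/ca_root.crt" > "$WORK/ca_chain.crt"
}

# Check the intermediate against the root, as a relying party with the root in
# its trust store would. Exit status 0 means the chain of trust holds.
verify_intermediate() {
  openssl verify -CAfile "$WORK/root/ca_root.crt" "$WORK/ca_intermediate.crt" >/dev/null 2>&1
}

# Confirm the issued certificate is a CA certificate limited to pathlen:0.
intermediate_is_constrained_ca() {
  openssl x509 -in "$WORK/ca_intermediate.crt" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

# Number of certificates in the concatenated chain file (expected: 2).
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/ca_chain.crt"
}

build_pki
verify_intermediate && echo "intermediate verifies against root: OK"
echo "artifacts left in $WORK"
```

If the signing step fails with a policy error, the CSR subject does not satisfy the root's policy_strict section (C and O must match the root certificate); that is the intended effect of keeping the root's policy tighter than the intermediate's.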