On 2/12/2020 11:32, Michael Leone
wrote:
So we are mostly a MS Windows shop. But I use a Linux openssl as my root CA. What I am planning on doing, is creating a Windows intermediate CA, and using that to sign all my internal requests. But before I do that, I have a couple of questions.
I have the steps to install the certificate services in AD, and create an intermediate CA request. What I'm wondering is, do I sign that cert differently than any normal cert? I don't see why I would. I mean, the request should specify that it wants to be a CA, and so I should just be able to
openssl ca -in <file> -out <file>
and maybe the -extfile, to specify SANs.
Am I correct in thinking that? I see many, many openssl examples, but they're all for creating an intermediate CA using openssl, which I'm not doing. And the rest of the examples seem to be how to sign using the resulting intermediate CA cert itself, which again, is not what I will be doing .
Any pointers appreciated. Thanks!
You have to sign the intermediate with the root in order to
maintain the chain of custody and certification.
That is, the chain of trust is Root->Intermediate->......-> End Entity
You can (of course) branch more than once; it is common to have more than one Intermediate, for example, for different types of entity for which different parts of an organization have responsibility, and you can sub-delegate intermediates as well.
Just note that when an end entity certificate is validated the
entire chain back to the root of trust (which is self-signed) has
to be able to be verified.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
