Re: Questions about signing an intermediate CA

On 2/12/2020 12:59, Michael Leone wrote:


On Wed, Feb 12, 2020 at 1:24 PM Karl Denninger <karl@xxxxxxxxxxxxx> wrote:
On 2/12/2020 11:32, Michael Leone wrote:
So we are mostly a MS Windows shop. But I use a Linux openssl as my root CA. What I am planning on doing, is creating a Windows intermediate CA, and using that to sign all my internal requests. But before I do that, I have a couple of questions.

I have the steps to install the certificate services in AD, and create an intermediate CA request. What I'm wondering is, do I sign that cert differently than any normal cert? I don't see why I would. I mean, the request should specify that it wants to be a CA, and so I should just be able to

openssl ca -in <file> -out <file>

and maybe the -extfile, to specify SANs.

Am I correct in thinking that? I see many, many openssl examples, but they're all for creating an intermediate CA using openssl, which I'm not doing. And the rest of the examples seem to be how to sign using the resulting intermediate CA cert itself, which again, is not what I will be doing.

Any pointers appreciated. Thanks!

You have to sign the intermediate with the root in order to maintain the chain of custody and certification.


Well, yes. Sorry if that wasn't clear. Yes, the only CA I have is the root, so that is what I will be signing with. So what I am asking is, is the signing command different for an intermediate CA than for a regular (I guess the term is "End Entity") certificate?

No, other than specifying the signing certificate to be used (e.g. the root CA) -- the certificate ITSELF, however, is different than an end-entity certificate.  The EKU constraints should be correct (e.g. chain length, etc) and "CA:true" has to be set for it (and must NOT be set on an end-entity certificate.)  I have no clue what Microsoft does or doesn't do with their certificate management stuff; I use OpenSSL to do it.

--
Karl Denninger
karl@xxxxxxxxxxxxx
The Market Ticker
[S/MIME encrypted email preferred]
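The point made in this exchange, worked through end to end as an added example that is not part of the thread: the `openssl ca` invocation for an intermediate is the same one used for any other request; what differs is the extension section passed via `-extfile`/`-extensions`. The script below builds a throwaway OpenSSL root, generates an intermediate CSR with openssl (standing in for the Windows AD CS request; the CSR's own extensions are irrelevant because `copy_extensions = none`), signs that CSR twice with the same root, once with a CA extension section (`basicConstraints = critical, CA:true, pathlen:0`, `keyUsage = keyCertSign, cRLSign`) and once with an end-entity section, and then shows that a leaf certificate issued by the second copy fails chain verification. All names (`Demo Root CA`, `host.example.internal`, the section names, the working directory layout) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: sign an intermediate CA CSR with an
# OpenSSL root using "openssl ca", and show that the only real difference from
# signing an end-entity certificate is the extension section you hand to it.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal CA database and configuration (all names here are constructed).
mkdir -p db/newcerts
: > db/index.txt
echo 1000 > db/serial

cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_root
[ demo_root ]
dir              = ./db
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = root.crt
private_key      = root.key
default_md       = sha256
default_days     = 1825
policy           = policy_any
unique_subject   = no
# CSR extensions are NOT honoured: the CA's config decides what a cert becomes.
copy_extensions  = none
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_root
[ req_dn ]
CN = unused-because-subj-is-given
[ v3_root ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# The -extfile: this is what makes the signed cert a CA (or not).
cat > ext.cnf <<'EOF'
# pathlen:0 means this intermediate may issue end-entity certs only.
[ v3_intermediate ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
# End-entity shape for contrast: CA:false, plus the SAN the thread mentions.
[ v3_end_entity ]
basicConstraints       = critical, CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:host.example.internal
EOF

# Self-signed root (stand-in for the Linux openssl root CA in the thread).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config ca.cnf -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.crt >/dev/null 2>&1

# Intermediate CSR (stand-in for the request exported from Windows AD CS).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/CN=Demo Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr >/dev/null 2>&1

# Same command both times; only -extensions differs.
openssl ca -batch -config ca.cnf -notext -extfile ext.cnf \
    -extensions v3_intermediate -in intermediate.csr -out intermediate.crt >/dev/null 2>&1
openssl ca -batch -config ca.cnf -notext -extfile ext.cnf \
    -extensions v3_end_entity -in intermediate.csr -out not-a-ca.crt >/dev/null 2>&1

# Pre-deployment check: does the issued cert actually carry CA:TRUE?
has_ca_true() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Issue a leaf under a given issuer and verify the chain up to the root.
# "openssl x509 -req" signs with any key, so the CA:true check only bites
# at verification time, which is what relying parties will do.
chain_result() {
    issuer_crt="$1"; issuer_key="$2"; leaf="$3"
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=host.example.internal" \
        -keyout "$leaf.key" -out "$leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$leaf.csr" -CA "$issuer_crt" -CAkey "$issuer_key" \
        -CAcreateserial -days 365 -sha256 -extfile ext.cnf \
        -extensions v3_end_entity -out "$leaf.crt" >/dev/null 2>&1
    if openssl verify -CAfile root.crt -untrusted "$issuer_crt" "$leaf.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

GOOD_CHAIN="$(chain_result intermediate.crt intermediate.key leaf1)"
BAD_CHAIN="$(chain_result not-a-ca.crt intermediate.key leaf2)"
echo "signed with v3_intermediate -> leaf chain: $GOOD_CHAIN"
echo "signed with v3_end_entity   -> leaf chain: $BAD_CHAIN"
```

Two things worth taking from this when the real CSR comes from AD CS: confirm the issued intermediate with `openssl x509 -in intermediate.crt -noout -text` before installing it (look for `CA:TRUE`, the intended `pathlen`, and `Certificate Sign` in Key Usage), and keep `copy_extensions = none` (the default) so the request cannot grant itself extensions; the root's extension section is the only thing that should decide what gets issued.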
