Intermediate Signing CA

An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of the root CA. The root CA signs the intermediate certificate, forming a chain of trust.

The purpose of using an intermediate CA is primarily for security. The root key can be kept offline and used as infrequently as possible. If the intermediate key is compromised, the root CA can revoke the intermediate certificate and create a new intermediate cryptographic pair.

Prepare the directory

The root CA files are kept in /etc/pki/CA. Choose a different directory (/etc/pki/CA/intermediate) to store the intermediate CA files.

mkdir /etc/pki/CA/intermediate

Create the same directory structure used for the root CA files. It’s convenient to also create a csr directory to hold certificate signing requests.

cd /etc/pki/CA/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 01 > serial

Add a crlnumber file to the intermediate CA directory tree. crlnumber is used to keep track of certificate revocation lists.

echo 01 > /etc/pki/CA/intermediate/crlnumber

Copy the intermediate CA configuration file from /etc/pki/CA/openssl.cnf to /etc/pki/CA/intermediate/openssl.cnf.
The following options have been changed compared to the root CA configuration file:

[ default ]
ca              = GatwardIT-TLS
SAN             = DNS:somesite.tld
[ CA_default ]
dir             = /etc/pki/CA/intermediate
policy          = policy_loose
[ server_cert ]
subjectAltName  = $ENV::SAN

Create the intermediate key

Create the intermediate key (GatwardIT-TLS.key). Encrypt the intermediate key with AES 256-bit encryption and a strong password.

cd /etc/pki/CA
openssl genrsa -aes256 \
-out intermediate/private/GatwardIT-TLS.key 4096 
Enter pass phrase for intermediate.key: secretpassword
Verifying - Enter pass phrase for intermediate.key: secretpassword 
chmod 400 intermediate/private/*.key

Create the intermediate certificate

Use the intermediate key to create a certificate signing request (CSR). The details should generally match the root CA. The Common Name, however, must be different.

cd /etc/pki/CA
openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/GatwardIT-TLS.key \
-out intermediate/csr/GatwardIT-TLS.csr 
Enter pass phrase for intermediate.key: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
Country Name (2 letter code) [AU]:
State or Province Name [New South Wales]:
Locality Name []:
Organization Name [GatwardIT]:
Organizational Unit Name []:GatwardIT Certificate Authority
Common Name []:GatwardIT TLS CA
Email Address []:

To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension to sign the intermediate CSR. The intermediate certificate should be valid for a shorter period than the root certificate. Ten years would be reasonable.

cd /etc/pki/CA
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
-days 3650 -notext -md sha256 \
-in intermediate/csr/GatwardIT-TLS.csr \
-out intermediate/certs/GatwardIT-TLS.pem 
Enter pass phrase for GatwardIT-CA2.key: secretpassword
Sign the certificate? [y/n]: y 
chmod 444 intermediate/certs/*.pem

Verify the intermediate certificate

As we did for the root certificate, check that the details of the intermediate certificate are correct.

openssl x509 -noout -text -in intermediate/certs/GatwardIT-TLS.pem

Verify the intermediate certificate against the root certificate. An OK indicates that the chain of trust is intact.

openssl verify -CAfile certs/GatwardIT-CA2.pem \

Create the certificate chain file

When an application (eg, a web browser) tries to verify a certificate signed by the intermediate CA, it must also verify the intermediate certificate against the root certificate. To complete the chain of trust, create a CA certificate chain to present to the application.

To create the CA certificate chain, concatenate the intermediate and root certificates together. We will use this file later to verify certificates signed by the intermediate CA.

cat intermediate/certs/GatwardIT-TLS.pem \
certs/GatwardIT-CA2.pem > intermediate/certs/GatwardIT-chain.pem
chmod 444 intermediate/certs/*.pem

Create initial CRL

A certificate revocation list (CRL) provides a list of certificates that have been revoked. A client application, such as a web browser, can use a CRL to check a server’s authenticity. A server application, such as Apache or OpenVPN, can use a CRL to deny access to clients that are no longer trusted.

# cd /etc/pki/CA
# openssl ca -config intermediate/openssl.cnf \
-gencrl -out intermediate/crl/GatwardIT-TLS.crl

You can check the contents of the CRL with the crl tool.

openssl crl -in intermediate/crl/GatwardIT-TLS.crl -noout -text

You should re-create the CRL at regular intervals. By default, the CRL expires after 30 days. This is controlled by the default_crl_days option in the [ CA_default ] section.