How to make an intermediate CA?

Y

Yakov Kravtsov2017-11-05 03:28:34

OpenSSL

Yakov Kravtsov, 2017-11-05 03:28:34

Good afternoon!
There are:
1) Self-signed root CA certificate and key --- certificate is valid ( installed in the system )
2) Signed by root certificate --- intermediate CA and key --- certificate is valid
3) Signed by intermediate CA --- final certificate and key
So here. The last certificate is considered not valid - "Unable to find the provider of this certificate.".
How correctly, having all the certificates and keys, to generate the third certificate? That is, sign the CSR so that it is valid?
Or ... Do you really have to install all the CAs in the system?
Thank you very much in advance!

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

C

CityCat4, 2017-11-05
@CityCat4

When I implemented a proxy with bumping and using my own CA (yes, we also have a two-level CA), I had to put both certificates in the system - both the root CA and the intermediate one - and it was in the root ones, while the intermediate one was in "Intermediate CA" - no trust did not have.

N

Nikolay Korabelnikov, 2017-11-15
@nmk2002

You need the client software (OS, browser,...) to:
- trust the root CA
- be able to build a chain from your final certificate to the root CA.
For the last point, you need to:
- provide the client software not only with your certificate, but also with the certificate of the intermediate CA. This is usually done with website SSL certificates - web servers provide the chain, not just the website certificate itself.
OR
- uploaded to the trusted not only the root certificate, but also the certificate of the intermediate CA.