TL;DR
Yes, provided the certificate you sign with is itself a CA certificate (its basicConstraints extension says CA:TRUE) and you hold its private key. A server certificate bought from a public CA cannot sign anything; your own root CA can. Creating an intermediate is common practice for better security and scalability: the root key signs the intermediate once and can then stay offline, while the intermediate's key does the day-to-day signing. With OpenSSL you generate a private key for the intermediate, create a Certificate Signing Request (CSR) for it, and sign that CSR with your CA's private key, adding the CA extensions that let the new certificate act as an issuer.
Steps
- Understand Intermediate Certificates: An intermediate certificate sits between your root CA and the end-entity certificates you issue. It lets you delegate signing authority: everyday certificates are signed with the intermediate's key, the root key is used only to sign (and, if necessary, revoke) the intermediate, and the root can be kept offline. If the intermediate's key is ever compromised, you revoke that one intermediate and issue a new one instead of replacing the root that every client trusts.
- Prerequisites: You'll need:
  - OpenSSL installed on your system.
  - Your CA certificate (`ca.crt`).
  - Your CA private key (`ca.key`). Keep this extremely secure!
- Generate a Private Key for the Intermediate Certificate: This is the first step in creating your intermediate certificate.

  ```sh
  openssl genrsa -out intermediate.key 2048
  ```

  This command creates a 2048-bit RSA private key and saves it to `intermediate.key`. You can increase the bit length for stronger security (e.g., 4096); a CA key usually lives much longer than a server key, so 4096 is a reasonable choice here. Restrict the file's permissions to the CA operator as soon as it exists: anyone who can read this key can issue certificates in your CA's name.
- Create a Certificate Signing Request (CSR) for the Intermediate Certificate: The CSR carries the intermediate's public key and its subject name.

  ```sh
  openssl req -new -key intermediate.key -out intermediate.csr
  ```

  You will be prompted for Country Name, State/Province, Locality Name, Organization Name, Common Name, and an email address. The Common Name should be a descriptive name for the intermediate CA (for example "Example Corp Intermediate CA G1"); it becomes the issuer name shown on every certificate this intermediate signs, so choose something meaningful. Leave the optional challenge password empty; it plays no part in this process. To skip the prompts, you can pass the subject on the command line with `-subj "/O=Example Corp/CN=Example Corp Intermediate CA G1"`.
- Sign the CSR with Your CA's Private Key: This step creates the actual intermediate certificate by having your root CA sign the request. Signing alone does not make the result a CA: unless you add X.509v3 extensions at signing time, `openssl x509 -req` produces a certificate with no CA extensions, verifiers treat it as an end-entity certificate, and anything it later signs fails OpenSSL verification with "invalid CA certificate". Put the two required extensions in a small file, `intermediate.ext`, containing the lines `basicConstraints = critical, CA:TRUE, pathlen:0` and `keyUsage = critical, keyCertSign, cRLSign` (pathlen:0 means this intermediate may sign end-entity certificates but not further CAs), and pass it with `-extfile`:

  ```sh
  openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile intermediate.ext -out intermediate.crt -days 3650
  ```

  - `ca.crt` is your CA certificate.
  - `ca.key` is your CA private key.
  - `-CAcreateserial` creates a serial number file (`ca.srl`) if one doesn't exist; keep it next to `ca.key` so that serial numbers stay unique across everything the CA issues.
  - `-extfile intermediate.ext` adds the CA extensions described above.
  - `intermediate.crt` will be the name of your new intermediate certificate.
  - `-days 3650` sets the validity period to 10 years (adjust as needed). Long validity periods are generally discouraged, because a compromised key remains usable until the certificate expires or clients learn of its revocation; a few years is more typical for an intermediate, with end-entity certificates shorter still.
- Verify the Intermediate Certificate: Check that it's correctly signed by your CA and that it carries the CA extensions.

  ```sh
  openssl verify -CAfile ca.crt intermediate.crt
  ```

  This should output `intermediate.crt: OK` if the verification is successful. Also inspect the certificate's decoded text (`openssl x509` with the `-text` option): the X509v3 Basic Constraints section must show `CA:TRUE`. A certificate issued without the extensions still passes this verify command, because it is a valid end-entity certificate, but it cannot be used to issue anything.
- Configure Your Server/Application: Certificates issued by the intermediate chain up to the root only through the intermediate, so each server must present the intermediate together with its own certificate (server certificate first, then the intermediate; the root is not needed in the served chain, since clients must already hold it). For tools and applications that verify against a single CA bundle, concatenate the CA certificate with the intermediate certificate in one file (`ca_bundle.crt`):

  ```sh
  cat ca.crt intermediate.crt > ca_bundle.crt
  ```

- Update Clients: Clients need to trust the root certificate (`ca.crt`). For a private CA they will not have it by default, so add it to each client's trust store, or distribute the `ca_bundle.crt` file. Trusting the root is sufficient: the intermediate is validated through its signature and does not have to be installed on clients separately.
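The whole procedure end to end, as an added example that is not code from the original article: the script below builds a private root CA (the `ca.key`/`ca.crt` pair the article lists as a prerequisite), issues an intermediate from it with the CA extensions, issues one server certificate from the intermediate, and verifies the full chain the way a client would. It also signs the intermediate CSR a second time exactly as the article's original `x509 -req` command does, without `-extfile`, to show that the result is not a CA. The file names, the subject names, the profile section names (`v3_ca`, `v3_intermediate`, `v3_leaf`) and `www.example.com` are assumptions chosen for the example; it needs only the `openssl` command-line tool (1.1.1 or 3.x) and writes everything to a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original article): root CA -> intermediate ->
# server certificate with OpenSSL, plus chain verification. File names,
# subjects and www.example.com are assumptions chosen for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# One config file: a minimal [req] section (subjects are passed with -subj) and
# one extension profile per certificate type. The CA profiles are what make a
# certificate able to sign others; pathlen:0 stops the intermediate from
# creating further sub-CAs.
write_config() {
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
# Overridden by -subj on every command below.
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# Self-signed root: the ca.key / ca.crt pair the article lists as a prerequisite.
make_root() {
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -new -key ca.key -subj "/O=Example Corp/CN=Example Root CA" \
    -config ca.cnf -out ca.csr
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
    -extfile ca.cnf -extensions v3_ca -out ca.crt
}

# Steps 3 to 5 of the article, with the CA extensions added at signing time.
make_intermediate() {
  openssl genrsa -out intermediate.key 2048 2>/dev/null
  openssl req -new -key intermediate.key \
    -subj "/O=Example Corp/CN=Example Intermediate CA G1" \
    -config ca.cnf -out intermediate.csr
  openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1825 -extfile ca.cnf -extensions v3_intermediate -out intermediate.crt
}

# The article's command without -extfile: signing succeeds, but the output has
# no basicConstraints and therefore cannot act as a CA.
make_intermediate_without_extensions() {
  openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1825 -out intermediate-noext.crt
}

# A server certificate issued by the intermediate, plus the chain file the
# server should present: its own certificate first, then the intermediate.
issue_leaf() {
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=www.example.com" \
    -config ca.cnf -out server.csr
  openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 365 -extfile ca.cnf -extensions v3_leaf -out server.crt
  cat server.crt intermediate.crt > server-chain.pem
}

# Succeeds only if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Step 6 of the article: the intermediate chains to the root.
verify_intermediate() {
  openssl verify -CAfile ca.crt intermediate.crt
}

# What a client does: trust only the root, take the intermediate from the
# server as untrusted input, and validate the leaf through it.
verify_leaf_chain() {
  openssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt
}

write_config
make_root
make_intermediate
make_intermediate_without_extensions
issue_leaf
verify_intermediate
verify_leaf_chain
if is_ca_cert intermediate-noext.crt; then
  echo "unexpected: intermediate-noext.crt is marked as a CA"
else
  echo "intermediate-noext.crt has no CA:TRUE and cannot issue certificates"
fi
echo "artifacts in $WORK"
```

Run it with `sh` and read the two `OK` lines from `openssl verify`: the second one is the real test, since it validates `server.crt` with nothing trusted but the root. `server-chain.pem` is the file a web server should serve (leaf first, then intermediate), which is a different thing from the `ca_bundle.crt` trust bundle in the article: the bundle is what a verifier trusts, the chain is what a server presents.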