These steps generate an intermediate certificate. The intermediate certificate is signed by the root certificate and is in turn used to sign the final, desired certificates (sometimes called leaf, server, or user certificates).

These steps require the root certificate, but the signing may be performed elsewhere: the only artifacts that travel are the CSR (to the root) and the signed certificate (back). This allows the root certificate to remain air-gapped while the intermediate stays online.
- Create a directory for the intermediate certificate and set up these files.
  - `req.config` and `ca.config` -- Start with the example files in `config/intermediate`. Read through, understand, and customize them. These configurations are distinct from the ones for the root certificate.
  - The remaining files are set up just like for the root certificate:
    - `key`
    - `serial`
    - `issued`
    - `issued/issued`
- Generate a certificate signing request (CSR), `req`, from the private key. This will prompt for the key passphrase.

  `openssl req -new -config req.config -key key -out req`

- Copy the CSR to the root certificate's directory.
- In the root certificate's directory, sign the CSR for the intermediate certificate. This will prompt for the root certificate's key passphrase. `-extensions ext_intermediate` selects the extension section of the root's `ca.config`, which must mark the result as a CA (`basicConstraints` with `CA:TRUE`); `-policy policy_intermediate` selects the rules for which subject fields are required or must match the root's. Signing with a leaf-certificate section instead yields a certificate that cannot sign anything.
  - `intermediate.req` -- The CSR copied over.
  - `intermediate.cert` -- The resulting intermediate certificate.

  `openssl ca -config ca.config -extensions ext_intermediate -policy policy_intermediate -in intermediate.req -out intermediate.cert`

- Copy the intermediate certificate back to its directory.
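The whole procedure end to end, as an added example that is not part of this project's scripts or its `config/` files: it builds a throwaway root and intermediate in a temporary directory with the `openssl` CLI, then runs the checks worth doing on the certificate that comes back from the root (chain verifies against the root, public key matches `key`, `basicConstraints` is what `ext_intermediate` asked for). The page's names are kept (`key`, `serial`, `issued`, `issued/issued`, `req`, `req.config`, `ca.config`, `intermediate.req`, `intermediate.cert`, `ext_intermediate`, `policy_intermediate`); everything else is this example's assumption: the contents of the two configs, the mapping of `issued/` to `new_certs_dir` and `issued/issued` to the `openssl ca` database, the subject names, the EC keys, and the `-passin` passphrases that stand in for the interactive prompts.

```shell
#!/bin/sh
# Added example, not the project's own code. Config contents, directory
# mapping, subjects and passphrases below are assumptions for the demo.
set -eu

ROOT_PW='root-example-passphrase'            # constructed for the demo
INTER_PW='intermediate-example-passphrase'   # constructed for the demo

# Minimal req.config: fixed subject, no prompting. ext_root is only used
# when self-signing the root. Real config/ files are richer than this.
write_req_config() {   # $1 dir, $2 CN, $3 O
    cat > "$1/req.config" <<EOF
[ req ]
default_md = sha256
prompt = no
distinguished_name = req_dn

[ req_dn ]
O = $3
CN = $2

[ ext_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Minimal ca.config for the root. policy_intermediate requires the request's
# O to match the root's and a CN to be present; ext_intermediate makes the
# result a CA that may sign leaves but not further CAs (pathlen:0).
write_ca_config() {   # $1 dir (absolute)
    cat > "$1/ca.config" <<EOF
[ ca ]
default_ca = ca_default

[ ca_default ]
dir = $1
database = \$dir/issued/issued
new_certs_dir = \$dir/issued
serial = \$dir/serial
private_key = \$dir/key
certificate = \$dir/cert
default_md = sha256
default_days = 1825
policy = policy_intermediate

[ policy_intermediate ]
organizationName = match
commonName = supplied

[ ext_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# The files the page lists: key, serial, issued, issued/issued.
init_ca_dir() {   # $1 dir, $2 key passphrase
    mkdir -p "$1/issued"
    : > "$1/issued/issued"
    echo 01 > "$1/serial"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -aes-256-cbc -pass "pass:$2" -out "$1/key"
    chmod 600 "$1/key"
}

build_chain() {
    WORK=$(mktemp -d); ROOT_DIR="$WORK/root"; INTER_DIR="$WORK/intermediate"
    init_ca_dir "$ROOT_DIR" "$ROOT_PW"
    init_ca_dir "$INTER_DIR" "$INTER_PW"
    write_req_config "$ROOT_DIR" 'Example Root CA' 'Example Corp'
    write_req_config "$INTER_DIR" 'Example Intermediate CA' 'Example Corp'
    write_ca_config "$ROOT_DIR"
    # Self-signed root (the root steps, condensed; normally done air-gapped).
    openssl req -new -x509 -config "$ROOT_DIR/req.config" -extensions ext_root \
        -key "$ROOT_DIR/key" -passin "pass:$ROOT_PW" -days 3650 -out "$ROOT_DIR/cert"
    # CSR from the intermediate's private key (-passin replaces the prompt).
    openssl req -new -config "$INTER_DIR/req.config" -key "$INTER_DIR/key" \
        -passin "pass:$INTER_PW" -out "$INTER_DIR/req"
    # Carry the CSR to the root's directory, sign it there, carry the cert back.
    cp "$INTER_DIR/req" "$ROOT_DIR/intermediate.req"
    ( cd "$ROOT_DIR" && openssl ca -batch -notext -config ca.config \
        -extensions ext_intermediate -policy policy_intermediate \
        -passin "pass:$ROOT_PW" -in intermediate.req -out intermediate.cert )
    cp "$ROOT_DIR/intermediate.cert" "$INTER_DIR/cert"
}

# Checks on what came back from the root; returns 0 only if all pass.
verify_intermediate() {
    openssl verify -CAfile "$ROOT_DIR/cert" "$INTER_DIR/cert" >/dev/null \
        || { echo 'chain check failed' >&2; return 1; }
    cert_pub=$(openssl x509 -in "$INTER_DIR/cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$INTER_DIR/key" -passin "pass:$INTER_PW" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo 'key does not match cert' >&2; return 1; }
    openssl x509 -in "$INTER_DIR/cert" -noout -text | grep -q 'CA:TRUE, pathlen:0' \
        || { echo 'basicConstraints missing or wrong' >&2; return 1; }
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo 'openssl CLI not found, skipping' >&2; return 0; }
    build_chain
    verify_intermediate && echo "intermediate CA verified in $WORK"
}

main
```

Run it as `sh intermediate-demo.sh`; it prints the temporary directory holding both CA directories so the generated `ca.config`, database and `issued/` contents can be inspected. The `pathlen:0` in `ext_intermediate` is deliberate: it stops the intermediate from being used to mint further CAs, which is the usual intent for a CA whose key lives online.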