basically I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.

Here is the problem I need to generate a MID_CA(key/cert).pem pair and the documentation as yet I found on the net regarding this appears almost nil.

Does anyone know the command sequence to generate this from the CA?


//Moderator note: I merged three of your threads with the same subject (aka SPAM). While one was being transferred from another forum you should have waited. Please read the LQ rules you agreed to when you signed up and do not try to pull that stunt again.

Please post your question in it's apropriate forum.
This post has been reported.

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.

Well...to Linux-Security...

basically I'm trying to figure out how to generate a Mid or intermediate CA. I currently have a CA key pair.

Here is the problem I need to generate a MID_CA(key/cert).pem pair and the documentation as yet I found on the net regarding this appears almost nil.

Does anyone know the command sequence to generate this from the CA?

Does anyone have detailed instructions from the command line on how to create an interemediate certificate from a CA?

Basically I need to generate a a MID_CA_CERT.pem and MID_CA_KEY.pem

Read up on certificate chains. When dealing with certificates, it's basically about trusting the signer. You might need to add the signing CA certificate to the certificate chain. Of course, your browser will probably throw an error for that also if you have not imported the CA cert into your browser.

I readup on certificate chains. Basically the intermediate chain I'm trying to is for a test environment for a printer. I've already generate the CAcert. I just can't find any clear documentation on how to manualy generate a intermediate certificate. Do you knwo the command or location of documentation that might help?


Is this the command set?

openssl req -new -config openssl.cnf \
-out proxy2.req -keyout proxy2.key
openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
-out proxy2.crt -CA proxy.crt -CAkey proxy.key \
-extfile openssl.cnf -extensions v3_proxy2

Thank you,
Ed

I'm a little confused on what you are attempting to do? What key did you use to sign the CSR for your printer? If you used your CA key, then there is no other intermediate certificate.

First I need to construct a intermediate CA. I'm not sure of the manual process to create this. The path should be intermediateCA->CA, I think. The correct command to do this are what I'm looking for.

What key did you sign the printer CSR with?

I think the intermediate CA, but could be old MID CA. It's signed by teh printer and download to me desktop.

If the printer signed its own CSR, then there is no intermediate cert unless your printer manufactur provides it. If you signed the printer CSR with your OpenSSL CA key, then your OpenSSL CA cert is the next link in the chain. You can't just generate an intermediate CA cert and stuff it between two certs. The signatures must "cascade down" the links of the certificate chain.

I figured out the intermediate part with, ./CA.pl -signCA. I'm worried that the Key file generated from newreq.pem also has the csr inside. will this affect the new key?

Do you mean the cert generated from the CSR? Most applications using SSL require just the initial key and the matching cert to start.