Good evening all,
I have 2 servers running in different datacenters which are both connected using OpenVPN. Both servers have their own CA server, which is able to sign new certificates using an intermediate certificate; the intermediates are currently signed by individual root certificates (each server has its own root certificate, which is securely stored offline).
In case one CA becomes unavailable (compromised, server offline, etc.), I want to make sure that the certificates of CA1 are accepted when they were originally created with CA2 (so classic certificate cross-signing).
I can generate a key for an intermediate certificate and sign it with both CAs, but I do not understand how I can put both certificates together so certs signed by CA1 are still valid if only CA2 is trusted.
My questions:
- How do I write out a cross-signed intermediate certificate?
- How does this go with X.509? I have read that cross-signing is not included in X.509. How does the whole procedure work at all?
- How do I chain the client certificate and the intermediate certificate (e.g. for NGINX)?
Thank you for your answers :),
Genpc
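The procedure the question describes, as an added example (not the poster's setup or code): it assumes only the `openssl` command-line tool is installed. All names, file paths and lifetimes (`Root CA 1`, `Shared Intermediate CA`, `vpn.example.test`, the `inter-by-*.crt` files) are constructed for the demo. The point it demonstrates is that a cross-signed intermediate is not a single combined object: it is one key pair and one CSR that are signed by two different roots, giving two certificates with the same subject and public key. A leaf signed with that intermediate key then validates beneath either certificate, because the leaf's signature is made by the key, not by one particular intermediate certificate, so the only thing that changes between the two trust situations is which intermediate certificate you put in the chain file.

```shell
#!/bin/sh
# Added example (not from the original post): one intermediate key, two issuing
# roots, one leaf that validates under either root. Assumes the openssl CLI.
# All names, paths and lifetimes below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
# The leaf's authorityKeyIdentifier is "keyid" only: both intermediate
# certificates carry the same public key, hence the same subjectKeyIdentifier,
# so the leaf's AKI matches whichever intermediate certificate is in the chain.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vpn.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed root for one datacenter (the poster keeps these offline).
make_root() { # $1 = file prefix, $2 = CN
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
        -config ca.cnf -extensions v3_root 2>/dev/null
}

build_pki() {
    make_root root1 "Root CA 1"
    make_root root2 "Root CA 2"

    # ONE intermediate key and ONE CSR, so both certificates share subject and key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out inter.key 2>/dev/null
    openssl req -new -key inter.key -out inter.csr \
        -subj "/CN=Shared Intermediate CA" -config ca.cnf

    # Cross-signing: the same CSR signed by each root. X.509 needs nothing
    # special for this; a verifier simply builds whichever path ends at a root
    # it trusts. Nothing is "merged": the result is two certificate files.
    for r in root1 root2; do
        openssl x509 -req -in inter.csr -CA "$r.crt" -CAkey "$r.key" -CAcreateserial \
            -days 1825 -out "inter-by-$r.crt" -extfile ca.cnf -extensions v3_inter 2>/dev/null
    done

    # Leaf issued with the intermediate KEY (the -CA cert only supplies the
    # issuer name and SKI). The signature is valid beneath either
    # inter-by-root1.crt or inter-by-root2.crt.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "/CN=vpn.example.test" -config ca.cnf
    openssl x509 -req -in server.csr -CA inter-by-root1.crt -CAkey inter.key -CAcreateserial \
        -days 365 -out server.crt -extfile ca.cnf -extensions v3_leaf 2>/dev/null

    # Chain files in the order nginx's ssl_certificate (and OpenVPN's cert)
    # expect: leaf first, then the intermediate that leads to the trusted root.
    cat server.crt inter-by-root1.crt > chain-root1.pem
    cat server.crt inter-by-root2.crt > chain-root2.pem
}

# verify_chain <trusted root> <chain file>: succeeds only when server.crt
# validates against that single root, as a peer trusting just one CA would.
verify_chain() {
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" server.crt 2>/dev/null | grep -q ': OK$'
}

build_pki
for root in root1 root2; do
    for chain in chain-root1.pem chain-root2.pem; do
        if verify_chain "$root.crt" "$chain"; then s=OK; else s=FAIL; fi
        echo "trust only $root, serve $chain: $s"
    done
done
```

The matrix the script prints shows the whole mechanism: `chain-root2.pem` validates for a peer that trusts only `root2.crt` even though `server.crt` was issued via `inter-by-root1.crt`, while `chain-root1.pem` fails for that same peer because no path to Root CA 2 exists in what was sent. Two caveats worth keeping in mind: the chain you serve has to be chosen deliberately for the root the peers trust, because OpenSSL's path builder does not exhaustively try alternative intermediates with the same subject, and the leaf must carry a keyid-only authority key identifier (not issuer name plus serial), otherwise it would pin itself to one of the two intermediate certificates.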