
I am attempting to create an intermediate CA for testing and development purposes. I have successfully created my root CA with which I have issued a client certificate following this tutorial, but I cannot create an intermediate CA, issued by my root CA, that can issue the client certificate.

To create the intermediate CA I'm using this openssl command:

openssl x509 -req -in domainCA.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out domainCA.crt -days 1024 -sha256 -extfile domainCA.ext

The domainCA.ext file contains this:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
keyUsage = keyCertSign, cRLSign, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

The certificate window shows this problem (_DomainCA is the intermediate CA):

(two screenshots of the Windows certificate window for the _DomainCA certificate)

Asked by blow
    That (config and command) **looks valid to me**. That display looks like Windows; is it? Is it the popup for just opening a file containing the cert or in certmgr, or from some software that is trying to rely on the cert like IE, Edge, Outlook? You could try the approach(es) in https://stackoverflow.com/questions/20203109/validate-certificate-chain-with-powershell or https://stackoverflow.com/questions/28761249/x509certificate2-verify-returns-false-always to see if you get a more helpful error message. – dave_thompson_085 Dec 29 '21 at 19:19
    Try installing the **_DomainCA** certificate into your Windows **Trusted Intermediate Certification Authorities** store. You can probably exclude: nonRepudiation, keyEncipherment, dataEncipherment. – leeharvey1 Dec 29 '21 at 19:35
  • @dave_thompson_085: Yes, it was the Windows screenshot of the popup of the certificate, not in certmgr, just the certificate. leeharvey1: Thank you, I missed this step... now it's all correct. – blow Dec 30 '21 at 08:24
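The point raised in the comments (the intermediate must be available to the verifier, which on Windows means the Intermediate Certification Authorities store) can be reproduced with `openssl verify`. The script below is an added example, not code from the question or the comments: it builds a root CA, signs _DomainCA with the question's `openssl x509 -req` command and an ext file like the one in the question (keyUsage trimmed to the CA bits as suggested), issues a client certificate from the intermediate, and verifies the chain with and without the intermediate supplied. All file names, subjects and the temp directory are assumptions.

```shell
# Added example (not from the question or comments): root CA -> intermediate
# (_DomainCA, signed with the question's x509 -req command) -> client cert,
# then chain verification with and without the intermediate. Names are assumed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
make_chain() (
    cd "$WORK"
    # Root CA: self-signed, marked CA, with a SKID for the intermediate's AKID.
    openssl req -new -newkey rsa:2048 -nodes -keyout myCA.key -out myCA.csr \
        -subj "/CN=Test Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > myCA.ext
    openssl x509 -req -in myCA.csr -signkey myCA.key -days 3650 -sha256 \
        -extfile myCA.ext -out myCA.pem 2>/dev/null
    # Intermediate CA: CSR signed by the root with the domainCA.ext extensions
    # (keyUsage trimmed to the CA bits, as suggested in the comments).
    openssl req -new -newkey rsa:2048 -nodes -keyout domainCA.key \
        -out domainCA.csr -subj "/CN=_DomainCA" 2>/dev/null
    cat > domainCA.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
    openssl x509 -req -in domainCA.csr -CA myCA.pem -CAkey myCA.key \
        -CAcreateserial -out domainCA.crt -days 1024 -sha256 -extfile domainCA.ext 2>/dev/null
    # Client certificate issued by the intermediate, not by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
        -out client.csr -subj "/CN=client" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in client.csr -CA domainCA.crt -CAkey domainCA.key \
        -CAcreateserial -out client.crt -days 365 -sha256 -extfile client.ext 2>/dev/null
)
# Only the root is trusted; the intermediate is supplied as an untrusted link,
# which is what installing _DomainCA in the Intermediate CA store gives Windows.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/myCA.pem" -untrusted "$WORK/domainCA.crt" \
        "$WORK/client.crt" >/dev/null 2>&1
}
# Same root, no intermediate: the issuer of client.crt cannot be located.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/myCA.pem" "$WORK/client.crt" >/dev/null 2>&1
}
check_chain() {
    if verify_without_intermediate; then echo "unexpected: verified without intermediate"; return 1; fi
    echo "without intermediate: chain cannot be built (the error in the screenshots)"
    verify_with_intermediate || { echo "with intermediate: verification failed"; return 1; }
    echo "with intermediate: chain verifies"
}
make_chain
check_chain
```

Run it with `sh` where `openssl` is on the PATH; the generated files stay in `$WORK` so the certificates can be inspected with `openssl x509 -text -noout -in`.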

0 Answers