Security Tip #2 - Generating your own intermediate CA certificate

In the previous blog entry we generated a root CA certificate. This blog entry will deal with creating an intermediate CA certificate signed by the root CA we created before.

The main reason we do it this way is so the root CA keystore can stay entirely on offline storage, while the intermediate CA certificate is the one we actually use, and the one we can revoke if necessary.

Let's generate your intermediate CA keystore:

    keytool -keystore my-intermediate-ca.jks -genkeypair \
     -alias my-intermediate-ca -noprompt -dname "CN=My Intermediate CA" \
     -keyalg rsa -keysize 8192 -validity 365

To have the intermediate CA certificate signed by the root CA we need a certificate signing request (CSR), so let's generate one:

    keytool -keystore my-intermediate-ca.jks \
     -alias my-intermediate-ca -certreq -rfc \
     -file my-intermediate-ca.csr

Now we can use the root CA keystore to sign the CSR we just generated. The two -ext options are what make the result an intermediate CA: BasicConstraints ca:true marks it as a CA, and KeyUsage keyCertSign,cRLSign allows it to sign certificates and CRLs.

    keytool -keystore my-ca.jks \
     -alias my-ca -gencert -infile my-intermediate-ca.csr \
     -dname "CN=My Intermediate CA" -validity 365 -rfc \
     -outfile my-intermediate-ca.pem \
     -ext BasicConstraints:critical=ca:true \
     -ext KeyUsage:critical=keyCertSign,cRLSign

Now we import both the root CA PEM file and the intermediate CA PEM file into the intermediate CA keystore. We need both: when keytool imports the signed intermediate certificate into the key entry it builds and validates the certificate chain, so the issuing root CA certificate has to be in the keystore first.

First we import the root CA certificate. Because the self-signed root chains to nothing the keystore already trusts, keytool prints the certificate and asks whether to trust it; compare the fingerprint with the one in the root CA keystore before answering yes:

    keytool -keystore my-intermediate-ca.jks -importcert \
     -alias my-ca -file my-ca.pem

And then we import the intermediate CA certificate:

    keytool -keystore my-intermediate-ca.jks \
     -alias my-intermediate-ca -importcert -file my-intermediate-ca.pem
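As an added example, not part of the original post, here is a small POSIX shell check to run once both imports are done: it reads keytool's verbose listing of the intermediate entry and confirms that the chain is two certificates long and that the intermediate certificate itself, not just the root, carries the BasicConstraints and KeyUsage extensions requested with -ext above. Keystore and alias names are the post's own; the listing format assumed is the one keytool prints with -list -v.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the finished
# intermediate CA keystore. Keystore and alias names are the post's own.

# Read a `keytool -list -v` listing on stdin and confirm that the entry
# carries a two-certificate chain (intermediate + root) and that the
# intermediate itself has the CA extensions requested when the CSR was
# signed. Returns 0 when every check passes, 1 otherwise.
check_ca_listing() {
    listing=$(cat)
    # Certificate[1] is the entry's own certificate; Certificate[2] is the
    # root that signed it. Only the first is judged for CA extensions, so
    # a root with CA:true cannot mask an intermediate that lacks it.
    leaf=$(printf '%s\n' "$listing" |
        awk 'index($0,"Certificate[1]:")==1{p=1} index($0,"Certificate[2]:")==1{p=0} p')
    status=0
    printf '%s\n' "$listing" | grep -q '^Certificate chain length: 2$' ||
        { echo "chain length is not 2: was the root CA imported first?" >&2; status=1; }
    printf '%s\n' "$leaf" | grep -q '^ *CA:true$' ||
        { echo "BasicConstraints CA:true missing on the intermediate" >&2; status=1; }
    for usage in Key_CertSign Crl_Sign; do
        printf '%s\n' "$leaf" | grep -q "^ *$usage\$" ||
            { echo "KeyUsage $usage missing on the intermediate" >&2; status=1; }
    done
    return $status
}

# Run the check against the real keystore. keytool prompts for the keystore
# password unless STOREPASS is set in the environment.
verify_intermediate_keystore() {
    ks=${1:-my-intermediate-ca.jks}
    entry=${2:-my-intermediate-ca}
    set -- -keystore "$ks" -list -v -alias "$entry"
    [ -n "${STOREPASS:-}" ] && set -- "$@" -storepass "$STOREPASS"
    keytool "$@" | check_ca_listing
}
```

Source the file and call `verify_intermediate_keystore`; a non-zero exit with a message on stderr tells you which of the three properties the keystore is missing.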

Posted August 2, 2015