In the previous blog entry we generated a root CA certificate. This blog entry will deal with creating an intermediate CA certificate signed by the root CA we created before.
The main reason we do it this way is so that the root CA keystore can be kept completely on offline storage, while day-to-day signing is done with the intermediate CA certificate, which the root can revoke if necessary.
Let's generate the intermediate CA keystore:
keytool -keystore my-intermediate-ca.jks -genkeypair -alias my-intermediate-ca -noprompt -dname "CN=My Intermediate CA" -keyalg rsa -keysize 8192 -validity 365
In order to get the intermediate CA certificate signed by the root CA we need a CSR, so let's generate one:
keytool -keystore my-intermediate-ca.jks -alias my-intermediate-ca -certreq -rfc -file my-intermediate-ca.csr
Now we can use the root CA keystore to generate a signed certificate from the CSR we just created. Let's do that now:
keytool -keystore my-ca.jks -alias my-ca -gencert -infile my-intermediate-ca.csr -dname "CN=My Intermediate CA" -validity 365 -rfc -outfile my-intermediate-ca.pem -ext BasicConstraints:critical=ca:true -ext KeyUsage:critical=keyCertSign,cRLSign
Now we will import both the root CA PEM file and the intermediate CA PEM file into the intermediate CA keystore. Note that both are needed, and in this order: keytool uses the root CA certificate already in the keystore to validate the signed intermediate certificate when it is imported.
First we need to import the root CA certificate:
keytool -keystore my-intermediate-ca.jks -importcert -alias my-ca -file my-ca.pem
And then we need to import the intermediate CA certificate:
keytool -keystore my-intermediate-ca.jks -alias my-intermediate-ca -importcert -file my-intermediate-ca.pem
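The whole procedure above, as an added, self-contained script that is not part of the original post: it also recreates the root CA from the previous entry (assumed to be a self-signed keytool entry named my-ca, with CA extensions added here as an assumption), runs every step non-interactively, and then checks the result the way a practitioner would before trusting the new keystore: the intermediate entry must carry a chain of length 2, be issued by the root, and have CA:true. The key size is lowered from 8192 to 3072 and the password, working directory and -storetype JKS are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the blog's own script). Builds root CA -> intermediate CA
# with keytool and verifies the resulting chain. Requires keytool on PATH.
set -eu

# build_chain DIR: creates my-ca.jks and my-intermediate-ca.jks inside DIR
# and returns 0 only if the intermediate keystore holds a valid 2-cert chain.
build_chain() (
    workdir="$1"
    pass="changeit-example"   # constructed demo password; see note below
    cd "$workdir"

    # 1. Root CA (previous entry). CA extensions here are an assumption;
    #    keytool's plain -genkeypair does not add them by itself.
    keytool -keystore my-ca.jks -storetype JKS -storepass "$pass" -keypass "$pass" \
        -genkeypair -alias my-ca -noprompt -dname "CN=My CA" \
        -keyalg rsa -keysize 3072 -validity 3650 \
        -ext BasicConstraints:critical=ca:true \
        -ext KeyUsage:critical=keyCertSign,cRLSign
    keytool -keystore my-ca.jks -storetype JKS -storepass "$pass" \
        -exportcert -rfc -alias my-ca -file my-ca.pem

    # 2. Intermediate CA keystore (key size reduced from 8192 for speed)
    keytool -keystore my-intermediate-ca.jks -storetype JKS -storepass "$pass" -keypass "$pass" \
        -genkeypair -alias my-intermediate-ca -noprompt -dname "CN=My Intermediate CA" \
        -keyalg rsa -keysize 3072 -validity 365

    # 3. CSR for the intermediate key
    keytool -keystore my-intermediate-ca.jks -storetype JKS -storepass "$pass" -keypass "$pass" \
        -alias my-intermediate-ca -certreq -rfc -file my-intermediate-ca.csr

    # 4. Root signs the CSR with CA extensions (exactly the post's -ext flags)
    keytool -keystore my-ca.jks -storetype JKS -storepass "$pass" -keypass "$pass" \
        -alias my-ca -gencert -infile my-intermediate-ca.csr \
        -dname "CN=My Intermediate CA" -validity 365 -rfc -outfile my-intermediate-ca.pem \
        -ext BasicConstraints:critical=ca:true \
        -ext KeyUsage:critical=keyCertSign,cRLSign

    # 5. Import root first (trusted entry), then the CA reply for our own key.
    #    -noprompt answers the "Trust this certificate?" question for the root.
    keytool -keystore my-intermediate-ca.jks -storetype JKS -storepass "$pass" \
        -importcert -noprompt -alias my-ca -file my-ca.pem
    keytool -keystore my-intermediate-ca.jks -storetype JKS -storepass "$pass" -keypass "$pass" \
        -alias my-intermediate-ca -importcert -noprompt -file my-intermediate-ca.pem

    # 6. Verify: the private-key entry must now present root + intermediate,
    #    be issued by the root, and carry the CA:true basic constraint.
    listing=$(keytool -keystore my-intermediate-ca.jks -storetype JKS -storepass "$pass" \
        -list -v -alias my-intermediate-ca)
    printf '%s\n' "$listing" | grep -q 'Certificate chain length: 2' || return 1
    printf '%s\n' "$listing" | grep -q 'Issuer: CN=My CA'            || return 1
    printf '%s\n' "$listing" | grep -q 'CA:true'                     || return 1
    echo "intermediate CA chain OK in $workdir/my-intermediate-ca.jks"
)

# Stand-alone usage: build into a fresh temporary directory.
if [ "${1:-}" = "--run" ]; then
    build_chain "$(mktemp -d)"
fi
```

Two notes on the demo choices: passing `-storepass` on the command line exposes the password to other local users via the process list, so on a real root CA host use keytool's `-storepass:env VAR` or `-storepass:file FILE` forms instead; and if the intermediate is never meant to sign further CA certificates, `ca:true,pathlen:0` in step 4 limits the damage a compromised intermediate key can do.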
Posted August 2, 2015