10

I am using 'xca' in Linux to set up a private CA. xca only includes templates for the Root CA and End-User CA, no intermediates. What are the correct settings (fields and flags) for an intermediate (and lowest level in this case) level certificate authority to distinguish it from the root and end-user certificates. I know the root is self signed and the intermediate is signed by the root, but I am not sure of the intermediate CA settings beyond that. To be specific, I am not asking about software settings, but rather the differences between the Root and Intermediate certificates.

Bryan D.
  • 101
  • 4

2 Answers2

2

The only difference between a root and intermediate CA is that the root is by definition self signed.

And the difference between a root or intermediate CA and an end (user) certificate is that first two contain a x509 Certificate sign extension while last one do not.

So that is only a question of self-signed or not and presence of a Certificate sign extension.

Serge Ballesta
  • 25,952
  • 4
  • 42
  • 84
1

Not sure if this answers the question. But similar to an Answer I gave here: How does a browser tell the difference between an intermediate cert and an end-entity cert?

  • Basic Constraint->Subject Type:

    • Root Certificate: "CA"
    • End-Entity Certificate : "End Entity"
  • Basic Constraint->Path Length Constraint:

    • Root Cetificate: 0
    • End-Entity Certificate : None

The Subject Type specifies what type of Cert it is (CA vs End-Entity), and the Path Length Constraint specifies how many intermediary certs can be present in the chain.

By setting Path Length to 0, you're specifying that there can be 0 intermediary certs between the root and end-entity. Effectively disabling any intermediary certs.

keithRozario
  • 3,631
  • 2
  • 12
  • 25