Create client from intermediate? #190

Closed
pnill opened this issue Feb 12, 2018 · 4 comments

Comments


pnill commented Feb 12, 2018

I see no option to create a client based on an intermediate CA? Is this a feature that's lacking or am I missing something?


pnill commented Feb 14, 2018

So I've noticed build-ca has "nopass" and "subca", but if you try to use either of these options they appear to do nothing currently. With nopass I still get prompted for a password, and I was able to confirm the private key was still exported with a password.

With subca you get told the CA already exists.

@kaspergrubbe

Please update here if you manage to find a solution to this.


pnill commented Feb 23, 2018

The solution I found was basically generating a root, creating a signing request and signing it as an intermediate, moving the pki folder to root_pki, reinitiating a root (initpki), and then copying the newly signed intermediate into the new pki folder and signing a client cert under it.

@pnill pnill closed this as completed Feb 23, 2018

viharm commented Aug 22, 2020

I have found another, more elegant solution (I suspect this is how it was designed).

  1. Set up two separate Easy-RSA installations.
  2. Initialise and build a CA as normal on the first one (let's call it RootCA).
  3. Initialise the second one, but build the CA with the subca option (let's call it IntCA).
  4. When a subca is built, no certificate is generated, only a request. Import this request (IntCA/pki/reqs/ca.req) into RootCA.
  5. Sign the IntCA request imported into RootCA, as the root CA. This will generate the certificate (RootCA/pki/issued/IntCA.crt).
  6. Copy the IntCA.crt file to the IntCA setup at IntCA/pki/ca.crt.
  7. Now you can use IntCA for all your mainstream activities and lock away the RootCA until the IntCA needs to be managed (renewed, revoked, etc.). Just ensure that you are always within the IntCA directory when issuing ./easyrsa commands. Better still, use full paths to avoid using the root CA by mistake.

Hope this helps.
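The seven steps above as a script, added here as an example and not code from the issue or from the Easy-RSA project. It assumes `EASYRSA_DIR` points at one Easy-RSA 3 installation (the `./easyrsa` script plus its `openssl-easyrsa.cnf`) and selects the two PKIs with the real `--pki-dir=` option instead of two installation copies, which is the same separation of root and intermediate; `openssl verify` is only used at the end to confirm the client certificate chains through IntCA to RootCA with nothing but the root trusted.

```shell
#!/bin/sh
# Two-tier Easy-RSA PKI: RootCA signs IntCA, IntCA issues the client cert.
# Constructed example; EASYRSA_DIR, ROOT_PKI and INT_PKI are assumed names.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-$PWD}"   # assumed: directory holding ./easyrsa
ROOT_PKI="${ROOT_PKI:-$PWD/RootCA}"  # offline root, locked away after step 5
INT_PKI="${INT_PKI:-$PWD/IntCA}"     # day-to-day issuing CA

# Always run ./easyrsa from its own directory against an explicit PKI path,
# so the root PKI is never touched by accident (the point of step 7).
ersa() {
    pki="$1"; shift
    ( cd "$EASYRSA_DIR" && ./easyrsa --batch --pki-dir="$pki" "$@" )
}

build_two_tier_pki() {
    # Steps 1-3: the root gets a self-signed cert; "subca" yields only a CSR.
    ersa "$ROOT_PKI" init-pki
    ersa "$ROOT_PKI" --req-cn="Example Root CA" build-ca nopass
    ersa "$INT_PKI"  init-pki
    ersa "$INT_PKI"  --req-cn="Example Intermediate CA" build-ca subca nopass
    # Steps 4-5: import IntCA's request into RootCA and sign it as a CA.
    ersa "$ROOT_PKI" import-req "$INT_PKI/reqs/ca.req" IntCA
    ersa "$ROOT_PKI" sign-req ca IntCA
    # Step 6: the signed certificate becomes IntCA's own ca.crt.
    cp "$ROOT_PKI/issued/IntCA.crt" "$INT_PKI/ca.crt"
}

# Step 7 / the original question: issue a client cert from the intermediate.
issue_client() {
    ersa "$INT_PKI" build-client-full "$1" nopass
}

# Check client -> IntCA -> RootCA with only the root in the trust store;
# the intermediate is supplied as untrusted, exactly as a TLS peer would.
verify_client_chain() {
    openssl verify -CAfile "$ROOT_PKI/ca.crt" -untrusted "$INT_PKI/ca.crt" \
        "$INT_PKI/issued/$1.crt"
}
```

Run `build_two_tier_pki` once, then `issue_client <name>` per client; a client certificate whose chain does not verify against `RootCA/pki/ca.crt` was signed by the wrong PKI.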
