creating intermediate ca signed by an external root #30

Open
heidricha opened this issue Jun 27, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@heidricha

heidricha commented Jun 27, 2023

I don't understand the concept of creating an intermediate CA.

In my understanding, it should create a full CA, but instead of the ca.crt, a CSR should be created, and after getting it signed with the root CA, the ca.crt should be uploaded. It works this way using easy-rsa, for example.

Here, when I create a CA with "intermediate": true, and "parent_common_name" added, the resulting CA data will contain only keys, and "isIntermediate": false

It's my issue tbh, but how is this flow supposed to work?
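
The CSR-based flow described in the comment above (key and CSR generated on the intermediate side, CSR signed by an external root, signed certificate brought back), as an added example using plain `openssl` rather than this project's API; it is not part of the original thread, and every DN, file name and lifetime in it is constructed. `check_intermediate` runs the checks worth doing before loading any externally signed CA certificate.

```shell
#!/usr/bin/env bash
# Added example (not this project's code). Every DN, file name and lifetime is constructed.

make_external_intermediate() {   # $1 = scratch directory
    mkdir -p "$1" && ( cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ext
prompt = no
[dn]
CN = Example External Root
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # 1. Root operator: key and self-signed root certificate.
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout root.key -out root.crt -days 30 2>/dev/null || exit 1
    # 2. Intermediate operator: key and CSR; only int.csr is sent to the root.
    openssl req -new -config pki.cnf -subj "/CN=Example Intermediate CA" \
        -newkey rsa:2048 -nodes -keyout int.key -out int.csr 2>/dev/null || exit 1
    # 3. Root operator: sign the CSR with CA extensions and return int.crt.
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile pki.cnf -extensions int_ext -days 30 -sha256 \
        -out int.crt 2>/dev/null )
}

check_intermediate() {   # $1 = root cert, $2 = intermediate cert, $3 = its key
    # Signature chains to the given root.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo chain; return 1; }
    # Issuer differs from subject, so this is not a self-issued root.
    [ "$(openssl x509 -in "$2" -noout -subject_hash)" != \
      "$(openssl x509 -in "$2" -noout -issuer_hash)" ] || { echo self-issued; return 1; }
    # Certificate is allowed to act as a CA.
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' || { echo not-ca; return 1; }
    # Returned certificate matches the locally held private key.
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
      "$(openssl pkey -in "$3" -pubout)" ] || { echo key-mismatch; return 1; }
    echo ok
}
# Usage: make_external_intermediate ./pki-demo &&
#        check_intermediate ./pki-demo/root.crt ./pki-demo/int.crt ./pki-demo/int.key
```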

@necheffa
Collaborator

I am assuming you are working with the REST API?

First you'll want to hit /api/v1/ca to create a root CA if you have not done so already.
Then you'll want to hit /api/v1/ca again to create an intermediate CA.

When you send your payload to create an intermediate CA, you want to set intermediate to true and parent_common_name to the CN of the root CA that will be signing your intermediate CA.

The result should then be that the intermediate CA is generated and signed at this point.

@heidricha
Author

heidricha commented Jun 29, 2023

I tried to use an external root for the intermediate cert.
Is it supported in some way (like placing the CA data manually), or can the intermediate CA only be signed by the local root?

I tried to replace the pki files for the intermediate CA with files from a valid sub-CA, signed by an external root, but all I have now is "error 500"

heidricha changed the title from "creating intermediate ca" to "creating intermediate ca signed by an external root" on Jun 29, 2023
@necheffa
Collaborator

I do not believe using an external CA is a currently supported use case.

necheffa added the enhancement (New feature or request) label on Jun 30, 2023
@kairoaraujo
Owner

The current use case of intermediate CA is when you are the CA admin and want to delegate an intermediate CA.

@heidricha
Author

> The current use case of intermediate CA is when you are the CA admin and want to delegate an intermediate CA.

Thanks for making it clear!
