Openssl Intermediate Certificate

Openssl Intermediate Certificate
Hi All:
Now I want to create a certificate chain by myself.
It will looks like as below:
Server Certificate -> Intermediate CA -> Root CA.
Now I am using openssl command to create these certificate files.
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
# Create Intermediate
openssl genrsa -out intermediate.key 4096
openssl req -new -sha1 -key intermediate.key -out intermediate.csr
# CA signs Intermediate
openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey
ca.key -set_serial 01 -out intermediate.crt
# Create Server
openssl genrsa -out 4096
openssl req -new -key -out
# Intermediate signs Server
openssl x509 -req -days 1825 -in -CA
intermediate.crt -CAkey intermediate.key -set_serial 01 -out
Now I install ca.crt into WIndows7 local Trust Root Store. when I open file, I can see 'Certificate chain' in
'Certification Path'.
But I get 1 warning information on intermediate certificate 'This
certification authority is not allowed to issue certificates or cannot
be used as an end-entity certificate.'
From search, I think this is because intermediate certificate/key is
not a correct intermediate CA that it can not sign
Please kindly give me some suggestion about how to use openssl command
to sign '' with intermediate CA. Thanks!
Rejoice,I Desire!
OpenSSL Project
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


To communicate securely over the internet, HTTPS (HTTP over TLS) is used. A key component of HTTPS is Certificate authority (CA), which by issuing digital certificates acts as a trusted 3rd party between server(eg: and others(eg: mobiles, laptops).

Create certificate chain (CA bundle) using your own Root CA and Intermediate Certificates with openssl; Create server and client certificates using openssl for end to end encryption with Apache over SSL; Create SAN Certificate to protect multiple DNS, CN and IP Addresses of the server in a single certificate. The list of steps to be followed.

  • Jun 19, 2015 The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions.pfx and.p12. PFX files are typically used on Windows and macOS machines to import and export certificates and private keys.
  • An intermediate CA certificate must be signed by the root CA certificate: openssl req -config caintermediate.cnf -new -sha256 -key caintermediate.key -out caintermediate.csr Sign the intermediate signing request with the root CA certificate.

In this article, we will learn how to obtain certificates from a server and manually verify them on a laptop to establish a chain of trust.

Chain of Trust

TLS certificate chain typically consists of server certificate which is signed by intermediate certificate of CA which is inturn signed with CA root certificate.

Using OpenSSL, we can gather the server and intermediate certificates sent by a server using the following command.

This command internally verfies if the certificate chain is valid. The output contains the server certificate and the intermediate certificate along with their issuer and subject. Copy both the certificates into server.pem and intermediate.pem files.

We can decode these pem files and see the information in these certificates using

We can also get only the subject and issuer of the certificate with

Now that we have both server and intermediate certificates at hand, we need to look for the relevant root certificate (in this case DigiCert High Assurance EV Root CA) in our system to verify these.

If you are using a Linux machine, all the root certificate will readily available in .pem format in /etc/ssl/certs directory.

If you are using a Mac, open Keychain Access, search and export the relevant root certificate in .pem format.

We have all the 3 certificates in the chain of trust and we can validate them with

If there is some issue with validation OpenSSL will throw an error with relevant information.

Openssl Intermediate Certificate Verify


Openssl Certificate Information

In this article, we learnt how to get certificates from the server and validate them with the root certificate using OpenSSL.