There is a testsuite in gdm3 doing this:
openssl req -batch -new -nodes \
-passin pass:random-intermediate-CA-password-18641 \
-config /tmp/sssd-softhsm2-OuDCps/test-intermediate-CA.config \
-key /tmp/sssd-softhsm2-OuDCps/test-intermediate-CA-key.pem \
-passout pass:random-root-CA-password-12866 -sha256 \
-extensions v3_ca \
-out /tmp/sssd-softhsm2-OuDCps/test-intermediate-CA-certificate-request.pem
0061C6BF337F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156:
0061C6BF337F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always
The test-intermediate-CA.config:
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /tmp/sssd-softhsm2-OuDCps
database = $dir/index.txt
new_certs_dir = $dir/new_certs
certificate = $dir/test-intermediate-CA.pem
serial = $dir/serial
private_key = $dir/test-intermediate-CA-key.pem
RANDFILE = $dir/rand
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_any
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = copy
[ usr_cert ]
authorityKeyIdentifier = keyid, issuer
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ policy_any ]
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
O = Test Organization
OU = Test Organization Unit
CN = Test Organization Intermediate CA
This passes with 3.1.4 and can be checked:
openssl req -text -noout -verify -in /tmp/sssd-softhsm2-OuDCps/test-intermediate-CA-certificate-request.pem
Certificate request self-signature verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: O=Test Organization, OU=Test Organization Unit, CN=Test Organization Intermediate CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ac:f5:3d:f2:dd:c9:33:76:08:95:a5:be:fe:5e:
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
72:e5:f0:7e:c5:cc:5a:c5:99:42:88:57:86:0e:00:32:45:f0:
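A certificate request carries no issuer certificate, so an extension section containing authorityKeyIdentifier = keyid:always,issuer:always cannot be satisfied when it is applied with openssl req (without -x509); the 3.1.4 output above shows the result as an empty Requested Extensions block, while the version that produced the error above refuses the section outright. The added script below (it is not part of the gdm3 or sssd test suite, and every path, name and section title in it is an assumption chosen for the example) builds the same intermediate CA in a way that is valid for either version: the request only carries extensions that need no issuer, and the AKID is added by the signer, which has the issuer certificate at hand.

```shell
#!/bin/sh
# Added example, not from the gdm3/sssd test suite: create an intermediate CA
# whose authorityKeyIdentifier is set by the signer rather than requested in
# the CSR. Paths, DNs and section names are assumptions for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Config with two extension sections: one that is safe inside a CSR and one
# that the signer applies (AKID is computable there because -CA is given).
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O  = Test Organization
OU = Test Organization Unit
CN = Test Organization Intermediate CA

# Requested extensions: nothing here needs an issuer certificate.
[ req_intermediate_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Extensions applied by the signer; keyid:always is satisfiable here.
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# Self-signed root CA (test-only): -x509 is the one place where req may add
# an AKID itself, because the issuer is the certificate being generated.
make_root_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$WORK/ca.cnf" \
        -subj "/O=Test Organization/CN=Test Organization Root CA" \
        -addext "basicConstraints=critical,CA:true" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -addext "subjectKeyIdentifier=hash" \
        -keyout "$WORK/root-key.pem" -out "$WORK/root.pem" >/dev/null 2>&1
}

# Intermediate key and CSR; only the issuer-free section is requested.
make_intermediate_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/intermediate-key.pem" >/dev/null 2>&1
    openssl req -batch -new -sha256 -config "$WORK/ca.cnf" \
        -key "$WORK/intermediate-key.pem" \
        -extensions req_intermediate_ca \
        -out "$WORK/intermediate.csr" >/dev/null 2>&1
}

# The root signs the CSR and applies the CA-side section, AKID included.
sign_intermediate() {
    openssl x509 -req -in "$WORK/intermediate.csr" -sha256 -days 365 \
        -CA "$WORK/root.pem" -CAkey "$WORK/root-key.pem" -CAcreateserial \
        -extfile "$WORK/ca.cnf" -extensions v3_intermediate_ca \
        -out "$WORK/intermediate.pem" >/dev/null 2>&1
}

# Returns 0 when the intermediate chains to the root and carries an AKID.
check_chain() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/intermediate.pem" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/intermediate.pem" -noout -text \
        | grep -q "X509v3 Authority Key Identifier" || return 1
}

# Whole procedure; returns non-zero on the first failing step.
build_intermediate_ca() {
    write_config && make_root_ca && make_intermediate_csr \
        && sign_intermediate && check_chain
}

if [ "${1:-}" = "run" ]; then
    build_intermediate_ca && echo "intermediate CA built in $WORK"
fi
```

Run it as `sh build-intermediate.sh run`; the resulting intermediate.pem verifies against root.pem and shows an X509v3 Authority Key Identifier that matches the root's Subject Key Identifier, which is the property the original v3_ca section was trying to express in the wrong artifact.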