Easyrsa intermediate

From UVOO Tech Wiki
Revision as of 21:24, 10 November 2023 by Busk
I have found another, more elegant solution (I suspect this is how it was designed).

Set up two separate Easy-RSA installations.
Initialise and build a CA as normal on the first one (let's call it RootCA).
Initialise the second one, but build CA with the subca option (let's call it IntCA).
When a subca is built, no certificate is generated, only a request is generated. Import this request (IntCA/pki/reqs/ca.req) into RootCA.
Sign the IntCA request imported into RootCA, as the root CA. This will generate the certificate (RootCA/pki/issued/IntCA.crt).
Copy the IntCA.crt file to the IntCA setup at IntCA/pki/ca.crt.
Now you can use IntCA for all your mainstream activities and lock away the RootCA until the IntCA needs to be managed (renewed, revoked, etc.). Just ensure that you are always within the IntCA directory when issuing ./easyrsa commands. Better still, use full paths to avoid using the root CA by mistake.

https://github.com/OpenVPN/easy-rsa/issues/190
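The procedure quoted above as a runnable script. This is an added example, not code from the linked issue or from the Easy-RSA project. It assumes an Easy-RSA 3 `easyrsa` script on PATH (or named in `EASYRSA_BIN`) and, instead of two separate installations, selects each CA with the `EASYRSA_PKI` variable so every command is pinned to an absolute PKI directory, which is the "use full paths" advice made mechanical. The directory names `RootCA`, `IntCA`, the CNs and `chain.crt` are assumptions; `build_chain_file` and `verify_chain` go beyond the quoted steps by assembling the bundle clients need and checking that the intermediate actually chains to the root before it is put into service.

```shell
#!/bin/sh
# Two-PKI intermediate CA workflow with Easy-RSA 3 (added example).
# Assumes: `easyrsa` on PATH or EASYRSA_BIN pointing at it; each CA lives
# in its own PKI directory selected via EASYRSA_PKI (absolute paths, so a
# command can never land in the wrong CA by accident).
set -eu

EASYRSA_BIN="${EASYRSA_BIN:-easyrsa}"
BASE="${BASE:-$(pwd)}"
ROOT_PKI="$BASE/RootCA/pki"   # offline root, locked away after signing
INT_PKI="$BASE/IntCA/pki"     # day-to-day issuing CA
INT_NAME="IntCA"              # name the request is imported under

# Run easyrsa non-interactively against an explicit PKI directory.
ersa() {
    pki="$1"; shift
    EASYRSA_PKI="$pki" EASYRSA_BATCH=1 "$EASYRSA_BIN" "$@"
}

# Step 1: root CA as normal. `nopass` keeps the demo non-interactive;
# a production offline root should drop it and use a passphrase.
build_root() {
    ersa "$ROOT_PKI" init-pki
    EASYRSA_REQ_CN="Example Root CA" ersa "$ROOT_PKI" build-ca nopass
}

# Step 2: intermediate with `subca`. This emits only pki/reqs/ca.req,
# no certificate, exactly as the quoted comment describes.
build_intermediate_request() {
    ersa "$INT_PKI" init-pki
    EASYRSA_REQ_CN="Example Intermediate CA" ersa "$INT_PKI" build-ca subca nopass
}

# Steps 3-5: import the request into the root PKI, sign it as a CA
# request, and install the issued certificate as the intermediate's ca.crt.
sign_intermediate_with_root() {
    ersa "$ROOT_PKI" import-req "$INT_PKI/reqs/ca.req" "$INT_NAME"
    ersa "$ROOT_PKI" sign-req ca "$INT_NAME"
    cp "$ROOT_PKI/issued/$INT_NAME.crt" "$INT_PKI/ca.crt"
}

# Bundle clients need: issuing (intermediate) certificate first, root last.
# Pure file concatenation; prints the number of certificates in the bundle.
build_chain_file() {
    int_crt="$1"; root_crt="$2"; out="$3"
    cat "$int_crt" "$root_crt" > "$out"
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Confirm the intermediate really chains to the root before trusting it.
verify_chain() {
    openssl verify -CAfile "$ROOT_PKI/ca.crt" "$INT_PKI/ca.crt"
}

# Only run the full build when asked: `sh intermediate.sh build`
if [ "${1:-}" = "build" ]; then
    build_root
    build_intermediate_request
    sign_intermediate_with_root
    build_chain_file "$INT_PKI/ca.crt" "$ROOT_PKI/ca.crt" "$INT_PKI/chain.crt"
    verify_chain
fi
```

After `build`, issue leaf certificates with `EASYRSA_PKI=/abs/path/IntCA/pki easyrsa ...` only; the root PKI directory is needed again solely when the intermediate itself must be renewed or revoked.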