Create Intermediate CA Certificates

An intermediate CA certificate is signed by the root CA certificate and is then used to sign end-entity certificates, so the root key can stay offline and is only needed when a new intermediate is issued or revoked.

Before you begin, create a root CA certificate and its key. For more information, see Create a Root CA Certificate.

  1. Create an OpenSSL configuration file called ca_intermediate.cnf for the creation of the intermediate CA certificates.

    It is similar to ca_root.cnf, but the policy setting in the [CA_default] section and the names and locations of the key and certificate are different.

  2. Generate a 4096-bit RSA private key and protect it with a strong pass phrase; the -aes256 option encrypts the key file with AES-256. For more information, see Generate a Private Key for Use with Certificates.

    For example:

    openssl genrsa -aes256 -out ca_intermediate.key 4096

    When prompted for a pass phrase, use a strong one.

    Note:  Keep this key secure! Anyone holding it can issue certificates that are indistinguishable from genuine ones. The consequences are less severe than a compromise of the root CA key, because the root CA can revoke the intermediate certificate and issue a replacement, but every certificate issued by the compromised intermediate must still be replaced.

  3. Create a certificate signing request (CSR) for the intermediate CA. The CSR is not a certificate yet; it must be signed by the root CA certificate in the next step:

    openssl req -config ca_intermediate.cnf \
                -new -sha256 \
                -key ca_intermediate.key \
                -out ca_intermediate.csr
  4. Sign the intermediate signing request with the root CA certificate.

    The intermediate certificate should also be valid for a long time, but shorter than the root CA certificate; for example 10 years (3653 days, including leap days). The v3_intermediate_ca section of ca_root.cnf supplies the extensions that mark the certificate as a CA (basicConstraints CA:TRUE and a keyUsage that includes keyCertSign); without them, the certificate cannot be used to sign other certificates:

    openssl ca -config ca_root.cnf \
               -extensions v3_intermediate_ca \
               -days 3653 -notext -md sha256 \
               -in ca_intermediate.csr \
               -out ca_intermediate.crt
    You now have an intermediate CA certificate. Before you use it, confirm that it chains to the root CA certificate and that it carries the CA extensions you expect; a certificate signed with the wrong extensions section is accepted by openssl ca but is useless as a CA.

A verifier needs both the root certificate and the intermediate certificate to check a certificate issued by the intermediate. Together they form the chain of trust that ties the end-entity certificate back to the root and so establishes the authenticity of the certificate owner. Only the certificates are distributed; the private keys stay with the CAs.

You can make them available as separate CA certificates in your trust store, or you can concatenate the PEM files into one bundle and make this file available. Order does not matter for a trust store, but it does when a server sends the bundle alongside its own certificate: end-entity certificate first, then the intermediate, then (optionally) the root. Placing the root in the trust store and sending only the intermediate with the end-entity certificate is the usual arrangement.
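The whole procedure, from the root CA through the intermediate to the chain checks described above, as an added example that is not part of the original page. It assumes OpenSSL 1.1 or later on the PATH. The ca_root.cnf and ca_intermediate.cnf it writes are minimal stand-ins for the page's own configuration files, which the page does not show; the subject names and pass phrases are demo values, passed with -passin/-passout only so the run is non-interactive. The example goes one step beyond the page by also issuing a server certificate from the intermediate, so that the chain checks have something to verify.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds a root CA, an intermediate
# CA signed by it and a server certificate signed by the intermediate, then checks
# the chain with openssl verify. Assumes OpenSSL 1.1+ on PATH. The config written by
# write_cnf is a minimal stand-in for the page's ca_root.cnf / ca_intermediate.cnf;
# subject names and pass phrases are demo values (passed via -passin/-passout only
# to keep the run non-interactive; use real pass phrases and prompts in practice).
set -eu
ROOT_PASS="root-demo-pass"; INT_PASS="intermediate-demo-pass"

# write_cnf FILE DIR NAME CN: one CA config; DIR holds the CA's key, cert and database.
write_cnf() {
  cat > "$1" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $2
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
private_key      = \$dir/$3.key
certificate      = \$dir/$3.crt
default_md       = sha256
policy           = policy_strict
[ policy_strict ]
countryName      = match
organizationName = match
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
C  = US
O  = Example Corp
CN = $4
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_leaf ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
EOF
  mkdir -p "$2/newcerts"; touch "$2/index.txt"; echo 1000 > "$2/serial"
}

build_chain() {
  WORK=$(mktemp -d); cd "$WORK"
  write_cnf ca_root.cnf ./root ca_root "Example Root CA"
  write_cnf ca_intermediate.cnf ./intermediate ca_intermediate "Example Intermediate CA"
  # Root CA: encrypted 4096-bit RSA key and a self-signed certificate (20 years).
  openssl genrsa -aes256 -passout "pass:$ROOT_PASS" -out root/ca_root.key 4096 2>/dev/null
  openssl req -config ca_root.cnf -key root/ca_root.key -passin "pass:$ROOT_PASS" \
    -new -x509 -days 7305 -sha256 -extensions v3_ca -out root/ca_root.crt
  # Intermediate CA: key, CSR, then signed by the root with v3_intermediate_ca (10 years).
  openssl genrsa -aes256 -passout "pass:$INT_PASS" -out intermediate/ca_intermediate.key 4096 2>/dev/null
  openssl req -config ca_intermediate.cnf -new -sha256 -key intermediate/ca_intermediate.key \
    -passin "pass:$INT_PASS" -out ca_intermediate.csr
  openssl ca -config ca_root.cnf -extensions v3_intermediate_ca -days 3653 -notext -md sha256 \
    -batch -passin "pass:$ROOT_PASS" -in ca_intermediate.csr -out intermediate/ca_intermediate.crt
  # Bundle in the order a server sends it: intermediate first, root last.
  cat intermediate/ca_intermediate.crt root/ca_root.crt > ca_chain.crt
}

issue_leaf() {  # A server certificate issued by the intermediate, not the root (1 year).
  openssl genrsa -out leaf.key 2048 2>/dev/null
  openssl req -config ca_intermediate.cnf -new -sha256 -key leaf.key \
    -subj "/C=US/O=Example Corp/CN=www.example.com" -out leaf.csr
  openssl ca -config ca_intermediate.cnf -extensions v3_leaf -days 365 -notext -md sha256 \
    -batch -passin "pass:$INT_PASS" -in leaf.csr -out leaf.crt
}

# Each check returns 0 on success so a caller can test it.
verify_intermediate() { openssl verify -CAfile root/ca_root.crt intermediate/ca_intermediate.crt >/dev/null; }
# Trust only the root; the intermediate is supplied as untrusted chain material, as a server would send it.
verify_leaf() { openssl verify -CAfile root/ca_root.crt -untrusted intermediate/ca_intermediate.crt leaf.crt >/dev/null; }
# Same leaf with the concatenated bundle as the trust store.
verify_leaf_bundle() { openssl verify -CAfile ca_chain.crt leaf.crt >/dev/null; }
# Expected to fail: without the intermediate the verifier cannot build a path to the root.
verify_leaf_root_only() { openssl verify -CAfile root/ca_root.crt leaf.crt >/dev/null 2>&1; }
# pathlen:0 means the intermediate cannot issue further CA certificates.
has_pathlen_zero() { openssl x509 -in intermediate/ca_intermediate.crt -noout -text | grep -q 'CA:TRUE, pathlen:0'; }

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to run" >&2; exit 0; }
build_chain; issue_leaf
if verify_intermediate && verify_leaf && verify_leaf_bundle && ! verify_leaf_root_only && has_pathlen_zero; then
  echo "chain OK; bundle at $WORK/ca_chain.crt"
else
  echo "chain check failed" >&2; exit 1
fi
```

The script leaves its working directory in place so the generated files can be inspected with openssl x509 -text; delete it when done. The failing verify_leaf_root_only check is the point of the last two paragraphs: a verifier that holds only the root cannot validate a certificate issued by the intermediate unless the intermediate is supplied as well, either in its trust store or alongside the end-entity certificate.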