I do see that. What I'm confused is to what bits or attributes within the profile I need to include/exclude/add in order to make the sample Server Cert profile to also do CA function. Thanks, Michelle Taggart x5166 ----- Original Message ----- From: "John Magne" <jmagne(a)redhat.com&gt; To: "Michelle Taggart" <mdemansana(a)philasd.org&gt; Cc: pki-users(a)redhat.com Sent: Tuesday, July 23, 2013 2:18:23 PM Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute You could go into the directory /var/lib/pki-ca/profiles/ca Find the profile you want to clone, which is in a file XXXX.cfg Copy that file to a new name that you want. Put an entry for that new profile in the conf/CS.cfg file under the heading: profiles.list Then you could either manually edit this file if you know how to, or use the pkiconsole to add stuff to it. In order for the console to be able to edit a profile, it must be marked as "disabled" in the agent web interface. ----- Original Message ----- From: "Michelle Taggart" <mdemansana(a)philasd.org&gt; To: pki-users(a)redhat.com Sent: Tuesday, July 23, 2013 10:38:38 AM Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute Hi, I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic. The CSR that the proxy creates requests for a server certificate with subCA ability, for issuing certificates. Thanks, Michelle T _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users

I believe alee and those guys in irc were steering you right. The existing profile "caCACert" should be what you want, a CA cert signed by the current/root CA. The cert should have the right extensions to be a CA cert for a sub CA. If you want to add other things, you can go into the console and make minor mods to that profile. The console allows you to add different types of extensions to the cert profile. ----- Original Message ----- From: "Michelle Taggart" <mdemansana(a)philasd.org&gt; To: "John Magne" <jmagne(a)redhat.com&gt; Cc: pki-users(a)redhat.com Sent: Tuesday, July 23, 2013 1:53:52 PM Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute This might sound confusing, so let me rephrase. Is there an existing template to create a subordinate CA certificate? If not, is there a cheatsheet on creating one? I am able to get to the pkiconsole piece to create a new profile, but I'm hoping that I don't have to create one because truthfully that piece is starting to become way over my head. ;) Thanks, Michelle Taggart x5166 ----- Original Message ----- From: "Michelle Taggart" <mdemansana(a)philasd.org&gt; To: "John Magne" <jmagne(a)redhat.com&gt; Cc: pki-users(a)redhat.com Sent: Tuesday, July 23, 2013 3:24:12 PM Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute I do see that. What I'm confused is to what bits or attributes within the profile I need to include/exclude/add in order to make the sample Server Cert profile to also do CA function. Thanks, Michelle Taggart x5166 ----- Original Message ----- From: "John Magne" <jmagne(a)redhat.com&gt; To: "Michelle Taggart" <mdemansana(a)philasd.org&gt; Cc: pki-users(a)redhat.com Sent: Tuesday, July 23, 2013 2:18:23 PM Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute You could go into the directory /var/lib/pki-ca/profiles/ca Find the profile you want to clone, which is in a file XXXX.cfg Copy that file to a new name that you want. Put an entry for that new profile in the conf/CS.cfg file under the heading: profiles.list Then you could either manually edit this file if you know how to, or use the pkiconsole to add stuff to it. In order for the console to be able to edit a profile, it must be marked as "disabled" in the agent web interface. ----- Original Message ----- From: "Michelle Taggart" <mdemansana(a)philasd.org&gt; To: pki-users(a)redhat.com Sent: Tuesday, July 23, 2013 10:38:38 AM Subject: [Pki-users] Creation of a server certificate with an itermediary CA attribute Hi, I'm quite new at the concept, but is there a way to clone a server certificate profile and give it an intermediary CA attribute? I'm trying to generate a cert that a proxy server uses to decrypt SSL traffic. The CSR that the proxy creates requests for a server certificate with subCA ability, for issuing certificates. Thanks, Michelle T _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users

This is extremely helpful. I was able to make the profile work, I actually had to make a custom profile, but no other specifics required. Thank you so much for the expedient help. I'm hoping that in the future I can help and contribute in this project! :) Thanks, Michelle Taggart x5166 ----- Original Message ----- From: "Christina Fu" <cfu(a)redhat.com&gt; To: pki-users(a)redhat.com Sent: Tuesday, July 23, 2013 7:43:00 PM Subject: Re: [Pki-users] Creation of a server certificate with an itermediary CA attribute What defines the characteristics of a certificate is in the Extensions. The profile caCACert.cfg defines a generic CA cert which contains the necessary Extensions such as Basic Constraints, Subject Key Identifier, key usage and extended key usage etc. for a CA. The profile caServerCert.cfg defines a generic SSL server cert which contains the necessary key usage and extended key usage etc. for an SSL server cert. Technically, if you take the union of the two profiles in terms of the key and extended key usage, you come up with a CA cert that can act as an SSL server cert. RFC 5280 contains more detail on which bits should or should not go with which if you are interested in learning more. Also, intermediate CA or not, the profile should be the same, unless the Path Length Constraint in Basic Constraints matters to you, though which should be calculated for you if not unlimited. Christina On 07/23/2013 01:53 PM, Taggart, Michelle wrote: _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users