Step CA as a Sub-CA (existing root CA) considerations with Intermediates

[fibbs]

Hi folks,

I am still somewhat new to step-ca and I love it a lot!

One thing I have been wondering without really finding an easy answer is, how would one handle a step-ca as a sub-CA of an existing one (like an existing Microsoft CA in an organisation): Step-ca, as far as I have learned, ALWAYS deploys with a root certificate and an intermediate, and also as far as I have learned, it will always send out the Leaf Certificate plus the one that issued the certificate (the intermediate) when issuing certificates using ACME or whatever method.

Now, let's imagine we have step-ca as sub of another CA, then I would have to have my, say web servers using step-cas certificates, present a chain of the leaf, step-ca's intermediate, and step-ca's root, as other clients would be trusting the "upper level" root certificate. Is that possible at all?

It seems it all comes down to whether a setup without an intermediate would actually be possible, plus whether it is configurable to hand out the root cert itself. If we think about even more complex scenarios, where, lets assume, a step CA is the root CA of an organisation, then we have a sub CA for the department of whatever, and they use a sub CA for their machine certificates, and one for the web services, or something like this.... I suppose it would be quite difficult to handle the "Root CA -> Intermediate of the Root CA -> actual Sub CA's root -> Sub-CA's Intermediate -> Leaf chain.

Looking for some enlightenment here :-)

Thanks a lot in advance.

[tashian]

I'm happy to answer specific questions about using step-ca as a sub-CA.
But, before I do, have you seen our tutorial for this?