How to Generate Root & Intermediate CAs

Eytan Raphaely Education

A proper PKI allows your network to utilize certificate-based authentication. Root CAs and Intermediate CAs are both parts of the SSL chain that make these certificate-based networks effective.

This article will explain why they’re important, the difference between the two, and how you can easily generate and manage them using Secure W2’s PKI.

What is a Root CA?

A Root CA is just that, the root of the trust model that upholds the SSL chain. It is a type of certificate authority that can be used to issue other certificates, which means it is imperative that the Root CA is secure and trusted.

Root certificates are established by a trusted root CA and most browsers and applications come with pre-installed root stores. These are based on the OS that your device is using. Google, Microsoft, and Apple all have their own, each with stringent guidelines.

What is an Intermediate CA?

Certificate authorities rarely sign certificates using the root CA directly. They are too valuable and need to be secured at all costs. Instead, they put one or more levels of separation between themselves and the client by creating intermediate certificate authorities.

An Intermediate CA is also a trusted CA and is used as a link in the chain between the root CA and the client certificate that the user enrolls for. Because the trusted root CA has signed off on the intermediate CA, it is treated as trusted as well.

SecureW2’s PKI always uses the intermediate CA to generate client certificates for Wi-Fi authentication, as is standard practice. SecureW2’s intermediate CA is nearly impenetrable due to the high-level encryption used for the private keys and the protection gained from the HSM, ensuring you have the highest level of security possible.

Generating Certificate Authorities

While it’s possible to create your own certificate authorities, the process is much less straightforward than creating one with an easy-to-use management system. The process also differs depending on the OS you are using. For example, on macOS:

  1. Open a command console
  2. Enter: openssl genrsa -des3 -out myCA.key 2048
  3. When prompted, enter your passphrase
  4. Generate a Root CA by entering: openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
  5. Enter answers regarding Name, Location, State, Organization, etc.

After this process, you need to install your Root CA on all devices that access your network. This can be a daunting task, especially for larger organizations. This approach also offers no mechanism for certificate revocation or management.

Luckily, SecureW2 offers an alternative solution that contains everything an organization would need to generate Private Certificate Authorities for internal applications like Wi-Fi, VPN, Web Apps, and a host of other applications.

Generating Certificate Authorities Easily with SecureW2

Many organizations find generating and managing certificates to be a major hassle; however, SecureW2’s PKI comes with a state-of-the-art management system that allows certificates to be handled with ease. Here’s how to create certificate authorities with SecureW2:

Root CA:

  1. Under PKI Management select Certificate Authorities
  2. Select Add Certificate Authority
  3. Choose Root CA under Type
  4. Choose a name and Save

Intermediate CA:

  1. Under PKI Management select Certificate Authorities
  2. Select Add Certificate Authority
  3. Choose Intermediate CA under Type
  4. Select the corresponding Root CA under Certificate Authority
  5. Choose your desired setting under Generate Via
    1. Internal System: The intermediate CA private key and certificate are stored in the cloud. This CA can then be used in the Enrollment policy to sign client certificates
    2. Certificate Signing Request: Allows administrators to upload a Certificate Signing Request and then get it signed by the Root CA
    3. Browser: The intermediate CA private key and certificate are not stored in the cloud portal and are allowed to be downloaded. This CA cannot be used for device enrollment and will be used for SSL inspection
  6. Choose a name and expiration date, then Save

SecureW2’s PKI allows you to manage and create CAs in a matter of minutes. The ability to fully take hold of your network security is an invaluable tool, and should be taken advantage of. SecureW2 offers affordable options for organizations of all shapes and sizes, so click here to inquire about pricing.

Learn About This Author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.