Intermediate CA Creation issues with Godaddy Key



  • Greetings,

    I'm trying to create an intermediate CA and I have a Godaddy Cert & Key.  Filled out the information and get this error:

    openssl library returns: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    What am I missing?

    Dino


  • LAYER 8 Netgate

    What are you trying to do?

    You can't create an intermediate CA from a cert received from an issuer like Godaddy.  If you got a godaddy cert with the Certificate Authority bits flipped, it's probably worth millions to the right people.



  • Sorry.  Totally didn't say that correctly

We have a wildcard cert purchased from Godaddy for our company.  I would like to create an intermediate CA off of that so certs I create within my company will validate back to Godaddy, essentially adding us to the chain.

    So Godaddy -> my company -> my certs.  Essentially our own internal intermediate CA.

    We are creating OpenVPN users with certs and the boss would like those certs authenticated back through us to godaddy.

    I'm assuming it can't be done but thought I would ask.

    Thanks for posting!


  • LAYER 8 Global Moderator

"I would like to create an intermediate CA off of that so certs I create within my company will validate back to Godaddy, essentially adding us to the chain"

    It doesn't work that way…


  • LAYER 8 Netgate

    Your boss needs a primer in PKI.



  • @dbennett:

We have a wildcard cert purchased from Godaddy for our company.  I would like to create an intermediate CA off of that so certs I create within my company will validate back to Godaddy, essentially adding us to the chain.

    So Godaddy -> my company -> my certs.  Essentially our own internal intermediate CA.

    We are creating OpenVPN users with certs and the boss would like those certs authenticated back through us to godaddy.

    I'm assuming it can't be done but thought I would ask.

    As johnpoz says, you won't be able to do this. There will be a flag in the Godaddy certificate that says 'cannot act as a CA'. Even if you forcibly sign your CA certificate with the Godaddy certificate, the signature will not act as part of a valid CA chain.

    It is sometimes possible to get a CA certificate signed by a CA certificate in the public roots, but they come with considerable security requirements (typically including storage in an HSM), are for a limited range of uses and are extremely expensive. Most CAs never issued these certificates and those that do issue them may well insist on retaining physical control of the certificate and using it to sign objects at your request so that they can ensure the security and usage limitations are respected.

    Issuing user certificates would almost certainly be outside the usage scenarios for a CA certificate signed by a public root even if you did possess one. Typically, you cannot use an intermediate certificate to do anything other than issue server certificates for DNS names. As you can get server certificates chaining to a public root for addresses in the public DNS for free thanks to StartSSL and most people never look at the contents of a certificate, having your own CA that chains to a public root is of limited value.

    Your boss needs to understand what is being asserted and by whom. In the case of a VPN user certificate (or user certificate for a Windows domain), the assertion is that user X is a member of your organisation and is potentially entitled to use its resources, which is rightly made by a CA controlled by user X. There is no need for the CA making that assertion to chain to a public root as no member of the public will be relying on the assertion in the user certificate.
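An added example (not code from the thread or from pfSense) that reproduces the two checks behind the replies above: whether a private key actually belongs to a certificate (the X509_check_private_key error in the first post) and whether a certificate is even allowed to act as a CA (the CA flag the later replies mention). It assumes the openssl command-line tool (1.1.1 or later) is on PATH; the certificates it inspects are throwaway ones it generates itself.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes the openssl CLI is installed.
# Generates a throwaway self-signed CA and a throwaway end-entity certificate with the
# extensions a purchased wildcard server certificate carries, then runs two checks:
#   1. does the private key belong to the certificate (what X509_check_private_key tests)?
#   2. does the certificate assert CA:TRUE and carry the keyCertSign key usage?
WORK=$(mktemp -d)
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
# Self-signed CA: what an internal OpenVPN CA looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" -extensions v3_ca \
  -subj "/CN=Example Internal CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Self-signed leaf with server-certificate extensions (constructed stand-in for a bought cert).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" -extensions v3_leaf \
  -subj "/CN=*.example.com" -keyout "$WORK/leaf.key" -out "$WORK/leaf.crt" 2>/dev/null

# Prints "yes" if the public key embedded in the certificate equals the key's public half.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then echo yes; else echo no; fi
}

# Prints "yes" only if basicConstraints says CA:TRUE and keyUsage permits certificate signing.
cert_is_ca() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
  if printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' &&
     printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
    echo yes
  else
    echo no
  fi
}

echo "ca.crt   matches ca.key:  $(key_matches_cert "$WORK/ca.crt" "$WORK/ca.key")"   # yes
echo "leaf.crt matches ca.key:  $(key_matches_cert "$WORK/leaf.crt" "$WORK/ca.key")" # no
echo "ca.crt   can act as a CA: $(cert_is_ca "$WORK/ca.crt")"                        # yes
echo "leaf.crt can act as a CA: $(cert_is_ca "$WORK/leaf.crt")"                      # no
```

Pasting the wrong key with a certificate gives the "no" on the first check, which is the mismatch error from the first post; a purchased server certificate gives "no" on the second, which is why it can never sign an intermediate.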

