I have an internal PKI with a shared root CA, and multiple intermediate CAs, how do I make anything issued by any intermediate CA to trust everything?

pki ssl certificate-authority

Solution 1:

I'm not sure if I understand your question correctly or if you get the concept right, but

  • Certificates don't trust each other - the TLS client instead trusts some certificate authorities and derives trust into server certificates from this.
  • A TLS client basically trusts every certificate issued by a trusted CA, as long as it matches expectations like not expired, matches subject etc. The TLS client must be able to build the trust chain though to the trusted CA. Therefore the TLS client needs to know the relevant intermediate certificate(s) which are usually send inside the TLS handshake.

Thus, if you want any client to trust any certificates no matter which intermediate CA was used, then a) the client needs to trust the root CA and b) the servers need to send the intermediate CAs during the TLS handshake in addition to the server certificate.

See also SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?.

Related

Security issue with pg_hba.conf
Domain blocked by ISP
Http 500 internal server error on MVC3 deployment
Identifying saturated disks on CentOS 8
Change alias of Exchange Online mailbox
How to troubleshoot network flows across peered VPC
nftables mangling without NOTRACK: what can happen?
Why Spark writes Null in DeltaLake Table
How can I draw an array of objects inside another object in p5.js?
Take Average of an Array using Recursion
Firebase Upload missing required dSYMs Not Working
Tuples without dictionaries