I have an internal PKI with a shared root CA, and multiple intermediate CAs, how do I make anything issued by any intermediate CA to trust everything?
Solution 1:
I'm not sure if I understand your question correctly or if you get the concept right, but
- Certificates don't trust each other - the TLS client instead trusts some certificate authorities and derives trust into server certificates from this.
- A TLS client basically trusts every certificate issued by a trusted CA, as long as it matches expectations like not expired, matches subject etc. The TLS client must be able to build the trust chain though to the trusted CA. Therefore the TLS client needs to know the relevant intermediate certificate(s) which are usually send inside the TLS handshake.
Thus, if you want any client to trust any certificates no matter which intermediate CA was used, then a) the client needs to trust the root CA and b) the servers need to send the intermediate CAs during the TLS handshake in addition to the server certificate.
See also SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?.