Generate subdomain certificate from valid wildcard certificate

Giving the nature of SSL certificates and keys which can be chained, can I (myself) generate a certificate for a subdomain based on the main domain certificate and key which are issued for wildcard subdomains?

The practice here is that I have to setup a new completely different and remote (physically) server for just one subdomain and I want to minimize the risk of the main certificate and keys being jacked, just in case.

can I do this with openssl utility providing my main domain, wildcard cert and keys or should be resigned by the CA again? If can, how?

Thanks

Solution 1:

First, I agree that it's a bad idea to spread wildcard certificates around. Best practice is to use either separate certificates (when the domains live on different servers or virtual hosts), or SAN certificates (when they all live in the same place).

However, you shouldn't be able to use your existing certificate to sign a sub-domain's certificate. SSL certificates are normally issued with a restriction on how they can be used. If you run openssl x509 -in /path/to/cert.pem -noout -text, you will see a part looking like

        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication

This means that the certificate can only be used to authenticate a web server or client. It can not be used to sign other certificates (or, at least, no client will trust a certificate signed by this one).

The reason why you can't do this is that there is currently no way for a CA to issue a certificate that can be used to sign other certificates within a given domain only. Therefore, if a trusted CA was to give you a certificate that you could use to sign other certificates, they would in effect give you the ability to impersonate any other site on the internet. This would be bad and that's why they don't do it.