Can I restrict an intermediate CA to only sign client certificates?

I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate certificate authorities), and this root is trusted by all internal clients and servers.

For signing the client certificates, I want to create an intermediate that can do only that: signing client certificates. Specifically, I don't want it to be possible to sign server certificates with this intermediate (the reason being that the intermediate by necessity has to be on an online system, and I want to limit the possible damage in case it gets breached).

Is this even possible?


If you create the intermediate CA with only the client auth certificate EKU (1.3.6.1.5.5.7.3.2) then even if a template got altered to allow it to endorse server auth certificates they would fail a chain walk.

On Windows this would report an error with the leaf/EE certificate with status CERT_TRUST_IS_NOT_VALID_FOR_USAGE (or, in .NET, X509ChainStatusFlags.NotValidForUsage).
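The chain walk described in this answer, reproduced with OpenSSL as an added example that is not part of the original question or either answer. The script builds a throwaway PKI (an offline-style root, an online issuing CA whose EKU is limited to clientAuth, and a client and a server leaf issued below it; all names, paths and lifetimes are made up) and then verifies each leaf for a stated purpose. The server certificate has a valid signature but fails the purpose-aware walk because the issuing CA lacks serverAuth. One caveat the script also shows: OpenSSL only checks EKU along the chain when a `-purpose` is given, whereas Windows builds the chain for the usage the application requests and reports CERT_TRUST_IS_NOT_VALID_FOR_USAGE, so the constraint is only as good as the validator that enforces it.

```shell
#!/bin/sh
# Added example (not from the question or answers): does a clientAuth-only
# issuing CA stop a serverAuth leaf from validating? Requires the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"            # scratch directory for keys and certs
Q="-nodes -sha256 -newkey rsa:2048"     # key-generation options shared by all CSRs (word-split on purpose)

# issue_leaf <name> <subject> <ext line>...: sign an end-entity cert with the issuing CA.
issue_leaf() {
    name=$1; subj=$2; shift 2
    { printf '%s\n' "basicConstraints=CA:FALSE" "keyUsage=critical,digitalSignature,keyEncipherment"
      printf '%s\n' "$@"; } > "$WORK/$name.ext"
    openssl req -new $Q -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

build_pki() {
    # Root: CA with keyCertSign and no EKU at all (an EKU-less CA is unconstrained).
    openssl req -x509 -new $Q -days 3650 -subj "/CN=Lab Offline Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

    # Issuing CA: still a CA (CA:TRUE, keyCertSign) but EKU = clientAuth only.
    # This is the restriction the answer describes.
    printf '%s\n' \
        "basicConstraints=critical,CA:TRUE,pathlen:0" \
        "keyUsage=critical,keyCertSign,cRLSign" \
        "extendedKeyUsage=clientAuth" > "$WORK/int.ext"
    openssl req -new $Q -subj "/CN=Lab Client Issuing CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$WORK/int.ext" \
        -out "$WORK/int.pem" 2>/dev/null

    # A legitimate client cert, and the server cert a breached CA (or an
    # altered template) might be made to sign.
    issue_leaf client "/CN=alice" "extendedKeyUsage=clientAuth"
    issue_leaf server "/CN=www.lab.internal" \
        "extendedKeyUsage=serverAuth" "subjectAltName=DNS:www.lab.internal"
}

# verify_chain <leaf> [purpose]: walk leaf -> issuing CA -> root. With a purpose,
# OpenSSL checks EKU/keyUsage on every certificate in the chain, not just the leaf;
# without one it only checks signatures, validity and basic constraints.
# Returns 0 when the chain validates, non-zero otherwise.
verify_chain() {
    leaf=$1; purpose=${2:-}
    if [ -n "$purpose" ]; then
        openssl verify -purpose "$purpose" -CAfile "$WORK/root.pem" \
            -untrusted "$WORK/int.pem" "$WORK/$leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" \
            -untrusted "$WORK/int.pem" "$WORK/$leaf.pem" >/dev/null 2>&1
    fi
}

# outcome <leaf> [purpose]: "ok" or "fail", for the report below.
outcome() { if verify_chain "$@"; then echo ok; else echo fail; fi; }

build_pki
echo "issuing CA EKU:          $(openssl x509 -in "$WORK/int.pem" -noout -ext extendedKeyUsage | tail -n 1 | sed 's/^ *//')"
echo "client cert, sslclient:  $(outcome client sslclient)"   # ok
echo "server cert, sslserver:  $(outcome server sslserver)"   # fail: issuing CA has no serverAuth
echo "server cert, no purpose: $(outcome server)"             # ok: signature-only check ignores EKU
```

The last line is the point to remember when relying on this: a validator that does not walk EKU down the chain (OpenSSL without `-purpose`, or any home-grown check that only looks at the leaf) will happily accept the rogue server certificate, so the EKU on the intermediate complements, rather than replaces, locking down which templates the CA may issue.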


With AD-integrated CAs you can specify the Certificate Templates which a CA is allowed to issue. So yes, you can.

But note: Certificate Templates are stored in the forest root. Thus the forest root admin can change the available certificate templates! The domain admin or local admin of the sub CA can change the templates provided by the sub CA. Thus you should, in addition, set the access rights on the templates accordingly.