Partially trusting somebody else’s Certificate Root (Cross sign)

When I visit a customer it isn't unusual that they run their own Certificate Authority for internal systems. But I don't want to install their CA as a trusted root on my laptop: a trusted root can vouch for any name at all, and who knows what they have been up to.

There are some kinks: not all SSL implementations support, or even honour, the nameConstraints extension I am relying on. But luckily for me Windows does. So I keep my own CA, use it to cross-sign each customer's CA, and limit the result to the domains I see fit.

First of all, let's get OpenSSL installed on your machine. Head over to Shining Light Productions. You might ask why not take it from the source, OpenSSL itself; the reason is that the OpenSSL project does not distribute compiled binaries, so you either get the source and compile it yourself, or get the installer from Shining Light and be happy.

Now let's start by creating our own private CA certificate and key. We will install this certificate on our machine as a Root CA. Keep the key, because you need it to sign other CAs down the road. Also, anyone who gets hold of your key can create fake certificates that your machine will trust, so putting it on your homepage is a bad idea.

Putting it all together

I am creating a CA that lives for 10 years; not really needed, but why not. I installed my binaries in the root of the C drive, so just change the path as required. I'm going to create a folder to work in first.

Congratulations, you now have a new CA certificate and a key. Let's download the CA that we want to restrict and put it in the same folder. If the file isn't in PEM format you need to add `-inform der` to the openssl command. For this post I decided just to play with Google's CA; it might not be a smart thing to do, as you can break things signed by them. I downloaded Google's CA certificate, giag2.crt, into the working folder. Now let's create the file that does the work. I am calling it nameCons-google.cfg and placing it in the same folder.

Now create the cross-signed intermediate certificate: a copy of the customer's CA certificate, signed by your root CA, that is only valid for the domains you allow.

You will get some warnings with the Google certificate, but I haven't seen that with my customers' certificates. Now we have a brand spanking new certificate that limits what that issuer can do.

If we now install our root certificate and the newly created intermediate on the machine, Windows will limit anything signed by that issuer to the permitted domains.

If we want to allow more domains, or exclude some, let's do the same with other Google domains: just add them at the end of the nameConstraints line as extra permitted or excluded entries.

You can even add other name types such as IP or dirName. Almost all subjectAltName types are usable, with the exception of mail. I'll leave you with a nameCons that does both an IP and a dirName.

Now remember: you need to install both your root certificate AND the cross-signed certificate of the customer's CA.
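The whole procedure above, run end to end as an added example that is not from the original post: it builds a private root, uses a locally generated stand-in for the customer's CA in place of the downloaded giag2.crt (no real CA is touched), cross-signs it with a nameConstraints section covering permitted and excluded DNS names plus an IP range, then issues test certificates with the customer CA's own key and verifies them against the private root alone. The openssl commands are the same ones the post types into a Windows prompt; this version is a POSIX shell script, it assumes an openssl binary (1.1.1 or 3.x) on PATH, and every name, domain and address in it is constructed.

```shell
#!/bin/sh
# Added example, not the post's own commands: cross-sign a stand-in customer CA
# under a private root with nameConstraints, then verify leaf certificates.
# Assumes openssl on PATH. All subjects, domains and addresses are constructed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so nothing depends on the system openssl.cnf.
cat > req.cfg <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constraints for the cross-signed copy of the customer CA: everything under
# example.com is allowed except hr.example.com, and IP SANs must lie in 10/8.
# subjectKeyIdentifier=hash reproduces the customer CA's own key id, so leaf
# certificates carrying an authorityKeyIdentifier still chain to this copy.
# A dirName subtree would be written as permitted;dirName:<section name>.
cat > nameCons-customer.cfg <<'EOF'
[nameCons]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = critical,permitted;DNS:example.com,excluded;DNS:hr.example.com,permitted;IP:10.0.0.0/255.0.0.0
EOF

new_ca() {  # new_ca <file stem> <subject CN>: self-signed CA, key kept alongside
  openssl req -x509 -new -config req.cfg -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.crt" -days 3650 -subj "/CN=$2" 2>/dev/null
}
new_ca myroot "My private cross-signing root"    # the CA you install as trusted
new_ca customer "Example Corp internal CA"       # stand-in for the downloaded CA

# The cross-sign itself: same subject and public key as customer.crt, but issued
# by myroot with the customer's extensions replaced by the constrained set.
openssl x509 -in customer.crt -CA myroot.crt -CAkey myroot.key -CAcreateserial \
  -days 3650 -clrext -extfile nameCons-customer.cfg -extensions nameCons \
  -out customer-cross.crt 2>/dev/null

# Leaf certificates issued with the customer CA's real key, as the customer would.
openssl genrsa -out leaf.key 2048 2>/dev/null
issue_leaf() {  # issue_leaf <file stem> <subjectAltName value>
  openssl req -new -config req.cfg -key leaf.key -subj "/CN=$1 test leaf" -out "$1.csr"
  printf '[leaf]\nbasicConstraints = CA:false\nsubjectAltName = %s\n' "$2" > "$1.cfg"
  openssl x509 -req -in "$1.csr" -CA customer.crt -CAkey customer.key -CAcreateserial \
    -days 365 -extfile "$1.cfg" -extensions leaf -out "$1.crt" 2>/dev/null
}
issue_leaf www  "DNS:www.example.com"
issue_leaf hr   "DNS:hr.example.com"
issue_leaf evil "DNS:login.example.net"
issue_leaf vpn  "DNS:vpn.example.com,IP:10.1.2.3"
issue_leaf lan  "DNS:lan.example.com,IP:192.168.1.1"

# Verification trusts only myroot and reaches the customer CA through the
# cross-signed copy, which is the view Windows gets after installing both.
verify_leaf() {  # prints "allowed" or "rejected" for <file stem>
  if openssl verify -CAfile myroot.crt -untrusted customer-cross.crt "$1.crt" >/dev/null 2>&1
  then echo allowed; else echo rejected; fi
}

# True when the cross-signed copy actually carries the extension.
cross_has_constraints() {
  openssl x509 -in customer-cross.crt -noout -text | grep -q 'Name Constraints'
}

for stem in www hr evil vpn lan; do
  printf '%-5s %s\n' "$stem" "$(verify_leaf "$stem")"
done
```

Expected output: www and vpn are allowed; hr (excluded subtree), evil (outside the permitted DNS subtree) and lan (IP outside 10/8) are rejected. Two points worth noticing: the cross-signed copy keeps the customer CA's subject and subjectKeyIdentifier, so leaf certificates chain to it exactly as they chain to the original; and the check only goes through the constrained copy because the customer's original certificate is not in the trust store. Install the customer's CA as a trusted root as well and a client can build the unconstrained path instead, which is why the post keeps it out of the trust store.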
