I guess we need to agree to disagree.
Perhaps and, after all, it doesn't really matter. Goal is that it works for you.
My initial point was not to get an agreement but to clear up some potential misconception.
Do a web search on the definition of intermediate vs root certificate authority... I explained the difference earlier in the post. This is where I am coming from.
I'm afraid you will have to explain again because I still don't understand this. The keyword here is not certificate but authority.
I don't need Google to understand (well, to think I understand) certificates as I'm an old X509 and OpenSSL user.
Let me try to explain again with more technical detail. In the meantime, feel free to provide me with a URL explaining the difference between "leaf certificate" and intermediate "certificate authority".
BTW I think (hope) you already understand the difference now as your last post says:
Do a web search on the definition of intermediate vs root certificate authority
meaning this is clear to you that intermediate should only apply to authorities, while the previous post said:
Anything else you create after that will be an intermediate certificate which requires a certificate authority to validate
which is to me, if not wrong, at least a misleading statement.
Although everything is feasible, especially if you don't follow X509v3, the technical difference between a "basic" certificate and a "certificate authority" is the fact that the authority embeds "basicConstraints=CA:TRUE", showing that such a certificate is granted for CSR signature and certificate signing, while, on the other hand, leaf certificates (that are therefore not "intermediates") inherit from constraints like "extended key usage" to specify what can (should) be done with this certificate.
Like LDAP, X509 inherits from the X500 naming convention, so let me take this analogy that may help to understand.
In LDAP, there is technically no difference between branches and entries attached to this branch. Does it mean that you would happily add a password attribute to ou=users,dc=whatever in order to permit someone or an application to authenticate with this entry? I don't think so... this LDAP entry is a branch to which leaf entries are attached.
X509 works more or less the same way, at least until they issued X509v3, because this "certificate usage" concept was misunderstood and misused.
So back to our initial point:
- what is intermediate is the authority, not the leaf certificate. This looks obvious to me when expressed this way
If this is clear to you too and if you agree, then we are on the same track. If not, you're welcome to provide any URL explaining the opposite
and, as you rightly say, we can just agree to disagree
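The distinction discussed above, as an added example that is not part of this thread: Go's standard crypto/x509 library issuing a root and an intermediate (both basicConstraints=CA:TRUE) and a leaf (CA:FALSE with an extended key usage of serverAuth), and its chain verifier refusing anything the leaf tries to sign. The Cert type, Issue, ChainOK and the subject names are my own constructions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Cert pairs a parsed certificate with the private key that signs on its behalf.
type Cert struct {
	C   *x509.Certificate
	Key ed25519.PrivateKey
}
// Issue signs a certificate for name with parent (nil means a self-signed root). isCA=true emits
// basicConstraints=CA:TRUE plus keyCertSign (an authority); isCA=false emits CA:FALSE plus EKU serverAuth (a leaf).
func Issue(name string, isCA bool, parent *Cert) (*Cert, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA { // an authority's key signs certificates and CRLs; it carries no end-entity usage
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent = &Cert{C: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.C, pub, parent.Key)
	if err != nil {
		return nil, err
	}
	c, err := x509.ParseCertificate(der)
	return &Cert{C: c, Key: key}, err
}
// ChainOK reports whether end verifies up to root through inters; Go rejects any intermediate lacking CA:TRUE.
func ChainOK(root *Cert, inters []*Cert, end *Cert) bool {
	roots, mid := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.C)
	for _, i := range inters {
		mid.AddCert(i.C)
	}
	_, err := end.C.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mid})
	return err == nil
}
```

A certificate signed by the CA:FALSE leaf carries a cryptographically valid signature, yet ChainOK returns false for it because the verifier looks at the authority flag, not at the signature alone.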
The good news is that it solves the problem...
Sure, anything else doesn't really matter