Per B4CKSP4CE CA policy, each intermediate CA must carry strict Name Constraints. This means that every intermediate CA is able to issue certificates only for a specific subset of resources.

First of all, determine the list of resources that the new CA should be able to issue certificates for. It can be, for example:

- project.example.com
- *.example.com

Let's say I want to set up a CA for the internal SIP telephony service:

- *.sip.bksp.in domain.

So the Name Constraints for the new CA will be:

- permitted;DNS:.sip.bksp.in
- permitted;DNS:sip.bksp.dn42

Resulting in the following nameConstraints attribute:

```
nameConstraints=permitted;DNS:.sip.bksp.in, permitted;DNS:sip.bksp.dn42
```
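Before loading the attribute into the signing tool it is worth checking which names it actually covers, because the two entries above behave differently: OpenSSL treats a DNS constraint with a leading dot (`.sip.bksp.in`) as "subdomains only", while one without it (`sip.bksp.dn42`) also matches the bare host, per RFC 5280 section 4.2.1.10. The following Python script is an added example, not code from the B4CKSP4CE CA repo: it parses the OpenSSL-style `nameConstraints=` line built above and evaluates candidate hostnames against it using those matching rules. The hostnames it checks are constructed for illustration.

```python
"""Evaluate DNS names against an OpenSSL-style nameConstraints line.

Added example (not part of the CA repo). Implements the DNS matching rules
of RFC 5280 section 4.2.1.10 plus OpenSSL's leading-dot convention, so the
results should agree with what `openssl verify` enforces for leaf certs.
"""
import re

# The attribute exactly as built in the text above.
NAME_CONSTRAINTS = (
    "nameConstraints=permitted;DNS:.sip.bksp.in, permitted;DNS:sip.bksp.dn42"
)

_ENTRY_RE = re.compile(r"(permitted|excluded);([A-Za-z]+):(.*)")


def parse_name_constraints(line):
    """Return (permitted, excluded) lists of (general_name_type, value)."""
    body = line.split("=", 1)[1] if "=" in line else line
    permitted, excluded = [], []
    for entry in body.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = _ENTRY_RE.fullmatch(entry)
        if not m:
            raise ValueError(f"unrecognised constraint entry: {entry!r}")
        kind, gn_type, value = m.group(1), m.group(2).upper(), m.group(3)
        (permitted if kind == "permitted" else excluded).append((gn_type, value))
    return permitted, excluded


def dns_matches(name, base):
    """RFC 5280: base 'host.example.com' matches the host itself and any
    name formed by adding labels on the left. OpenSSL extension: a base
    with a leading dot ('.example.com') matches proper subdomains only."""
    name, base = name.lower().rstrip("."), base.lower()
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


def dns_name_allowed(name, permitted, excluded):
    """Excluded subtrees always win. If at least one permitted DNS subtree
    exists, the name must fall inside one of them; with no DNS subtree
    listed, DNS names are unrestricted by this extension."""
    if any(t == "DNS" and dns_matches(name, v) for t, v in excluded):
        return False
    dns_permitted = [v for t, v in permitted if t == "DNS"]
    if not dns_permitted:
        return True
    return any(dns_matches(name, v) for v in dns_permitted)


def check_names(line, names):
    """Map each candidate hostname to True (permitted) or False (rejected)."""
    permitted, excluded = parse_name_constraints(line)
    return {n: dns_name_allowed(n, permitted, excluded) for n in names}


if __name__ == "__main__":
    # Constructed sample hostnames, including two look-alike names that
    # share a suffix with the permitted subtrees but are not inside them.
    candidates = [
        "pbx.sip.bksp.in",
        "sip.bksp.in",            # bare host: rejected by the leading-dot form
        "sip.bksp.dn42",          # bare host: accepted by the dot-less form
        "pbx.sip.bksp.dn42",
        "www.bksp.in",
        "xsip.bksp.in",           # suffix match without a label boundary
        "pbx.sip.bksp.in.example",
    ]
    for host, ok in check_names(NAME_CONSTRAINTS, candidates).items():
        print(f"{host:28} {'permitted' if ok else 'rejected'}")
```

If the bare `sip.bksp.in` host also needs a certificate, the constraint would have to be written without the leading dot; the attribute as given restricts that tree to subdomains, which matches the `*.sip.bksp.in` scope stated above.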
Then issue the new CA certificate:

1. Go to Token -> Manage Security Token. You should see the contents of your Yubikey.
2. Open the Certificates tab and click on New Certificate.
3. Make sure Use this Certificate for Signing is checked and Root CA is selected.
4. Select Intermediate CA as a template and click Apply all.
5. In the Subject tab, fill the Internal Name field with the name of the new CA. Let's call it SIP S1.
6. In the Common Name field, enter B4CKSP4CE S1.
7. Click Generate a new key. Set name to SIP S1, key type to EC and curve to secp384r1.
8. Click Create.
9. Open the Extensions tab.
10. Set the Time range field value. Aim at the minimum reasonable value for your case; the max value is 15 years. Click on Apply.
11. Set the CRL distribution point field URI to https://ca.bksp.in/s1/revoke.crl.
12. Open the Advanced tab.
13. Click Edit and paste the nameConstraints attribute we've built before.
14. Click OK to sign the certificate.
15. Create a directory for the new CA in the public folder of this repo. Name it after your CA code, e.g. s1.
16. Export the certificate to the public/s1/bksp-s1.pem file.
17. Open the Revocation List tab. Set the time range to 1 year and click on Apply.
18. Export the CRL to the public/s1/revoke.crl file.
19. In the public/s1 directory, run `openssl x509 -text -in bksp-s1.pem > bksp-s1.txt` to create a human-readable certificate dump.
20. Add the new CA to the README.md Intermediate CAs list.