Signing my intermediate CA


we will sign server certificates with the certificate of the Intermediate CA in Vault. The certificate of the intermediate CA have to be signed by our department that manages the root CA with a Windows CA. So following this documentation ( I run

Step 1, 1-4
Step 2, 1-3
But instead executing Step 4, I gave the windows CA department the csr and got a signed certificate back:
[ ~]# cat intermediate.cert.pem | openssl x509 -text -noout
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=org, DC=adminroot, CN=ADMINROOT Root CA
Not Before: Dec 9 08:45:32 2020 GMT
Not After : Dec 9 08:55:32 2025 GMT
Subject: Intermediate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)

But with this signed certificate, Step 2,5 fails:
[ ~]# vault write pki_int/intermediate/set-signed certificate=@ intermediate.cert.pem
Error writing data to pki_int/intermediate/set-signed: Error making API request.

Code: 400. Errors:

* the given certificate is not marked for CA use and cannot be used with this backend

No surprice: If I sign the csr with the own Root CA in Vault the import works. But this is not what we need. The Root CA should remain with the windows CA department. There CA should sign the Intermediate Certificate in Vault. But how?

Thanks for any hint!

Hi @MichaelRenner,

the department that was suppsed to create the intermediate CA certificate created a certificate that isn’t a CA.

You can verify with the command you used before:

If the certificate is a CA, the output will indicate the certificate is allowed to be used as CA:

X509v3 Basic Constraints: critical

I suspect “CA:TRUE” is missing, therefore it’s not allowed to be used as CA.


Take a look at this topic, I believe it’s the same issue: Error setting up intermediate CA - #5 by nicklunt

1 Like