Intermediate CA certificate in Java keystore

Tags:

java

ssl

My Dev OPs team would like to make use of an Intermediate CA certificate in our Java keystore. I believe adding an intermediate certificate into the keystore is the same process as adding a "regular cert", correct? Are there any "gotchas" I need to be aware of? Also, how do I verify in testing that Java is using the intermediate cert as opposed to checking back with the CA?

Jay asked Oct 18 '13 15:10


2 Answers

You need to reason in terms of certificate chain. The goal of intermediate CA certificates is to let the remote party build a chain between the End-Entity Certificate (e.g. the server or the client certificate itself) and another CA certificate further up the chain.

If you're talking about importing this intermediate CA certificate into a keystore that will be used as a truststore, whether that CA certificate is an intermediate one or a "root" CA certificate doesn't really matter: it will become a trusted anchor like another for the application using that truststore.

If you're talking about a keystore used as a keystore, you need to make sure your EEC will be presented along with the correct chain.

For example, let's assume CA_1 issues the cert for CA_2, which issues the cert for server S. Your clients have cert CA_1 in their trusted anchors (but not necessarily CA_2): you'll need to present a chain "S, CA_2", so that they can verify the chain via CA_2 (otherwise, they wouldn't know how to link CA_1 to S).

To do so, you need to make sure the entry for S and its private key contains the chain it needs to send (S, CA_2), not just certificate S. Importing CA_2 in a separate entry in your keystore will not make the JSSE build the chain for you when presenting certificate S.

How to do so is described in this answer (although this was from a client-cert point of view).

Bruno answered Sep 22 '22 13:09
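A way to check the point made in the answer above, namely that the key entry for S must itself carry the chain (S, CA_2) rather than CA_2 sitting in a separate entry: this is an added example, not code from the original post. It loads a keystore, walks every key entry, and verifies that each certificate in the stored chain was actually signed by the next one; a chain of length 1 means only S would be presented. The keystore path, password and type are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Usage (assumed): java ChainCheck server.jks changeit JKS
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] password = args[1].toCharArray();
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Trusted-certificate entries (e.g. CA_2 imported on its own) are never
            // sent to the peer; only the chain attached to a key entry is.
            if (!ks.isKeyEntry(alias)) {
                System.out.println("Trusted-cert entry '" + alias + "' (not presented to peers)");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("Key entry '" + alias + "': chain length " + chain.length);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = (X509Certificate) chain[i];
                System.out.println("  [" + i + "] subject=" + cert.getSubjectX500Principal()
                        + " issuer=" + cert.getIssuerX500Principal());
                if (i + 1 < chain.length) {
                    // Each link must be signed by the next certificate; verify() throws otherwise.
                    X509Certificate issuer = (X509Certificate) chain[i + 1];
                    cert.verify(issuer.getPublicKey());
                }
            }
            if (chain.length < 2) {
                System.out.println("  WARNING: only the end-entity cert is stored; clients trusting"
                        + " CA_1 alone will not be able to build a path to it");
            }
        }
    }
}
```

If the chain is missing, the usual fix is to import the concatenated PEM chain (S followed by CA_2) with `keytool -importcert` under the alias of the key entry, which replaces that entry's chain rather than creating a separate trusted-cert entry.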


To answer your questions in order:

I believe adding an intermediate certificate into the keystore is the same process as adding a "regular cert", correct?

Yes. For example, see this VMWare documentation on installing intermediate CA's.

Are there any "gotchas" I need to be aware of?

Only that every intermediate CA needs its own alias.

Also, how do I verify in testing that Java is using the intermediate cert as opposed to checking back with the CA?

If you just want to verify that it does not check the root CA, then just don't install it, and you know that it can't be used.

Update: In response to the comment from @Bruno, it is fair to point out that this answer only addresses the issues raised in the question. I am assuming here that the issues around trust and certificate distribution, the normal reasons for having intermediate CA's in the first place, have been dealt with, and that this is the desired solution. For more information on those issues, you should look at Bruno's answer.

Paul Wagland answered Sep 18 '22 13:09