Restrict an intermediate CA to only sign client certificates

Tags: ad-certificate-services, certificate, certificate-authority, pki, x509

I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate certificate authorities), and this root is trusted by all internal clients and servers.

For signing the client certificates, I want to create an intermediate that can do only that: signing client certificates. Specifically, I don't want it to be possible to sign server certificates with this intermediate (the reason being that the intermediate by necessity has to be on an online system, and I want to limit the possible damage in case it gets breached).

Is this even possible?

Best Answer

If you create the intermediate CA with only the client auth certificate EKU (1.3.6.1.5.5.7.3.2), then even if a template got altered to allow it to endorse server auth certificates, they would fail a chain walk.

On Windows this would report an error with the leaf/EE certificate with status CERT_TRUST_IS_NOT_VALID_FOR_USAGE (or, in .NET, X509ChainStatusFlags.NotValidForUsage).
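A reproduction of that chain-walk failure, added here as an example rather than taken from the answer or from ADCS: it uses the OpenSSL CLI (assumed installed, 1.1.1 or newer) instead of Windows, where `openssl verify -purpose` plays the role of the usage check that yields CERT_TRUST_IS_NOT_VALID_FOR_USAGE. The intermediate is given only the clientAuth EKU, then asked to validate a server certificate it signed anyway.

```shell
# Added example (not from the original answer). Builds a throwaway chain in a
# temp dir and shows that an intermediate whose EKU is only clientAuth cannot
# validate a serverAuth leaf it issued, even though the signature is valid.
set -eu
WORK=$(mktemp -d); cd "$WORK"; trap 'rm -rf "$WORK"' EXIT
printf '[req]\ndistinguished_name=dn\nx509_extensions=root_ext\n[dn]\n' > req.cnf
printf '[root_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> req.cnf

# 1. Offline root: plain CA with no EKU, so it is unrestricted.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
  -out root.crt -subj "/CN=Example Root" -days 30 2>/dev/null

# 2. Online issuing CA: CA:TRUE, but EKU limited to clientAuth (1.3.6.1.5.5.7.3.2).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout sub.key \
  -out sub.csr -subj "/CN=Example Client Issuing CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nextendedKeyUsage=clientAuth\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out sub.crt -days 30 -extfile sub.ext 2>/dev/null

# 3. Two leaves from one CSR: a proper client cert, and a server cert that a
#    breached or mis-templated issuing CA might emit anyway.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj "/CN=leaf.example" 2>/dev/null
for eku in clientAuth serverAuth; do
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$eku.ext"
  openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -out "$eku.crt" -days 30 -extfile "$eku.ext" 2>/dev/null
done

# verify_for PURPOSE CERT: chain-walk the leaf for the given usage, print ok/fail.
# OpenSSL applies the purpose to every CA in the path, not only to the leaf,
# so the clientAuth-only intermediate is what makes the server case fail.
verify_for() {
  if openssl verify -purpose "$1" -CAfile root.crt -untrusted sub.crt "$2" \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}
echo "clientAuth leaf for client use: $(verify_for sslclient clientAuth.crt)"
echo "serverAuth leaf for server use: $(verify_for sslserver serverAuth.crt)"
```

Without `-purpose` the server leaf still verifies, since its signature chain is intact; it is the usage check during the chain walk that rejects it, which is the behaviour the answer relies on.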
