Using the SSL Toolset the intermediate certificates are signed by the private key of the root certificate.
-
The first step is to create a Certificate Signing Request (CSR) for the intermediate certificate.
For the procedure, see Create a CSR for the intermediate certificate.
-
In the next step, you use the certificate signing tool and the private key of the root certificate to sign the intermediate certificate. Once signed, the certificate should be stored in a separate folder.
For the procedure, see Sign the intermediate certificate using the root certificate’s private key.
-
This step marries the signed certificate with its private key, which never left the Key Store. The green shield
indicates that the intermediate CA certificate has been signed.
-
In this step you export the root certificate without its private key. You will then import the root certificate into the Trust Store of each JACE.
The intermediate certificate (IntermCACert) does not need to be exported. It is used to sign server certificates and does not need to be imported into the any Trust Store. The only reason to export an intermediate certificate would be to back it up.
For the procedure, see Export the root and intermediate certificates.
In the Workbench Key Store, the root certificate always shows the caution shield 
. As the highest authority in the chain of trust, this certificate must be self-signed. For this reason, the root certificate
must be physically protected for the security system to provide any protection to the network.