Obtaining the intermediate certificate

[verement]

Hello,

I have some software that insists that the intermediate signing certificate be together with the root certificate in the trust store, and that the leaf certificate be by itself.

Currently, step ca certificate and step ca renew appear to bundle the leaf and intermediate certificates together. Is there a formal way to separate these?

Also, is there a way to obtain the intermediate certificate from the CA server without obtaining a leaf certificate? This would be helpful for provisioning client systems’ trust stores.

Thanks.

[maraino]

I don't think we have a command that only shows the intermediate, but it is possible to extract it using some shell commands.

For example, you can get it from the certificate of your ca, without creating a new leaf like this:

step certificate inspect --roots $(step path)/certs/root_ca.crt --format pem --bundle https://myca:9000 | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; if (a==2) {print} }'