Creating sub certificates from a root certificate (SSL)

chrism2671 asked:

If I purchase a signed certificate for example.com, can I then produce sub-certificates for a.example.com and b.example.com?

These sub-certificates would have PEM files whose privacy cannot be assured.

Can I do this, maintaining the privacy of the root certificate while generating an unlimited number of disposable sub-certificates that would still be recognized as valid by the original signing authority?

My answer:


No, that won’t work.

In order to sign certificates you need your own certificate authority certificate. The certificates you purchase are signed by a certificate authority, but specifically marked as not being a certificate authority certificate.

Check the “Certificate Basic Constraints” in your certificate, and you will see that it “Is not a Certification Authority”.


View the full question and answer on Server Fault.
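The Basic Constraints check described in the answer, as an added example that is not part of the original Server Fault post: the script builds a throwaway root CA, a CA:FALSE certificate for example.com, and a certificate for a.example.com signed with the example.com key, then runs path validation on both chains. All keys, names and files are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: every key, name and file here is throwaway test material.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Extension profiles: "ca" mirrors a CA certificate, "leaf" mirrors a
# purchased server certificate.
cat > "$work/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = critical,CA:FALSE
EOF

# issue NAME CN PROFILE SIGNER: create key + CSR, then sign with SIGNER's key.
# Note that openssl signs without checking whether SIGNER is a CA.
issue() {
  openssl req -new -config "$work/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$work/$1.key" -out "$work/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -days 1 -CAcreateserial \
    -CA "$work/$4.pem" -CAkey "$work/$4.key" \
    -extfile "$work/demo.cnf" -extensions "$3" -out "$work/$1.pem" 2>/dev/null
}

# is_ca NAME: succeeds only if the certificate's Basic Constraints say CA:TRUE.
is_ca() {
  openssl x509 -in "$work/$1.pem" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok NAME [INTERMEDIATE]: path validation, trusting only the demo root.
chain_ok() {
  openssl verify -CAfile "$work/root.pem" ${2:+-untrusted "$work/$2.pem"} \
    "$work/$1.pem" >/dev/null 2>&1
}

openssl req -x509 -config "$work/demo.cnf" -extensions ca -newkey rsa:2048 \
  -nodes -keyout "$work/root.key" -out "$work/root.pem" \
  -subj "/CN=Demo Root CA" -days 1 2>/dev/null
issue leaf example.com leaf root     # stands in for the purchased certificate
issue sub a.example.com leaf leaf    # "sub-certificate" signed with leaf's key

is_ca root && echo "root: CA:TRUE"
is_ca leaf || echo "leaf: CA:FALSE (not a Certification Authority)"
chain_ok leaf && echo "leaf -> root: accepted"
chain_ok sub leaf || echo "sub -> leaf -> root: rejected by path validation"
```

Signing succeeds because the private key can sign anything; the rejection happens at the verifier, which refuses to treat a CA:FALSE certificate as an issuer.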

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.