If I purchase a signed certificate for example.com, can I then produce sub-certificates for
These sub-certificates would have PEM files whose privacy cannot be assured.
Can I do this, maintaining the privacy of the root certificate while generating an unlimited number of disposable sub-certificates that would still be recognized as valid by the original signing authority?
No, that won’t work.
In order to sign certificates you need your own certificate authority certificate. The certificates you purchase are signed by a certificate authority, but specifically marked as not being a certificate authority certificate.
Check the “Certificate Basic Constraints” in your certificate, and you will see that it “Is not a Certification Authority”.
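The Basic Constraints behaviour described in the answer, reproduced locally as an added example (not part of the original answer). It assumes the openssl CLI is installed; the "Demo Root CA" stands in for the commercial authority, and all keys, names and file names are constructed throwaways.

```shell
#!/bin/sh
# Added example. Keys and names are constructed throwaways; needs the openssl CLI.

# csr NAME CN: new RSA key NAME.key and request NAME.csr (run inside the work dir)
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_chain DIR: create ca.pem, leaf.pem and sub.pem in DIR
build_chain() {
  ( cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
      '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
      '[v3_leaf]' 'basicConstraints=critical,CA:FALSE' > ext.cnf
    csr ca 'Demo Root CA' && csr leaf example.com && csr sub sub.example.com || exit 1
    # Stand-in for the commercial CA: self-signed with CA:TRUE.
    openssl x509 -req -in ca.csr -signkey ca.key -days 1 \
      -extfile ext.cnf -extensions v3_ca -out ca.pem 2>/dev/null || exit 1
    # The certificate you purchase: issued by the CA with CA:FALSE.
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
      -extfile ext.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null || exit 1
    # The attempted sub-certificate: signed with the purchased certificate's key.
    openssl x509 -req -in sub.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
      -days 1 -out sub.pem 2>/dev/null || exit 1
  )
}

# is_ca CERT: true if Basic Constraints marks CERT as a certification authority
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chains_to_root DIR CERT: true if DIR/CERT validates with only ca.pem trusted
chains_to_root() {
  openssl verify -CAfile "$1/ca.pem" -untrusted "$1/leaf.pem" "$1/$2" >/dev/null 2>&1
}

work=$(mktemp -d) && build_chain "$work" || exit 1
is_ca "$work/leaf.pem" && echo "leaf: CA:TRUE" || echo "leaf: CA:FALSE"
chains_to_root "$work" leaf.pem && echo "leaf.pem: trusted"
chains_to_root "$work" sub.pem || echo "sub.pem: rejected, its issuer is not a CA"
rm -rf "$work"
```

Signing itself succeeds, because nothing stops a private key from producing a signature; the rejection happens when a relying party validates the chain and finds CA:FALSE on the issuer.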
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.