nebula
Are intermediate/subordinate CAs possible? Ed25519 error
As https://github.com/slackhq/nebula/issues/111#issuecomment-1038097055 discusses, there seems to be a potential for Nebula to use subordinate/intermediary CAs.
The following quick test resulted in an error. If there is a correct way to do this, then can it please be shared here?
```shell
mkdir test && cd test
mkdir root sub1 client1-1
cd root
nebula-cert ca -name "Happy Tree Friends CA" -duration 26298h -out-key r_ca.key -out-crt r_ca.crt
cd ../sub1
nebula-cert keygen -out-key s1_ca.key -out-pub s1_ca.pub
cd ../root
nebula-cert sign -name "Happy Tree Friends Subordinate CA 1" -ca-crt r_ca.crt -ca-key r_ca.key -in-pub ../sub1/s1_ca.pub -out-crt ../sub1/s1_ca.crt -duration 17532h -ip 192.168.192.168/24
cd ../client1-1
nebula-cert keygen -out-key c1-1.key -out-pub c1-1.pub
cd ../sub1
nebula-cert sign -name "Client 1-1" -ca-crt s1_ca.crt -ca-key s1_ca.key -in-pub ../client1-1/c1-1.pub -out-crt ../client1-1/c1-1.crt -ip 192.168.192.169/24
```

```
Error: error while parsing ca-key: bytes did not contain a proper nebula Ed25519 private key banner
```
Nebula doesn't support certificate chains / intermediate certs, there are only roots and leaves. There is no signing a CA with another CA.
It does support trusting multiple CAs, though. So, a host (whose cert can only be signed by 1 CA) will successfully handshake with a host signed by a different CA as long as each peer's CA is listed in their respective pki.ca configuration files.
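The multi-root layout described in the reply, as an added example that is not part of the issue or of the Nebula project's own code: two independent root CAs, one host signed by each, and a single `pki.ca` bundle that trusts both, checked with `nebula-cert verify`. The CA names, directory layout, IPs and the `build_ca_bundle` helper are constructed for this example; the `nebula-cert` flags used (`ca`, `sign -out-key`, `verify -ca -crt`) are real. The helper works without `nebula-cert` installed; the end-to-end demo runs only when the binary is on `PATH`.

```shell
#!/bin/sh
# Added example: trust two separate root CAs instead of chaining them.
# Nebula has no intermediate CAs, so each host cert is signed by exactly one
# root; cross-CA handshakes work because every host trusts BOTH roots.
set -eu

# Concatenate one or more root CA certs into a single bundle that pki.ca can
# reference. Each cert is forced to end with a newline so PEM banners never run
# together. Prints the number of certificate banners found in the bundle
# (and fails, via grep's exit status, if there are none).
build_ca_bundle() {
  out="$1"; shift
  : > "$out"
  for ca in "$@"; do
    cat "$ca" >> "$out"
    if [ -n "$(tail -c 1 "$out")" ]; then
      echo >> "$out"
    fi
  done
  grep -c -- '-----BEGIN NEBULA CERTIFICATE-----' "$out"
}

# End-to-end demo (constructed names/IPs); needs nebula-cert on PATH.
demo() {
  work=$(mktemp -d)
  cd "$work"
  mkdir rootA rootB hostA hostB

  # Two independent roots. Neither signs the other; that is the unsupported case.
  nebula-cert ca -name "Root CA A (example)" -out-key rootA/ca.key -out-crt rootA/ca.crt
  nebula-cert ca -name "Root CA B (example)" -out-key rootB/ca.key -out-crt rootB/ca.crt

  # Each host cert is signed by exactly one root.
  nebula-cert sign -name hostA -ip 192.168.100.10/24 \
    -ca-crt rootA/ca.crt -ca-key rootA/ca.key \
    -out-key hostA/host.key -out-crt hostA/host.crt
  nebula-cert sign -name hostB -ip 192.168.100.11/24 \
    -ca-crt rootB/ca.crt -ca-key rootB/ca.key \
    -out-key hostB/host.key -out-crt hostB/host.crt

  # One bundle containing both roots; this is what pki.ca points at on every host.
  n=$(build_ca_bundle ca-bundle.crt rootA/ca.crt rootB/ca.crt)
  echo "bundle contains $n CA certificate(s)"

  # Both leaf certs verify against the shared bundle, so hostA and hostB will handshake.
  nebula-cert verify -ca ca-bundle.crt -crt hostA/host.crt
  nebula-cert verify -ca ca-bundle.crt -crt hostB/host.crt

  # pki fragment for hostA (hostB uses the same ca: line with its own cert/key).
  cat > hostA/config-pki.yml <<EOF
pki:
  ca: $work/ca-bundle.crt
  cert: $work/hostA/host.crt
  key: $work/hostA/host.key
EOF
  echo "wrote $work/hostA/config-pki.yml"
}

if command -v nebula-cert >/dev/null 2>&1; then
  demo
else
  echo "nebula-cert not found on PATH; skipping end-to-end demo" >&2
fi
```

Keeping the root CA private keys (`rootA/ca.key`, `rootB/ca.key`) offline is the practical substitute for the delegation an intermediate would have given: a compromised host key only affects that host, and a root can be rotated by issuing the new root into the bundle alongside the old one before re-signing hosts.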