Feature #10258


allow to sign CA

Added by Viktor Gurov about 3 years ago. Updated about 3 years ago.

Priority: Very Low


To create a cross-signed intermediate CA.

This feature can be added to the page System / Certificate Manager / CAs / Edit -> Method list. In this way you can import a CA and then sign it with another CA in the system.

Actions #1

Updated by Jim Pingle about 3 years ago

  • Priority changed from Normal to Very Low

What is the use case for this?

We used to allow something similar in the past but removed it several years ago (CA was offered as a type of certificate when creating entries on the certificate tab).

Adding this seems unnecessary and is likely to duplicate a lot of the functionality we already have on the certs tab for little benefit.

Actions #2

Updated by Jens Groh about 3 years ago

We could use that feature right now. We run multiple CAs/intermediate CAs from our pfSense clusters, as we mostly need it there (besides a few other places). Multiple times it would have been nice to have the ability to cross-sign an intermediate CA from a new top-level CA, so as to fade out the old top level in favor of the new top-level CA. As we had a company rebranding, that issue has arrived again, where now more than 20 intermediates are still signed against a top-level CA that still has the old branding and info in it and can't be changed, as we would then have to re-issue a new intermediate and new server/client certs for all customers. That's simply not possible in that scope.

So even if it's a low prio we'd be a happy customer of that.
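
The cross-signing scenario described in the comment above, sketched with the plain `openssl` command line as an added example (not part of the ticket and not pfSense code). All names, subjects and lifetimes are constructed, and it assumes the intermediate's private key is available to create the request, as it is when the CA lives on the same system.

```shell
#!/bin/sh
# Constructed demo PKI: every name, subject and lifetime below is made up.

# mkcsr NAME CN: new RSA key (NAME.key) and CSR (NAME.csr)
mkcsr() {
  openssl req -new -config min.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# sign CSR CACERT CAKEY OUT EXTFILE: issue OUT.crt for CSR.csr under the given CA
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$3.key" -set_serial 1 \
    -days 30 -extfile "$5" -out "$4.crt" 2>/dev/null
}

# Builds two roots, one intermediate key certified by both, and a leaf.
# Prints the working directory.
build_demo_pki() (
  set -e
  dir=$(mktemp -d); cd "$dir"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > min.cnf
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > ca.ext
  printf '%s\n' 'basicConstraints=CA:FALSE' 'authorityKeyIdentifier=keyid' > leaf.ext
  for r in old new; do
    mkcsr "$r-root" "Demo $r root CA"
    openssl x509 -req -in "$r-root.csr" -signkey "$r-root.key" \
      -extfile ca.ext -days 30 -out "$r-root.crt" 2>/dev/null
  done
  mkcsr int "Demo intermediate CA"
  sign int old-root old-root int-old ca.ext    # original intermediate
  sign int new-root new-root int-cross ca.ext  # cross-signature: same subject and key
  mkcsr leaf "vpn.example.test"
  sign leaf int-old int leaf leaf.ext          # leaf issued before the migration
  echo "$dir"
)

# chain_ok DIR ROOT INT: does leaf.crt verify when only ROOT is trusted?
chain_ok() {
  openssl verify -CAfile "$1/$2.crt" -untrusted "$1/$3.crt" "$1/leaf.crt" >/dev/null 2>&1
}

d=$(build_demo_pki)
for pair in "old-root int-old" "new-root int-old" "new-root int-cross"; do
  set -- $pair
  chain_ok "$d" "$1" "$2" && res=accepted || res=rejected
  echo "trust $1, present $2: leaf $res"
done
```

Both intermediate certificates carry the same subject and public key, so the leaf's issuer name and signature match either one; only the root that terminates the chain differs.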

