
Right Way to Implement Multiple Intermediate CAs in CFSSL #1373

Open
@awcator


Hello,

I have a usecase where I need to set up multiple intermediate CAs signed by a single root CA. The goal is to expose these intermediate CAs as API endpoints to issue new leaf certificates. I'm wondering whether I need to run multiple instances of CFSSL or use the multirootCA binary for this purpose.

Additionally, if I opt for the multirootCA binary, I'd like to know whether I need to modify the config file and restart the multirootCA binary every time I create a new intermediate CA. Ideally, I'm seeking a setup similar to HashiCorp Vault PKI.

Any guidance or suggestions on how to achieve this would be greatly appreciated. Thank you!

I tried something like this in CFSSL:
root-ca-config.json

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "intermediateCA": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h",
        "ca_constraint": {
          "is_ca": true
        }
      },
      "leafCertificateForCustomer1CA": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "50h",
        "paths": {
          "private_key": "/path/to/customer1CA/key.pem",
          "certificate": "/path/to/customer1CA/cert.pem"
        }
      }
    }
  }
}

On the `paths` block: something like this possible? If this is possible, how do I make it dynamic? Assume a new issuing CA is created; I want to generate a leaf certificate from that, and I don't want to reconfigure and restart the server.
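The hierarchy the question describes (one root, several intermediates, each intermediate issuing short-lived leaf certificates for its own customer) can be exercised end to end with Go's standard `crypto/x509` package, independent of how CFSSL is configured. The following is an added example written for this page; it is not CFSSL code and does not use CFSSL's API. The helper names (`NewRootCA`, `NewIntermediateCA`, `IssueLeaf`, `VerifyChain`, `caPair`) and the CA names are assumptions for the example. It reproduces the constraints from the config above (`is_ca` on the intermediates, `server auth`/`client auth` on leaves, a 50h leaf expiry) and adds `pathLenConstraint=0` on each intermediate, so an intermediate cannot mint further CAs, which is the property a defender wants when separate customers get separate issuing CAs. The verification step also shows that a leaf from customer 1's CA does not chain through customer 2's CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caPair bundles a CA certificate with its private key (hypothetical helper type).
type caPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// serial returns a random 128-bit serial, avoiding predictable serial numbers.
func serial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return s
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewRootCA creates a self-signed root restricted to signing certificates and CRLs.
func NewRootCA(name string) *caPair {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return &caPair{cert: sign(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// NewIntermediateCA issues a CA certificate signed by parent with pathlen 0,
// so the intermediate may issue leaves but not further CAs (8760h, as in the config).
func NewIntermediateCA(parent *caPair, name string) *caPair {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(8760 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
	}
	return &caPair{cert: sign(tmpl, parent.cert, &key.PublicKey, parent.key), key: key}
}

// IssueLeaf issues a 50h server/client certificate for dnsName from an intermediate.
func IssueLeaf(issuer *caPair, dnsName string) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(50 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	return sign(tmpl, issuer.cert, &key.PublicKey, issuer.key)
}

// VerifyChain builds a path from leaf through the supplied intermediates to root.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       dnsName,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root := NewRootCA("Example Root CA")             // constructed names
	cust1 := NewIntermediateCA(root, "Customer1 CA") // constructed names
	cust2 := NewIntermediateCA(root, "Customer2 CA")
	leaf := IssueLeaf(cust1, "svc.customer1.example")
	fmt.Println("via customer1 CA:", VerifyChain(leaf, []*x509.Certificate{cust1.cert}, root.cert, "svc.customer1.example"))
	fmt.Println("via customer2 CA:", VerifyChain(leaf, []*x509.Certificate{cust2.cert}, root.cert, "svc.customer1.example"))
}
```

The second `VerifyChain` call fails because customer 2's intermediate did not sign the leaf and no path to the root exists through it; the pathlen constraint additionally makes any CA certificate issued under an intermediate unusable for chain building.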
