Signing certificate with another certificate signed by CA

Backend · Open · 2 · 2425
一整个雨季 2021-02-20 11:46

Is it possible to sign a new certificate using a certificate signed by a CA as the CA for other certificates and still have them validated by the root CA?

Example:

2 answers
  •  忘掉有多难
    2021-02-20 12:44

    Why is it not possible to do this?

    mti2935 had a good answer. To summarize, it breaks the trust model under most circumstances.


    I tried using this new cert for a service and the browser complains that the certificate lacks CA chain.

    Install the signing certificate in the "Trusted Certificate" store.


    Basically I want to use one certificate that is signed for the domain and create new certificates for subdomains using domain certificate as CA for the subdomains.

    Will there be a unique certificate for each subdomain, or will there be one certificate with all subdomains listed in the Subject Alternative Name?

    The former is doable - you just buy a new certificate for each subdomain. The latter is a little more difficult, but not impossible.

    To do the latter, you typically use a subordinate root or intermediate that allows you to mint end-entity certificates as you need them. If you are running your own private PKI, then you can do it. In the private PKI case, you tell your users to install your trust anchor (or "CA root") in their "Trusted Certificate" store.

    If you want to avoid browser warnings and the like without requiring a user to install your trusted root, then you need to get in touch with folks like Trustwave. They have sold these types of certificates in the past. More correctly, they put the private key in hardware so the appliance could be sold for a higher price and the private key could not be copied. See, for example, Trustwave admits issuing man-in-the-middle digital certificate.


    How is this process designed to work?

    It depends on the use case. PKI is PKI and any introductory book will lay out the concepts. But a private PKI has a different model than the browsers because they are different use cases.
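The following is an added example, not part of the question or answer above, that reproduces both outcomes discussed: a subdomain certificate issued with the key of an ordinary CA-signed domain certificate, and the same subdomain certificate issued by a proper subordinate (intermediate) CA. It uses only the Go standard library's crypto/x509 path validation, which applies the RFC 5280 rule that an issuer's basicConstraints must say cA=TRUE (RFC 5280 additionally requires the keyCertSign key usage, which this code sets on the CA templates). All names (Example Root CA, example.com, www.example.com) are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a minimal X.509 template. CA templates get
// basicConstraints cA=TRUE and keyUsage keyCertSign; end-entity templates get
// cA=FALSE, digitalSignature and a SAN for the host name (constructed names).
func certTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit the basicConstraints extension
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with the issuer's key (self-signed when issuer is nil) and
// returns the parsed certificate plus the new subject key. CreateCertificate,
// like openssl, does not refuse a non-CA issuer: the signature is produced,
// and it is path validation on the relying side that rejects the result.
func issue(tmpl, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if issuer == nil {
		issuer = tmpl // self-signed trust anchor
	} else {
		signer = issuerKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify runs path validation the way a browser would: the end-entity
// certificate, the untrusted certificates sent alongside it, and the anchor.
func verify(leaf *x509.Certificate, sent []*x509.Certificate, anchor *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

// Scenarios builds both chains and returns each validation result: first the
// subdomain certificate issued by the domain's end-entity certificate
// (rejected), then the same subdomain issued by a subordinate CA (accepted).
// setupErr is non-nil only if certificate generation itself failed.
func Scenarios() (leafIssuedErr, caIssuedErr, setupErr error) {
	root, rootKey, err := issue(certTemplate("Example Root CA", true, 1), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	// The CA-signed domain certificate from the question: cA=FALSE.
	domain, domainKey, err := issue(certTemplate("example.com", false, 2), root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	sub1, _, err := issue(certTemplate("www.example.com", false, 3), domain, domainKey)
	if err != nil {
		return nil, nil, err
	}
	leafIssuedErr = verify(sub1, []*x509.Certificate{domain}, root, "www.example.com")

	// A subordinate CA: cA=TRUE, limited to issuing end-entity certificates.
	interTmpl := certTemplate("Example Issuing CA", true, 4)
	interTmpl.MaxPathLen, interTmpl.MaxPathLenZero = 0, true
	inter, interKey, err := issue(interTmpl, root, rootKey)
	if err != nil {
		return leafIssuedErr, nil, err
	}
	sub2, _, err := issue(certTemplate("www.example.com", false, 5), inter, interKey)
	if err != nil {
		return leafIssuedErr, nil, err
	}
	caIssuedErr = verify(sub2, []*x509.Certificate{inter}, root, "www.example.com")
	return leafIssuedErr, caIssuedErr, nil
}

func main() {
	bad, good, setup := Scenarios()
	fmt.Println("setup error:", setup)
	fmt.Println("issued by end-entity certificate:", bad)
	fmt.Println("issued by subordinate CA:", good)
}
```

Running it shows the first chain rejected by the validator because the candidate issuer is not a CA (the same failure the browser reports as a broken chain), while the second chain validates back to the root, which is what the subordinate-CA arrangement described in the answer provides.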
