We're trying to set up OpenDirectory. It seems to want to create its own CA, and then an intermediate CA with a certificate signed by its own CA. I'd prefer to generate an intermediate CA certificate from our existing internal CA and have it use that instead. This would have several benefits (existing CA cert is already distributed to machines, so no need to click to trust new certs when joining client to OD, for starters).
However, I can't find any config for this certificate, nor any reference to any other way of doing it.
Is this a reasonable thing to try to do, and if so how do I do it?
Since I see nobody has answered this question... it seems that yes, this is a reasonable thing to do, and so long as you match the fields used in the automatically-generated certificate, it works. It's been a long time since I fixed this now, so I can't remember all the details. The one thing I do remember is that at that time, OpenDirectory would refuse to work with a certificate that had a 128-bit serial number. OS X Server 5.0 is the first version in which this is apparently likely fixed.
I have an OpenSSL config that works for this purpose, which I will try to sanitize to the point that it can be posted here if there is demand.
Red Kestrel's certificate decoder (at https://certlogik.com/decoder/ - other useful stuff at http://redkestrel.co.uk) was extremely helpful in working out what the actual config required might be, and in identifying the problem with the serial field.
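A worked version of the approach in this answer, added here as an example and not the poster's sanitized config: issue an intermediate CA certificate from an existing internal CA with OpenSSL, force a short serial number with -set_serial instead of the large random one OpenSSL picks by default, and check the serial length and the chain. The subject names are constructed placeholders and the extension set is a generic subordinate-CA profile; as the answer says, the exact fields OD expects must be copied from its auto-generated certificate.

```shell
#!/bin/sh
# Added example (not from the original post): issue an intermediate CA cert
# from an existing internal CA with OpenSSL, forcing a short serial number,
# then verify the serial length and the chain. Subject names are constructed
# placeholders; copy the real field set from OD's auto-generated certificate.
set -eu

# Issue an intermediate CA certificate signed by root.key/root.crt in $1.
# $1 = work dir, $2 = decimal serial to embed (small, not 128-bit)
issue_intermediate() {
  dir="$1"; serial="$2"
  # Constructed root CA standing in for the existing internal CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/O=Example Corp/CN=Example Internal Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Minimal X.509 extension profile for a subordinate CA.
  cat > "$dir/intermediate.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example OD Intermediate CA" \
    -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
  # -set_serial replaces the large random serial OpenSSL would otherwise use.
  openssl x509 -req -days 1825 -sha256 -set_serial "$serial" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -extfile "$dir/intermediate.ext" \
    -in "$dir/intermediate.csr" -out "$dir/intermediate.crt" 2>/dev/null
}

# Print the bit length of a certificate's serial number (hex digits * 4).
serial_bits() {
  hex=$(openssl x509 -noout -serial -in "$1" | sed 's/^serial=//')
  echo $(( ${#hex} * 4 ))
}

# Succeed only if the intermediate chains to the root and the serial is short.
check_intermediate() {
  dir="$1"
  openssl verify -CAfile "$dir/root.crt" "$dir/intermediate.crt" >/dev/null
  [ "$(serial_bits "$dir/intermediate.crt")" -le 64 ]
}
```

Run `serial_bits` against the certificate OD generated for itself to see the difference in serial length before replacing it.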