Support for Intermediate certificates

[Spindel]

We should have support for intermediate certificates.

Currently that can be done by generating an intermediate, and using a different config file for each intermediate. Not very optimal.

Questions to ask:

• Should intermediates have the same key as the root or not?
• Should a client be allowed to request belonging to a certain intermediate via Subject?
• Should we indicate the intermediate in the subject?

Least visible changes would be to say no to the last two, and server-side assign intermediates to the client. A more visible version would be to change the OU to point at the named intermediate.

Suggested functions to add to the admin tools:

• Create intermediate
• Reject intermediate ( should also reject all signed children)
• List intermediate
• Assign CSR to intermediate (for future signing)

This change will require a new table in the database, and adjustment to models.

[Spindel]

Please poke holes here, @delreich @niligulmohar