Reputation: 1084
Now I have an X509 leaf certificate. From the certification path, I can see there's an intermediate cert and a root cert in it.
I want to generate the intermediate cert (..CA- G3) and the root cert (VeriSign). Currently, my way is to double-click the intermediate one and then click "Copy to file.." to export it, and do the same for the root one too. Is this the correct way to generate intermediate/root certs?
From my test result, it seems the generated root cert has the wrong fingerprint. The fingerprint doesn't match the one on the server side.
Can anyone help with how to generate intermediate/root certs correctly?
Upvotes: 1
Views: 6629
Reputation: 1084
[Supplying the answer... maybe this is an alternative approach to get all the certs that the SSL server is using]
To retrieve the intermediate and root certs with an OpenSSL command:
openssl s_client -showcerts -connect [host]:[port]
Upvotes: 0
Reputation: 46040
You have a fundamental misunderstanding of certificates and certificate chains.
CA and Root certificates are searched for and found, not generated.
Some certificates include the location of their CA certificate in the body of the certificate (in a special certificate extension). For others you need to look in your CA certificate storage (this is what Windows does). Sometimes chains are sent together with the end-entity certificate (depending on the data format). Finally, sometimes the CA and Root are just not available.
Upvotes: 3
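Added example, not part of the original thread: a Python sketch that reads the output of `openssl s_client -showcerts`, lists the certificates the server actually sent, computes each fingerprint over the DER bytes (a fingerprint is a hash of the DER encoding, so a Base64/PEM export has to be decoded first), and names the issuer that was not sent and must be found in the local CA store. The function names and the sample are constructed for illustration; the sample uses placeholder bytes in place of real certificates and assumes the usual "N s:" / "i:" lines followed by a PEM block.

```python
import base64
import hashlib
import re

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Fingerprint = hash of the DER bytes, as colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# One chain entry: "N s:<subject>", "i:<issuer>", optional extra lines, PEM block.
ENTRY = re.compile(
    r"^ *(?P<depth>\d+) s:(?P<subject>.*)\n\s+i:(?P<issuer>.*)\n(?:.*\n)*?"
    r"-----BEGIN CERTIFICATE-----\n(?P<b64>[\s\S]*?)-----END CERTIFICATE-----",
    re.M)

def parse_showcerts(text: str) -> list:
    """Return the certificates the server sent, in the order it sent them."""
    chain = []
    for m in ENTRY.finditer(text):
        der = base64.b64decode(m["b64"])  # PEM body -> DER before hashing
        chain.append({"depth": int(m["depth"]), "subject": m["subject"].strip(),
                      "issuer": m["issuer"].strip(), "sha1": fingerprint(der),
                      "sha256": fingerprint(der, "sha256")})
    return chain

def missing_issuer(chain: list):
    """Issuer the server did not send (look it up in the local CA store), or None.
    Subject == issuer is only a name-based heuristic for a self-signed root."""
    last = chain[-1]
    return None if last["subject"] == last["issuer"] else last["issuer"]

def pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample: placeholder bytes stand in for real DER certificates.
LEAF_DER = b"constructed placeholder bytes, not a real certificate (leaf)"
INTER_DER = b"constructed placeholder bytes, not a real certificate (intermediate)"
SAMPLE = ("CONNECTED(00000003)\n---\nCertificate chain\n"
          " 0 s:CN = www.example.test\n   i:CN = Example Intermediate CA\n"
          + pem(LEAF_DER) +
          " 1 s:CN = Example Intermediate CA\n   i:CN = Example Root CA\n"
          + pem(INTER_DER) + "---\nServer certificate\n")

if __name__ == "__main__":
    for cert in parse_showcerts(SAMPLE):
        print(cert["depth"], cert["subject"], "SHA1:", cert["sha1"])
    print("not sent, find locally:", missing_issuer(parse_showcerts(SAMPLE)))
```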