Question

I'm setting up a MITM test environment on Android and I need to forge fake certificates that are then presented to the applications. In order to achieve that, I need my CA to be among Android's trusted ones, which means that I have to manually install my CA's certificate.

And I would like to avoid this particular step.

I was thinking of getting a proper (= bought) certificate, issued by GoDaddy or GeoTrust, which are both trusted by Android. But then I would have to use this certificate as an intermediate CA for the forged fake ones.

Is it possible? Are there any logical/practical restrictions I haven't taken into account?


Solution

This depends on the extensions set in the certificate and on whether the software correctly checks them. For example, the Certificate Key Usage extension specifies whether the key may be used to sign other certificates. And the Certificate Basic Constraints extension specifies whether the subject may act as a certification authority and how many levels of certificates may be below it.

A normal SSL certificate should not have the necessary extensions to act as a CA certificate. This means your approach would most likely not work.
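The following Go program is an added illustration of the answer's point and is not part of the original post. It builds, in memory, the three certificates the question describes (a trusted root, a normal server certificate issued by it with CA:FALSE and no keyCertSign, and a certificate signed with that server certificate's key), then shows what a verifier that checks Basic Constraints and Key Usage does with each. Go's standard `crypto/x509` path validation is used as the "correctly checking" client; all names (`proxy.example`, `app-backend.example`, `Example Trusted Root`) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MayActAsCA is the check a careful verifier applies to every issuer in a chain:
// Basic Constraints must say CA:TRUE and Key Usage must include keyCertSign.
func MayActAsCA(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}

// Scenario: a trusted root, a server cert bought from it, a cert signed with the server key.
type Scenario struct {
	Root, Server, Forged *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl for pub with parent's key. Note that x509.CreateCertificate does
// not refuse a non-CA parent; only path validation does, which is the point here.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario constructs the certificates (all names are made up for the example).
func BuildScenario() Scenario {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootKey, serverKey, forgedKey := newKey(), newKey(), newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted Root"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// A normal end-entity certificate as a public CA issues it: CA:FALSE, no keyCertSign.
	serverTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "proxy.example"},
		DNSNames:              []string{"proxy.example"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server := sign(serverTmpl, root, &serverKey.PublicKey, rootKey)
	// The certificate the question wants to present to apps, signed with the server key.
	forgedTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "app-backend.example"},
		DNSNames:     []string{"app-backend.example"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	forged := sign(forgedTmpl, server, &forgedKey.PublicKey, serverKey)
	return Scenario{Root: root, Server: server, Forged: forged}
}

// VerifyAgainstRoot runs standard path validation with the root trusted and the
// server certificate offered as an intermediate, as a TLS client would see it.
func VerifyAgainstRoot(s Scenario, leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Server)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	s := BuildScenario()
	fmt.Println("root may act as CA:  ", MayActAsCA(s.Root))
	fmt.Println("server may act as CA:", MayActAsCA(s.Server))
	fmt.Println("bought cert verifies:", VerifyAgainstRoot(s, s.Server, "proxy.example"))
	fmt.Println("forged cert verifies:", VerifyAgainstRoot(s, s.Forged, "app-backend.example"))
}
```

Running it prints `true` for the root, `false` for the server certificate, `<nil>` for the bought certificate's own chain, and an "unknown authority" error for the certificate signed by the server key, because the verifier refuses to treat a CA:FALSE certificate as an issuer. A client that skipped the Basic Constraints and Key Usage checks would accept the same chain, which is the "if the software correctly checks them" condition in the answer.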

Licensed under: CC-BY-SA with attribution