ikectl(8) CERTPATHLEN value
Sometimes you need to repurpose things for some use case that wasn't considered during original setup. Say you've got that cert installed on 20 unmanaged laptops spread around the country/world and a new requirement comes up where an intermediate makes sense (for example, you want to issue device or user certs from another location, but don't want to give it the original CA key) - you'd be very happy not to have the restriction.

It's just a ca. There's nothing specific to iked/ikectl here. If there was something that restricting this further actually helped then maybe it would be worth losing that flexibility, but I'm not seeing it.

-- 
Sent from a phone, apologies for poor formatting.

On 29 January 2025 21:55:00 Lloyd <ng2d68@proton.me> wrote:

> Stuart Henderson wrote:
>
>> What's the benefit? I do see a downside to changing this.
>
> It's more for correctness than anything. I don't see a use case
> where the builtin ikectl CA would issue intermediate certificates
> and issue end-entity certificates at the same level.
>
> For complex two-tier PKI you are installing your own certs into
> iked and not using the builtin CA.