[CLUE-Tech] signing CA private key with another CA?

David Anselmi anselmi at americanisp.net
Sat Aug 30 16:10:16 MDT 2003


I don't think private keys get signed.  When you sign a public key, the 
result is a certificate.  Seems that you already know how to do that.

There isn't any point to signing a private key.  You have one, it is 
only ever used by you.  If anyone else gets it, it is no good.

OTOH, public keys are signed to form a certificate as a way to connect 
an identity (like your server name) to the public key.

All you should need to do is issue a certificate for the new CA signed 
by the old CA.  Then use the new CA to issue certificates for other 
things.  Browsers et al. will follow the chain of signatures to the top 
(the old CA) and all will be well.

It seems to be a good idea to use your root CA certificate to sign only 
other CA certificates (that are used to sign user/server certs).  It's 
been a while since I looked at the PKI details to remember all the reasons.

Dave
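The procedure Dave describes (root CA signs a certificate for a second CA; that CA signs the server certs; verifiers walk the chain back to the root), as an added example that is not part of the original post. It is a plain OpenSSL shell script; the CA names, hostname, key sizes, lifetimes and the use of a temporary directory are all assumptions. It also shows the one detail the post leaves implicit: the certificate issued to the new CA must carry basicConstraints CA:TRUE and keyCertSign, or verifiers will refuse to accept anything it signs, and the root can set pathlen to limit how deep the chain may go.

```shell
#!/bin/sh
# Added example, not the list post's own commands. Builds a two-tier PKI:
#   root CA (self-signed)  ->  issuing CA (cert signed by root)  ->  server cert
# Assumes: openssl in PATH, mktemp -d available. All paths are hypothetical.
set -e

build_chain() {
  dir=$(mktemp -d)

  # 1. Root CA: self-signed. pathlen:1 means it may sit above at most one
  #    further CA, so a leaked issuing-CA key cannot mint sub-CAs below it.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/root.key" -out "$dir/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -sha256 \
    -extfile "$dir/root.ext" -out "$dir/root.crt" >/dev/null 2>&1

  # 2. Issuing CA: only its PUBLIC key (inside the CSR) goes to the root;
  #    the private key never leaves inter.key. The root signs it as a CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" -subj "/CN=Example Issuing CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/inter.ext"
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/inter.ext" -out "$dir/inter.crt" >/dev/null 2>&1

  # 3. Server cert: signed by the issuing CA, explicitly CA:FALSE, so it
  #    cannot itself be used to sign further certificates.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1

  echo "$dir"
}

# Verify the way a browser does: trust only the root; the issuing CA cert is
# supplied as an untrusted link that must chain back to that root.
# Prints OK or FAIL.
verify_chain() {
  if openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Negative check: with the issuing CA cert missing the chain is broken, the
# verifier cannot reach the root, and the server cert must be rejected.
verify_without_intermediate() {
  if openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Run stand-alone: build the chain and show both verification results.
chain_dir=$(build_chain)
echo "server.crt with issuing CA cert:    $(verify_chain "$chain_dir")"
echo "server.crt without issuing CA cert: $(verify_without_intermediate "$chain_dir")"
```

The second check is the practical reason servers are configured to send the issuing CA's certificate alongside their own: a client that has only the root in its trust store cannot complete the chain otherwise. The root key is used exactly once here, to sign inter.crt, and can then be taken offline; everyday issuance happens with inter.key.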