openssl second ca

You can find the default openssl folders and files by looking here: openssl default folder and files

Check out the openssl.cnf file to see the default CA settings:

    ####################################################################
    [ ca ]
    default_ca = CA_default # The default ca section

    ####################################################################
    [ CA_default ]

    dir = ./demoCA # Where everything is kept
    certs = $dir/certs # Where the issued certs are kept
    crl_dir = $dir/crl # Where the issued crl are kept
    database = $dir/index.txt # database index file.

    [output omitted]

We can add the settings for a second CA here. For example:

    ####################################################################
    [ ca ]
    default_ca = CA_default # The default ca section

    ####################################################################
    [ CA_second ]

    dir = ./demoCAsecond # Where everything is kept
    private_key = $dir/private/cakey2.pem # The private key

    ####################################################################
    [ CA_default ]

    dir = ./demoCA # Where everything is kept
    certs = $dir/certs # Where the issued certs are kept
    crl_dir = $dir/crl # Where the issued crl are kept
    database = $dir/index.txt # database index file.

    [output omitted]

I only added dir and private_key, which is enough to demonstrate that we can use a second CA. Save the file, then select the new section with the -name option:

    openssl ca -name CA_second
    Using configuration from /usr/lib/ssl/openssl.cnf
    Could not open file or uri for loading CA private key from ./demoCAsecond/private/cakey2.pem

It gives an error about the cakey2.pem file because I didn't create it yet, but this proves that it uses the configuration for the second CA.
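To take the second CA past that error, the following added example (not from the original page) goes one step further: it fills in the remaining settings that `openssl ca` needs, creates the key with owner-only permissions, and signs a request with `-name CA_second`. It uses a scratch config instead of editing /usr/lib/ssl/openssl.cnf; the names cacert2.pem, policy_any, req_dn, host.example.test and the leaf.* files are assumptions.

```shell
# Added example (not from the original page): a complete CA_second in a scratch dir.
# Assumed names: cacert2.pem, policy_any, req_dn, host.example.test, leaf.* files.
set -eu

setup_second_ca() {
    lab=$1
    mkdir -p "$lab/demoCAsecond/newcerts" "$lab/demoCAsecond/private"
    chmod 700 "$lab/demoCAsecond/private"   # CA key directory: owner only
    : > "$lab/demoCAsecond/index.txt"       # empty certificate database
    echo 01 > "$lab/demoCAsecond/serial"    # first serial number to issue
    cat > "$lab/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default   # not consulted when -name is given

[ CA_second ]
dir           = ./demoCAsecond   # relative: resolved against the current directory
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert2.pem
private_key   = $dir/private/cakey2.pem
default_md    = sha256
default_days  = 30
policy        = policy_any

[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    ( cd "$lab" && umask 077 &&   # key file is created unreadable to others
      openssl req -x509 -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=Second Demo CA" -days 30 \
        -keyout demoCAsecond/private/cakey2.pem \
        -out demoCAsecond/cacert2.pem 2>/dev/null )
}

issue_with_second_ca() {   # signs a fresh CSR and prints the issuer of the result
    ( cd "$1" &&
      openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=host.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null &&
      openssl ca -batch -config openssl.cnf -name CA_second \
        -in leaf.csr -out leaf.pem -notext 2>/dev/null &&
      openssl x509 -in leaf.pem -noout -issuer )
}

lab=$(mktemp -d)
setup_second_ca "$lab"
issue_with_second_ca "$lab"
```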