In the Search Guard documentation for the online certificate generator, there is a section which describes signing node and client certificates with an intermediate CA, reasoning that if a data breach occurs, it is simple to revoke an intermediate CA certificate instead of revoking and regenerating the root CA certificate, and effectively the entire chain of trust.
When using the offline TLS generator, I’m trying to simulate revoking an intermediate certificate by deleting all certificates and keys in the output directory except for the root certificate and key. My assumption is that if I were to use the configuration YAML I originally used to create the certificates, it would recognize the existence of root certificate and key already, and proceed to creating a new intermediate CA certificate and key and then all the required node and client certificates and keys.
When I run sgtlstool.sh in this scenario, it outputs the error "out/my-test-ca.key does already exist."
Why is this the case? Shouldn’t sgtlstool.sh create a new intermediate CA because the root CA already exists?
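The rotation the question is trying to simulate (keep the root CA key and certificate, discard the intermediate and everything under it, then issue a new intermediate and new node certificates) can be modelled with plain openssl. The script below is an added example, not code from Search Guard or from the sgtlstool; it does not explain why sgtlstool.sh refuses to run with an existing root key. Its directory, subject names and hostnames are made up, and it assumes openssl 1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example: rotate an intermediate CA under an unchanged root CA using openssl.
# Everything here (paths, CNs, validity periods) is illustrative, not from Search Guard.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create the root CA once; it is never regenerated afterwards.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.pem" 2>/dev/null
}

# Issue (or re-issue) an intermediate CA signed by the existing root key.
# $1 is a generation number so old and new intermediates are distinguishable.
make_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA $1" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null
}

# Issue a node certificate under whichever intermediate currently exists.
make_node() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=node-1.example" \
    -keyout "$WORK/node-1.key" -out "$WORK/node-1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:node-1.example\n' > "$WORK/node.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/node-1.csr" \
    -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -extfile "$WORK/node.ext" -out "$WORK/node-1.pem" 2>/dev/null
}

# Verify the node certificate against the root through the intermediate given as $1.
# Prints "ok" or "fail" so the result can be checked rather than just read.
verify_node() {
  if openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$1" \
       "$WORK/node-1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Full rotation: build a chain, "revoke" the intermediate by deleting it and
# everything below it, rebuild under the same root, then check both chains.
rotate_demo() {
  make_root
  make_intermediate 1
  make_node
  cp "$WORK/intermediate.pem" "$WORK/intermediate-old.pem"
  # Keep only the root key and certificate, as the question describes.
  rm -f "$WORK/intermediate.key" "$WORK/intermediate.pem" \
        "$WORK/node-1.key" "$WORK/node-1.pem"
  make_intermediate 2
  make_node
  # The new node cert validates through the new intermediate only; a client
  # still holding the old intermediate cannot build a chain to the root with it.
  echo "new-chain=$(verify_node "$WORK/intermediate.pem") old-chain=$(verify_node "$WORK/intermediate-old.pem")"
}

case "${1:-}" in
  run) rotate_demo ;;
esac
```

Run it as `sh rotate.sh run`; it prints `new-chain=ok old-chain=fail`. The point to take from it is that the root key never has to leave its directory for the intermediate to be replaced, which is the property the Search Guard documentation is relying on when it recommends an intermediate CA.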