certtool doesn't generate a proper certificate request for a CA.

$ certtool --generate-privkey > cacert.key

Here is a template file:

$ cat ca.info
cn = Test CA
ca
cert_signing_key

If you generate a self-signed certificate, it works as expected and creates proper x509 extensions:

$ certtool --generate-self-signed --load-privkey cacert.key --template ca.info --outfile cacert.pem
X.509 Extensions:
    Basic Constraints: (critical)
        CA:TRUE
    Key usage: (critical)
        Certificate signing.

But if you create a request for an upstream CA to create an intermediate CA, these extensions are not requested:

$ certtool --generate-request --load-privkey cacert.key --template ca.info --outfile cacert.req
$ openssl req -in cacert.req -text -noout|grep CA:

Unfortunately, the GNUTLS library is missing support for adding extensions to certificate requests. That also means certtool cannot support them. Please use the 'openssl req' tool to create intermediate CA cert requests.

You can also report this feature request on the upstream bug tracker:
https://savannah.gnu.org/support/?group=gnutls
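
The 'openssl req' route suggested above, as an added example that is not part of the original report or reply: it builds a request for the "Test CA" subject that asks for the same two extensions as ca.info, then checks the request for them. The file name ca-req.cnf, the section names, the function names and the throwaway 2048-bit key are assumptions made so the script runs on its own.

```shell
#!/bin/sh
# Added example: request CA extensions in a CSR with 'openssl req'.
# ca-req.cnf, the section names and both function names are assumptions.

make_ca_request() {
    # $1 = directory that receives cacert.key, ca-req.cnf and cacert.req
    dir=$1
    cat > "$dir/ca-req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_ca_req

[ dn ]
CN = Test CA

[ v3_ca_req ]
# Same intent as "ca" and "cert_signing_key" in the certtool template
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign
EOF
    # Throwaway key so the example is self-contained
    openssl genrsa -out "$dir/cacert.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/cacert.key" \
        -config "$dir/ca-req.cnf" -out "$dir/cacert.req"
}

request_asks_for_ca() {
    # $1 = CSR file; succeeds only if both extensions are requested
    text=$(openssl req -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

workdir=$(mktemp -d)
if make_ca_request "$workdir" && request_asks_for_ca "$workdir/cacert.req"; then
    echo "cacert.req requests CA:TRUE and certificate signing"
else
    echo "cacert.req is missing the CA extensions" >&2
fi
```

A request only asks for these extensions; the issuing CA decides whether they appear in the signed certificate, so inspect the issued intermediate certificate as well.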