Archived TD0391: Intermediate certificate requirements
The Test Assurance Activity for FIA_X509_EXT.1.1 states "The evaluator shall create a chain of at least four certificates: the node certificate to be tested, two Intermediate CAs, and the self-signed Root CA." The SFR itself does not require two intermediate CAs, and having multiple intermediate CAs does not provide additional security.
The introductory paragraph for the Test Assurance Activity shall be modified as follows:
The tests described must be performed in conjunction with the other certificate services assurance activities, including each of the functions in FIA_X509_EXT.2.1. The tests for the extendedKeyUsage rules are performed in conjunction with the uses that require those rules. The evaluator shall create a chain of at least three certificates: the node certificate to be tested, an Intermediate CA, and the self-signed Root CA.
There must be at least one intermediate CA because the self-signed root CA should not be issuing certs.
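One way to build the three-certificate chain described above with the OpenSSL command line, as an added example that is not part of the TD or the Protection Profile. The subject names, file names, EC curve, serial numbers, 30-day lifetime and extension values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the TD): Root CA -> Intermediate CA -> node certificate.
# Subject names, file names, curve and lifetimes are constructed for illustration.
set -eu

# gen_cert <dir> <name> <subject> <ext-section> <serial> [issuer-name]
gen_cert() {
    d=$1; name=$2; subj=$3; ext=$4; serial=$5; issuer=${6:-}
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/$name.key" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -key "$d/$name.key" \
        -subj "$subj" -out "$d/$name.csr"
    if [ -z "$issuer" ]; then
        set -- -signkey "$d/$name.key"    # no issuer: self-signed Root CA
    else
        set -- -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key"
    fi
    openssl x509 -req -in "$d/$name.csr" "$@" -set_serial "$serial" -days 30 \
        -sha256 -extfile "$d/ca.cnf" -extensions "$ext" -out "$d/$name.pem" 2>/dev/null
}

build_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[node_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
    gen_cert "$d" root "/CN=Test Root CA" ca_ext 1
    gen_cert "$d" int  "/CN=Test Intermediate CA" ca_ext 2 root
    gen_cert "$d" node "/CN=node.example.test" node_ext 3 int
}

# Path validation with only the root trusted and the intermediate supplied as a helper.
verify_chain() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/node.pem" >/dev/null 2>&1; }
# Same node certificate with the intermediate withheld: no path to the root can be built.
verify_without_intermediate() { openssl verify -CAfile "$1/root.pem" "$1/node.pem" >/dev/null 2>&1; }

work=$(mktemp -d)
build_chain "$work"
verify_chain "$work" && echo "root + intermediate + node: verified"
verify_without_intermediate "$work" || echo "intermediate withheld: rejected"
```

The second check confirms that the node certificate is issued by the intermediate rather than directly by the root, which is the arrangement the note above requires.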