Can I get a certificate from a root CA that I can then use to sign my own web server certificates? I would, if possible, use a signed certificate as an intermediate to sign other certs.
I know that I would have to configure my systems in a certain way with "my" intermediate certificate in order to supply information about the chain of trust to my clients.
Is this possible? Are root CAs willing to sign a certificate like this? Is it expensive?
BACKGROUND
I'm familiar with the basics of SSL as it pertains to securing web traffic over HTTP. I also have a basic understanding of the way the chain of trust works, in that web traffic is secured "by default" if you encrypt with a certificate that has a valid chain all the way back to a root CA, as determined by the browser/OS vendor.
I am also aware that many of the root CAs have begun signing certificates for end users (like me) with intermediate certificates. That may require a bit more setup on my end, but otherwise, those certificates will work fine. I guess this has to do with protecting their all-valuable private key for the CA and the disaster that it would be if it were ever compromised.
EXAMPLES
- https://www.microsoft.com
- https://www.sun.com
- https://ecomm.dell.com/myaccount/ga/login.aspx?c=us&cs=19&l=en&s=dhs
Now, we are definitely not the size of any of those organizations, but they seem to be doing something like this. It would definitely make the management of these certificates a lot more palatable, especially considering one way we are expanding the reach of our e-commerce platform.
Your question reads to me and to others as "How do I issue certificates to entities inside and outside of my organization that are trusted by arbitrary internet users?"
If that is your question, then the answer is "You don't." If it isn't, please clarify.
I also recommend reading "Windows Server 2008 PKI and Certificate Security by Brian Komar" and consider all of the various PKI scenarios for your applications. You don't need to use Microsoft's CA to get something out of the book.
A quick search shows that such things exist, but the 'contact us for a quote' suggests it won't be cheap:
https://www.globalsign.com/en/certificate-authority-root-signing/
I make no claims about the company, but that page might give you terms to use to find other companies doing the same.
If you could do this, what's going to prevent Joe Malware from issuing a cert for www.microsoft.com and giving you his own "special" brand of updates through a DNS hijack?
FWIW, here's how to get your root certificate included by Microsoft in the OS:
http://technet.microsoft.com/en-us/library/cc751157.aspx
The requirements are pretty steep.
This is basically indistinguishable from becoming a reseller for that root CA, which almost certainly costs a lot of effort and money to become. This is because, as Tim notes, you can make a valid certificate for any domain, which shouldn't be allowed unless you control that domain.
An alternative is RapidSSL's reseller program in which they do all the hard work and issue from their root CA.
Ask yourself these two questions:
If the answer is yes to 1, CAcert has solved your problem for you. If the answer to 2 is yes, look into the list of trusted root certificates shipped with OpenSSL, Firefox, IE and Safari and find one to sign your intermediary certificate.
I think what you'd be better off doing is getting a wildcard certificate from the CA, that way you can use the same certificate on any subdomain of your primary domain, but you can't issue certificates for anything else.
It is possible for a root CA to issue a certificate which makes it possible to issue other certificates, but only under a specific domain. They need to set basicConstraints/CA:true and nameConstraints/permitted;DNS.0=example.com.
Then you are free to run your own CA and issue certificates like test.example.com (but not test.foobar.com) which in turn will be trusted by the public web. I don't know any root CA that provides this service, but it is indeed possible. If anyone stumbles upon such a provider, please let me know.
In addition to the link from Joe H, here is a link that actually works:
https://www.globalsign.com/en/certificate-authority-root-signing/
CA Root Signing is not cheap, but those things exist for larger enterprises.
I know this is an old post, but I was looking long and hard for something almost identical to this. Echoing a few other posts... it is possible... albeit quite expensive and difficult to establish. This article is a bit helpful in the "who does it" and the general "what's involved" ....
https://aboutssl.org/types-of-root-signing-certificates/
As for some extras that I've picked up from some scattered sources... some of the requirements are having "substantial equity" and "insurance"... which I've found to be listed anywhere from $1M to $5M depending on the source. So, needless to say, this is not an option for a small business.
Additionally, I've seen posts stating that it will typically take close to a year to satisfy all the requirements and to jump through all the audit hoops. Furthermore, the ancillary costs involved with the entire process can range from $100k to +$1M depending on general contractor+legal+labor costs as well as how many bouts of audit you go through. So, again, not a venture for a small business.