ssl – Can I Be My Own Trusted CA via a Signed Intermediate Certificate?

Tags: certificate, ssl, x509

Can I get a certificate from a root CA that I can then use to sign my own web server certificates? I would, if possible, use a signed certificate as an intermediate to sign other certs.

I know that I would have to configure my systems in a certain way with "my" intermediate certificate in order to supply information about the chain of trust to my clients.

Is this possible? Are root CAs willing to sign a certificate like this? Is it expensive?

BACKGROUND

I'm familiar with the basics of SSL as it pertains to securing web traffic over HTTP. I also have a basic understanding of the way the chain of trust works, in that web traffic is secured "by default" if you encrypt with a certificate that has a valid chain all the way back to a root CA, as determined by the browser/OS vendor.

I am also aware that many of the root CAs have begun signing certificates for end users (like me) with intermediate certificates. That may require a bit more setup on my end, but otherwise, those certificates will work fine. I guess this has to do with protecting their all-valuable private key for the CA and the disaster that it would be if it were ever compromised.

EXAMPLES

  1. https://www.microsoft.com
  2. https://www.sun.com
  3. https://ecomm.dell.com/myaccount/ga/login.aspx?c=us&cs=19&l=en&s=dhs

Now, we are definitely not the size of any of those organizations, but they seem to be doing something like this. It would definitely make the management of these certificates a lot more palatable, especially considering one way we are expanding the reach of our e-commerce platform.
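The chain-of-trust mechanics the question describes can be tried out locally. The script below is an added example, not code from the original post or its answer: it builds a private two-tier PKI with `openssl` (a self-signed root, an intermediate constrained with `CA:TRUE, pathlen:0`, and a server certificate issued by that intermediate), then shows that an ordinary end-entity certificate (`CA:FALSE`, no `keyCertSign`) cannot stand in as an intermediate even if you use its private key to sign another CSR. All names (`Example Private Root`, `www.example.test`, `shop.example.test`, `rogue.example.test`) are made up for illustration, and the root is only trusted here because we pass it explicitly with `-CAfile`; no public browser or OS would trust it.

```shell
#!/bin/sh
# Added example (not from the original post): a private root -> intermediate
# -> leaf PKI built with openssl, plus a negative case showing that a CA:FALSE
# server certificate cannot act as an issuer. All names are hypothetical.
set -eu

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
# Each v3_* section is the extension set used for one kind of certificate.
write_config() { # path
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

new_key() { # out.key
  openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null
}

# Self-signed root CA certificate.
make_root() { # dir
  new_key "$1/root.key"
  openssl req -x509 -new -key "$1/root.key" -config "$1/openssl.cnf" \
    -extensions v3_root -subj "/CN=Example Private Root" -days 3650 \
    -out "$1/root.pem" 2>/dev/null
}

# Key pair plus CSR for a given name.
csr() { # dir name cn
  new_key "$1/$2.key"
  openssl req -new -key "$1/$2.key" -config "$1/openssl.cnf" \
    -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null
}

# Sign a CSR with <issuer>.pem/<issuer>.key, applying one extension section.
# Note that `openssl x509 -req` does not check whether the issuer is a CA;
# that check happens at verification time, which is the point of the demo.
issue() { # dir csr issuer section out_name
  openssl x509 -req -in "$2" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
    -days 365 -extfile "$1/openssl.cnf" -extensions "$4" \
    -out "$1/$5.pem" 2>/dev/null
}

build_pki() { # dir
  mkdir -p "$1"
  write_config "$1/openssl.cnf"
  make_root "$1"
  # Proper chain: root -> intermediate (CA:TRUE, pathlen:0) -> www leaf.
  csr "$1" intermediate "Example Intermediate CA"
  issue "$1" "$1/intermediate.csr" root v3_intermediate intermediate
  csr "$1" www "www.example.test"
  issue "$1" "$1/www.csr" intermediate v3_server www
  # A plain server certificate issued by the root (what a purchased cert looks like)...
  csr "$1" shop "shop.example.test"
  issue "$1" "$1/shop.csr" root v3_server shop
  # ...whose key is then used to sign someone else's CSR.
  csr "$1" rogue "rogue.example.test"
  issue "$1" "$1/rogue.csr" shop v3_server rogue
}

# Returns 0: www.pem validates through intermediate.pem back to the private root.
# The intermediate is supplied as an untrusted chain cert, exactly as a web
# server would send it alongside the leaf.
verify_leaf_via_intermediate() { # dir
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    "$1/www.pem" >/dev/null 2>&1
}

# Returns 0 when rogue.pem is correctly REJECTED: shop.pem carries CA:FALSE and
# lacks keyCertSign, so a path through it is not a valid chain.
verify_leaf_via_end_entity_rejected() { # dir
  ! openssl verify -CAfile "$1/root.pem" -untrusted "$1/shop.pem" \
    "$1/rogue.pem" >/dev/null 2>&1
}

# Direct use: sh pki-demo.sh /tmp/demo-pki
if [ $# -gt 0 ]; then
  build_pki "$1"
  verify_leaf_via_intermediate "$1" && echo "www.pem: chains to root via intermediate (OK)"
  verify_leaf_via_end_entity_rejected "$1" && echo "rogue.pem: rejected, issuer is CA:FALSE (as expected)"
fi
```

The `pathlen:0` on the intermediate is the constraint a real CA would put on any subordinate it issued to a customer: the intermediate may sign end-entity certificates but not further CAs. The negative case is why the question's idea of using a normally purchased server certificate as a signer does not work: clients check the issuer's `basicConstraints` and `keyUsage`, not just the signature.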

Best Answer

Your question reads to me and to others as "How do I issue certificates to entities inside and outside of my organization that are trusted by arbitrary internet users?"

If that is your question, then the answer is "You don't." If it isn't, please clarify.

I also recommend reading "Windows Server 2008 PKI and Certificate Security by Brian Komar" and consider all of the various PKI scenarios for your applications. You don't need to use Microsoft's CA to get something out of the book.
