14

I work at a government organization. We would like to become an Intermediate CA so that we can provide SSL certificates to our branch organizations. We must be able to do code signing, green address bar etc. I heard that we can be an intermediate CA provided that we prove our identity because we are a governmental organization. Whom do I contact for an inquiry? And what documents do I need to provide in order to be an Intermediate CA?

Thanks in advance.

babuuz
  • If your end users are your branch organizations, then you can install your CA cert on their machines. If you want to create certificates "for your branch organizations" to serve to the rest of the world, then you need to sign up with a CA. – ndrix Jun 25 '14 at 04:58
  • What country? Different countries will have different programs to participate in a government CA infrastructure. – PwdRsch Jun 25 '14 at 15:34
  • @PwdRsch Mongolia – babuuz Jun 26 '14 at 09:49
  • @m1ke How to sign up with a world-known CA? It is in Mongolia. – babuuz Jul 08 '14 at 05:24

2 Answers

8

To become an intermediate CA you must find a CA who is willing to deal with you. But, it is not possible to restrict the domains an intermediate CA can deal with, so any intermediate CA is as trusted as the CA who signed it and can issue any certificates it wants. Therefore you will probably not find any CA which will sell you the intermediate CA you want.

See also https://serverfault.com/questions/605643/getting-an-intermediate-ssl-certificate for a similar question.

Steffen Ullrich
  • Name constraints would be easily done, no? – StackExchange User Sep 13 '14 at 01:40
  • @IanCarroll: support for name constraints has to be put into any client (browser, libraries...) which deals with certificates. Given the variety of clients and the amount of no longer supported clients (like IE6) this is definitely not easily done. – Steffen Ullrich Sep 13 '14 at 02:06
  • There are CAs who will do this (at least there were 15 years ago when I researched the matter) - however they will expect **massive** payment and extensive auditing of your service before they will grant you a certificate-signing certificate. OTOH a wildcard certificate can be had for around $500(US)/annum (then you need to funnel the traffic through a managed POP) – symcbean Dec 27 '16 at 23:45
  • @symcbean "tunnel" you mean? – Madhuchhanda Mandal Sep 18 '19 at 17:02
  • 1
    no, I still mean funnel. – symcbean Sep 18 '19 at 17:20
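The comment exchange above turns on whether an intermediate can be technically bounded at all. As an added illustration that is not part of the thread, the model below shows how a path validator applies X.509 name constraints (RFC 5280 section 4.2.1.10) to dNSName SANs, and why a path with no constraints accepts any name, which is the answer's point about an unconstrained intermediate being as trusted as its signer. All CA and domain names are constructed.

```python
"""Added model (not from the thread) of how a path validator applies X.509
name constraints (RFC 5280 section 4.2.1.10) to dNSName SANs.  Certificates are
reduced to the fields that matter here; every CA and domain name is constructed."""
from dataclasses import dataclass, field


@dataclass
class CaCert:
    subject: str
    permitted: list = field(default_factory=list)  # permittedSubtrees, dNSName form
    excluded: list = field(default_factory=list)   # excludedSubtrees, dNSName form


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 rule: a dNSName is in a subtree when it equals the subtree or
    ends with '.' + subtree, so matching happens on label boundaries only."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def leaf_accepted(path: list, leaf_san: str) -> bool:
    """path = CA certificates below the trust anchor, root side first.
    Constraints accumulate: the name must be excluded by no CA and permitted by
    every CA that states permittedSubtrees.  A path with no constraints at all
    accepts any name: an unconstrained intermediate can issue for any domain."""
    for ca in path:
        if any(dns_in_subtree(leaf_san, s) for s in ca.excluded):
            return False
        if ca.permitted and not any(dns_in_subtree(leaf_san, s) for s in ca.permitted):
            return False
    return True


# Constructed certificates for the two situations discussed in the thread.
UNCONSTRAINED_ICA = CaCert("Example Gov Intermediate CA (no constraints)")
CONSTRAINED_ICA = CaCert("Example Gov Intermediate CA (constrained)",
                         permitted=["gov.example"],
                         excluded=["internal.gov.example"])
BRANCH_CA = CaCert("Example Branch CA", permitted=["branch1.gov.example"])

if __name__ == "__main__":
    for path, san in [([UNCONSTRAINED_ICA], "login.somebank.example"),
                      ([CONSTRAINED_ICA], "www.gov.example"),
                      ([CONSTRAINED_ICA], "notgov.example"),
                      ([CONSTRAINED_ICA, BRANCH_CA], "www.branch2.gov.example")]:
        verdict = "accepted" if leaf_accepted(path, san) else "rejected"
        print(f"{san:28} via {len(path)} CA(s): {verdict}")
```

Note that, as the comment says, a constraint only helps where every relying client actually enforces it; the model assumes an enforcing validator.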
0

This depends greatly upon which "government organization" you work for. Most of the answers here are assuming a commercial SSL. Some government organizations allow that, but most require a .gov or .mil domain. So those will not work. Each government organization has its own regulations. Typically, your parent organization will need to authorize you to have an Intermediate CA and may be the one to issue it to you. Perhaps ask the people who issue your normal SSL certificates. They probably don't know nor have any useful answers, but they may be able to direct you to who does. This may involve several people and getting approval from relatively high ranking people (who may or may not actually understand what you are asking for).

You'll need to have a VERY good explanation of your intended use case and what you will use it for. You may need to produce official policies for your organization to limit what can be done with your Intermediate CA to make them feel more at ease. If they are bound by certain regulations, you may need to find those regulations and determine the exceptions or waivers that are available. Once you determine which one may apply to you, you may have to explain it to them. If they do not understand, be patient and polite, and keep asking. You may be able to speed things along by getting someone in authority over them to authorize it (this takes the responsibility off their shoulders, and may allow them to not care as much). You take the risk of pissing them off if you "go over their head" though. So, ask them about it first (something like, "If I asked your 'supervisory organization here' to authorize it, would you be more comfortable?").

Oftentimes this is a very long battle and an improbable task (not impossible, but may be highly improbable depending on your organization). This is especially true in Department of Defense (or military) organizational structures.

There may be better routes to achieve the same thing. You could request a wildcard certificate and then make the branches sub-domains. However, sometimes getting a wildcard certificate is just as improbable. I would start with whomever you get your normal SSL certificates from and work your way up.

J Roysdon
  • Q was for Mongolia and .gov and .mil are US-only for historical reasons -- but there's certainly no problem or difficulty getting 'commercial' (at least civilian) certs for the visible parts of those TLDs. E.g. treasury.gov and whitehouse.gov both use Digicert, and nsa.gov uses a LetsEncrypt(!) cert whose SAN includes several .mil sites. I'm pretty sure sites on DoD's _secure_ network (SIPR) must use government CAs, but that's only a fraction of the total. – dave_thompson_085 May 05 '21 at 04:10
  • Sure, it really depends on the use case. If it's a public facing web site then it makes sense to use a publicly available CA that's included by default in browsers and devices. nsa.gov uses LetsEncrypt... hmm... maybe because they created it? And have backdoor access? Hmm... endless speculation. – J Roysdon May 20 '21 at 20:52