7

I'm playing around with the idea of running a mini-CA with my (hobby) website, likely only used internally with a few select developers for internal emails, client authentication, staging/development server certs etc. I'm reluctant to extend this style of authentication to my more technically minded users as an optional authentication scheme (despite the benefits), simply because it would require users to fully accept my root certificate and thus I could technically MitM their paypal sessions or something. In their shoes, I certainly wouldn't trust examplehobbysite.com as a valid third-party in the validation of the identity of paypal.com (or any other server for that matter), but I could be happy trusting it for client authentication of users on that site (S/MIME and the like, their CN being their site's username or something).

Simply put, is there any way I could create a root certificate that could only be used to issue X.509 certificates to be used for S/MIME, Client Authentication and the like, and not be valid as Server (SSL) Certificates?

M'vy
  • 13,033
  • 3
  • 47
  • 69
TC Fox
  • 535
  • 2
  • 8

3 Answers3

4

In firefox, you can edit the Trust level you give to a certificate. Go to the Advanced options, encryption and in the CA list, click on any certificate and then "Edit Trust".

This gives you some flexibility.

enter image description here

Julien Vehent
  • 181
  • 3
  • 1
    This isn't exactly ideal, but it does go *some* way towards fixing the problem, so long as it's available in every browser. I don't believe this is the case for anything in the Windows trust store (Chrome, IE for example), though could be wrong. Ideally I'd like these constraints to be specified in the root certificate itself though (in such a way that any certificates issued beyond those constraints are automatically invalid). – TC Fox Oct 03 '11 at 00:08
3

I'm attempting the same thing. I am doing a lot of research for this hobby and you'll find a very extensive set of things to think about here:

Checklist on building an Offline Root & Intermediate Certificate Authority (CA)

Simply put, is there any way I could create a root certificate that could only be used to issue X.509 certificates to be used for S/MIME, Client Authentication and the like, and not be valid as Server (SSL) Certificates?

Since you want to limit yourself to the S/MIME and a few other purposes, I'd recommend that you get a definitive list of what those purposes are, get the OIDs and use constrained delegation and set up the Enhanced Key Usage (EKU) as appropriate.

Just know that every time you change your mind and edit or reissue the RootCA you're making CRL OCSP revocation much more complicated due to the multiple root paths the CryptoAPI has to analyze.

Community
  • 1
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
0

Use Your Root-CA as a issuerbase. But let their browsers only trust the intermediates.

dsgfsdf
  • 1