
I have a task to create a Certificate Authority for company use, preferably using a "valid" (not self-signed) certificate. The goal is to issue individual certificates for subdomains instead of a wildcard, plus sub-subdomains (not covered by a wildcard cert), users, services, etc.

All this may be limited to a single domain only.

As I understand it, I need a valid certificate which has certain capabilities in it, like Key Cert Sign and CRL Sign.

Is that true, and can someone point me to the documentation and an SSL provider who can sell me that kind of certificate?

Thanks.

UPDATE: Thanks for the comments. I may need to rephrase my question then: what is needed to issue publicly valid certificates for services and users? There are some sites issuing user certificates, like this one: https://www.comodo.com/home/email-security/free-email-certificate.php. But I don't want to rely on public and free services for company use and would rather use something constant and reliable.

stimur
  • A certificate authority is an organization that verifies other organizations. You can't just create it. What you're describing is exactly what you don't want, a self-signed certificate. There are only a few CAs that are trusted universally in browsers. – Devon Jan 30 '15 at 18:40
  • @Devon That's actually not correct. It is a trivial process to create a CA, and it's done very frequently for usage inside organizations. – EEAA Jan 30 '15 at 18:44
  • @EEAA I suppose so. What I was getting at is the entity, not the certificate. You can create your own CA certificate and load it up, but it is still a "self-signed" certificate. – Devon Jan 30 '15 at 18:46
  • Thanks for the comments. I may need to rephrase my question then: what is needed to issue `publicly valid` certificates for services and users? – stimur Jan 30 '15 at 18:54
  • @stimur Like I said in my first comment, there are only a few CAs that are trusted in browsers. You can't just create your own and have it be "valid" in external users' browsers. You need to have it signed by one of the trusted CAs. – Devon Jan 30 '15 at 19:01
  • @Devon I understand that, and I don't want to be a root CA. What I want is to be in the chain and be authorized to sign certificates for my domain. Is that technically possible? – stimur Jan 30 '15 at 19:03
  • @stimur I believe that would defeat the purpose of the trusted CA if you can just sign / distribute your own certificates. – Devon Jan 30 '15 at 19:04
  • @stimur It's technically possible, yes. Your trick is going to be trying to convince a publicly-trusted CA to grant you a signing certificate. Which they won't do. – EEAA Jan 30 '15 at 19:04
  • @Devon: I see it that way: I am certified to manage certificates for my single domain. My certificate is signed by a root CA. With a wildcard cert I can use it on any of my subdomains. With a signing certificate I can issue individual certificates for each subdomain myself. Almost the same, I think. But in that case I'm responsible for issuing and revocation and have more granular control over them. – stimur Jan 30 '15 at 19:10
  • @Zoredache: I couldn't find it either, otherwise I wouldn't ask it here :) – stimur Jan 30 '15 at 19:13
  • http://serverfault.com/questions/59567/can-i-be-my-own-trusted-ca-via-an-signed-intermediate-certificate and http://serverfault.com/questions/82446/can-i-be-an-intermediate-certificate-authority – Zoredache Jan 30 '15 at 19:17

1 Answer


First, no public trusted certificate authority is going to grant you any type of signing certificate.

Now that we have that out of the way:

Since this is for internal usage, you don't need any sort of certificate from an outside source. Just start your own CA and distribute its CA cert to all of your clients' trusted certificate databases. Then you can request and sign certificates willy-nilly and all of your clients will trust them.

EEAA
  • Thanks, I was considering this variant, although it involves distribution of a local root certificate to all endpoint devices. I was thinking that there is a way to get an 'intermediate' certificate which can sign my local ones. Is that something unusual? – stimur Jan 30 '15 at 18:49
  • @stimur You absolutely will not be able to get an intermediate cert signed by a globally trusted CA, unless you're a world power with leverage over them or [use hash collision vulnerabilities to create one](http://www.zdnet.com/article/ssl-broken-hackers-create-rogue-ca-certificate-using-md5-collisions/). Distribute an internal CA to your devices; if they're Windows and on a domain, then the process is largely automatic. – Shane Madden Jan 30 '15 at 19:09
  • `to sign my local ones.` - There simply is no functionality that limits the scope of what an intermediate can sign for. Any CA can sign a cert with any subject. Since there is no way to limit it, it isn't going to happen. – Zoredache Jan 30 '15 at 19:11
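The internal-CA approach from the accepted answer, as an added example that is not part of the original answer or comments: the CA cert gets the Key Cert Sign and CRL Sign usages the question asks about, and it also carries the X.509 Name Constraints extension (RFC 5280 section 4.2.1.10), which is how a CA cert is confined to one domain so that relying parties reject anything it signs outside that domain. It assumes `openssl` 1.1.1 or later on PATH; `example.com` and `example.net` are placeholder domains and all file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original answer: build a private CA whose cert
# carries the Key Cert Sign / CRL Sign key usages the question asks about plus
# an RFC 5280 Name Constraints extension restricting it to one domain, issue a
# leaf cert for a subdomain, then verify the chain. Assumes openssl 1.1.1+ on
# PATH; example.com / example.net are placeholder domains.
set -e

make_ca() {                     # make_ca <dir> <domain>
  dir=$1; domain=$2; mkdir -p "$dir"
  cat >"$dir/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:$domain
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Internal CA for $domain" -keyout "$dir/ca.key" -out "$dir/ca.csr"
  # Self-sign the CA request, applying the extensions above
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -sha256 -extfile "$dir/ca.ext" -out "$dir/ca.crt"
}

issue_leaf() {                  # issue_leaf <dir> <hostname>
  dir=$1; host=$2
  cat >"$dir/$host.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.ext" -out "$dir/$host.crt"
}

# Exit 0 only when the leaf chains to the CA and satisfies its name constraints
verify_leaf() {                 # verify_leaf <dir> <hostname>
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" 2>&1 | grep -q ': OK$'
}

d=$(mktemp -d)
make_ca "$d" example.com
issue_leaf "$d" app.example.com    # inside the permitted subtree
issue_leaf "$d" www.example.net    # the CA key will sign it, but relying parties reject it
verify_leaf "$d" app.example.com && echo "app.example.com: trusted"
verify_leaf "$d" www.example.net || echo "www.example.net: rejected (permitted subtree violation)"
```

The second leaf shows the point of the constraint: the private key signs anything it is asked to, so the limit has to live in the CA certificate itself, where every verifier enforces it.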