Which CA shop provides a product that allows you to sign your own SSL certificates? (say named to a sub-domain) Are there any viable alternatives?

Additional Information:

We are deploying a product with a secure web interface to a sizeable number of installations at various clients' locations. Client users will be accessing their portals from any normal web browser. Since replacing/renewing these certificates in the field is not feasible, long expiry dates of a decade or longer are ideal.

Possible options (and cons):
- Use self-signed certificates (users will see a browser error/warning)
- Use wildcard or maybe multi-CN certificates (less secure since the PK is shared between non-trusting clients)
- Become a chained certificate authority and sign certificates (expensive)
- Buy individual/bulk certificates for every installation (expensive, and cumbersome)

It depends on what you are asking for exactly. If you want the ability to create and revoke your own certs that are trusted by browsers (that is, from an established CA) then you should look for a provider that gives you managed PKI access. I know that both Thawte and Verisign provide this.

If you want to create certificates for others to use that are chained to a trusted CA, there are some providers that do this, but it costs a LOT.

If, on the other hand, you want to create certs for your own internal use and want to create your own CA that you import into your browser manually, you can accomplish this using just OpenSSL.

  • Just to give you an idea of what Alex means by A LOT: my company just researched setting up as a chained CA, and just to get started it was something like 150K in hardware and licensing, and then an ongoing cost per cert we issued. – Zypher Dec 31 '09 at 20:06
  • Hardware perhaps may cost a lot (you'd want something like an HSM to hold the ultra-secure keys in any case, just as a checklist item if nothing else) but there should be no licensing costs really. RSA is open now, and SHA-1 always was. How hard you look at each person's key you sign is variable cost, but the harder you look the better people will trust you. Getting into the browsers is the hard part, but I understand it's just a simple matter of bribes^H^H^H^H^H^H payment. – Michael Graff Dec 31 '09 at 21:49
  • Alex, being able to create many certificates that are trusted by any public client is the goal. Did you find any solutions that were not exorbitantly priced? – MandoMando Jan 01 '10 at 17:14
  • Unfortunately, I don't know of any cheap way of doing it, for any CA that is automatically trusted by the browsers. Basically that is what you are paying for. Excluding that implicit browser trust, you can do everything they do with openSSL. We are using Thawte's Managed PKI product for our cert generation. It is really easy to work with, but the certs cost nearly $200 a piece for a year. We pre-pay for the certs we need in a year, and issue/revoke them as we need. – Alex Jan 02 '10 at 05:22

You'll be interested in this discussion I had a few months back on ServerFault. In a few short words, it's not something you're going to want to get into unless you have a lot of time and money to pursue the type of solution Zypher mentioned in Alex's answer.

Of course, depending on your application, you may be able to become your own CA and distribute that cert to your users (basically install and "trust" it in their systems), which you can then use to sign other certificates that your users will trust (because of the chain-of-trust).

Read the other question and answers for more details.

Additional Info About UCC/SAN Certificates

IceMage answered my question about a workaround for a situation similar to yours. These UCC certificates are pretty neat and handled my needs, but they did require a little additional work. That thread specifically discusses CACert, but I ended up buying what I needed from GoDaddy. I hope this info helps you out.

Clint Miller
  • Thanks for pointing out the discussion. The issue you discussed is slightly different, but close to ours. How did you end up going about it? – MandoMando Jan 01 '10 at 15:29
  • Well, the short story is I didn't pursue becoming a CA or trying to get an intermediate certificate issued that I could use to sign other certificates. The consensus is that either is possible, but both are costly. The solution/workaround to my problem was to buy so-called UCC certificates. These certificates make use of additional "subjectAlternativeName" fields that you can use to enter more than one valid domain name. I'll update the main body of this answer with more info. – Clint Miller Jan 01 '10 at 19:17
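As an added example (not code from anyone in this thread), here is the OpenSSL-only private CA that Alex's answer mentions, combined with the subjectAlternativeName approach Clint describes: a self-signed root that users would import and trust, a per-installation key and CSR, a signed certificate carrying several DNS names, and a chain check. All hostnames and the CA name are made up; the config file is written inline so the run does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from the thread: a private root CA signing a
# multi-name (SAN) server certificate with plain OpenSSL, then a chain check.
# All names are made up; -days 3650 mirrors the decade-long lifetime asked for.
set -eu

make_ca_and_san_cert() {
  work="$1"; mkdir -p "$work"
  # Self-written config so the run does not depend on the system openssl.cnf.
  cat > "$work/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:portal.client1.example, DNS:portal.client2.example
EOF
  # 1. Root CA: self-signed; this is the cert users would import and trust.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$work/openssl.cnf" -extensions ca_ext \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  # 2. Per-installation key and CSR (CN is only a label; browsers match the SAN).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$work/openssl.cnf" -subj "/CN=portal.client1.example" \
    -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
  # 3. The CA signs the CSR, attaching the SAN extension at signing time.
  openssl x509 -req -in "$work/server.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 3650 -sha256 \
    -extfile "$work/openssl.cnf" -extensions server_ext \
    -out "$work/server.crt" 2>/dev/null
  # 4. Chain check: passes against our root, fails against the system store.
  openssl verify -CAfile "$work/ca.crt" "$work/server.crt" >/dev/null 2>&1
}

# Lists the DNS names a browser would accept for the signed certificate.
san_names() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}
```

Clients only trust server.crt after ca.crt is installed in their trust store; with a public root that step is what the CA fees in the answers above pay for.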

I don't think you can sign your own certs even for a subdomain without going through a long and expensive process to become a root certificate authority. A cert is trusted because it comes from an authority that is listed in your web browser.

These are the certificate authorities included in Firefox: http://www.mozilla.org/projects/security/certs/included/

  • You don't need to be a Root CA. As long as there is a cert chain to the root, you can sign certs. The browsers know how to follow the chain up to the root. – MandoMando Jan 01 '10 at 15:07