27

I have written a small program to run on a Windows computer that serves SSL/TLS web pages through port 443 to visiting web browsers. I want it to be easy for non-technical people to install and run this program. I have made it easy for them to create a self-signed certificate or a certificate signing request in the program, but I think they are going to struggle getting the CSR signed and connected to a domain name which points at their server. I want to reduce the technical difficulty of this process to a minimum.

Can I purchase an SSL certificate which can sign certificates for subdomains of my domain name? Something like customer1.mydomain.com, customer2.mydomain.com etc and then I could point my DNS subdomains at their servers and sign their certificates for them and automate the entire process. Or maybe this would be very expensive?

If not, apart from hosting all their web applications on my own server with a *.mydomain.com certificate, what is the simplest solution I can give them for setting up the SSL certificates and domain names?

fawltyserver
  • 281
  • 1
  • 3
  • 6
  • Anyone visiting *.mydomain.com would see a cert error in their browser because you're not a registered certificate authority in any browsers. – gravyface May 28 '11 at 15:53
  • GeoTrust offers GeoRoot so you can become your own root certificate authority for your domain, but you need to have a net worth of 5M or more and a bunch of other requirements. – gravyface May 28 '11 at 15:56
  • @Gravyface Do they now? That's new. – sysadmin1138 May 28 '11 at 16:04
  • 1
    You might have better luck setting yourself up as a reseller and semi-automating the SSL/domain registration process through your account. – gravyface May 28 '11 at 16:16
  • GeoRoot is not an intermediate CA certificate simply handed out to the customer, it is an external signing service which can be integrated with Active Directory. – the-wabbit May 28 '11 at 19:44
  • @gravyface The reseller route might be the best I can do at the moment because I am not a big company. – fawltyserver May 29 '11 at 09:39

3 Answers

28

The sad truth is that what you aim for is technically possible with the X.509 Name Constraint permittedSubtrees attribute as defined in RFC 2459 Section 4.2.1.11, but you hardly will find any CA willing to provide you with such a certificate.

Some will not do that due to the thought that selling you such a certificate once is not as good as selling you a lot of per-host-certificates many times.

Some will not due to self-incurred braindead regulatory requirements or requirements of external parties.

There is a very very sad story about the certificate chain of a large telecoms provider which has signed intermediate CAs for a national research network which in turn did issue CA certificates to Universities. While this does not sound very sad yet, the sadness starts as a brave man from the aforementioned telecoms provider tried to get the certificate and the trust chain included into Mozilla Firefox - it took 4 years of discussions, reviews, misunderstandings and even more discussions before it was finally included.

What you can purchase is mostly some "Managed Service" where you would use the CA's interfaces to create new certificates more or less at will. Of course, this typically will cost a lot of money beforehand and you likely will be additionally charged for every issued certificate.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
  • Just as a footnote: the security processes followed by commercial CAs (and thus their customers as well) have been [heavily criticized by renowned information security experts as being prone to breakups](http://www.schneier.com/paper-pki-ft.txt). All of it still applies. – the-wabbit May 28 '11 at 19:52
  • "but you hardly will find any CA willing to provide you with such a certificate" - do you know of any exception? I am looking for such a certificate too. Is there a name for "Name Constraint permittedSubtrees" certificates? Though, judging from [this thread](https://mail1.eff.org/pipermail/observatory/2011-April/000206.html), this part of the RFC never really took off... – johndodo Aug 08 '12 at 07:17
  • @johndodo I only know of the U.S. Federal Bridge CA as a "public" authority having used name constraints [in the past](http://csrc.nist.gov/archive/pki-twg/y2002/presentations/twg-02-22.pdf) for the subordinate CAs of the U.S. government agencies. I have never seen any of the CAs preinstalled with browsers or operating systems issue such certificates myself. The ones noted in your referenced post - the swiss touring club and the ICC are both issued by [WISeKey](http://www.wisekey.com/en/Products/PKIManagement/Pages/default.aspx) (a Swiss CA), but I do not know much about their product line. – the-wabbit Aug 10 '12 at 11:43
  • 1
    As an aside: the [EFF's map of CAs](https://www.eff.org/files/colour_map_of_CAs.pdf) makes an interesting reading. – the-wabbit Aug 10 '12 at 11:52
  • Here's [an example](https://bugzilla.mozilla.org/show_bug.cgi?id=1390981#c2) of Comodo being held responsible for bad certificates Intel issued with [such a name-constrained CA certificate](https://crt.sh/?sha1=d50c68fdcb0c3315eb9951f2444fd9e48ba34829). Given that the issuing CA is responsible for any bad certificates you issue, I'm not surprised that it's very hard to obtain. – Gavin S. Yancey Jun 27 '20 at 07:55
  • (From the link above) "These certificates are issued from a name-constrained CA operated by Intel Corporation. **Comodo acknowledges its responsibility for this CA’s compliance with Mozilla’s CA policy.** It took us (Comodo) a few days to forward this report to Intel. Although the report was circulated within Comodo we were not able to revoke these end entity certificates since we do not operate that CA. Those within Comodo who would otherwise have revoked the end entity certificates did not initially feed back that the certificates needed external action." – Gavin S. Yancey Jun 27 '20 at 08:01
  • What about a free CA like Let's Encrypt? They don't care about selling certificates; if anything it's easier on their infrastructure if you just get one certificate that you can use for subdomains. So why wouldn't they be willing to issue permittedSubtrees certificates? – flarn2006 Dec 08 '20 at 23:01
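The permittedSubtrees name constraint that the-wabbit's answer refers to can be demonstrated end to end with the openssl command-line tool. The script below is an added example and is not code from the original thread or from any of the CAs mentioned: it builds a throwaway root CA, a subordinate CA whose certificate carries a critical Name Constraints extension limiting it to `.mydomain.com`, and two server certificates signed by that subordinate. The domain names, the `Example Root CA` / `Example Constrained Sub CA` subjects and the helper functions `issue_leaf`, `verify_chain` and `report` are all assumptions made for this example. The point it shows beyond the answer's text is that the subordinate can sign a certificate for any name, and it is the relying party's chain validation that rejects the name outside the permitted subtree.

```shell
#!/bin/sh
# Added example, not code from the original thread. It builds, in a temporary
# directory, a self-signed root CA, a subordinate CA carrying a critical
# Name Constraints extension (permittedSubtrees = .mydomain.com; RFC 5280
# section 4.2.1.10, which superseded RFC 2459 section 4.2.1.11), and two leaf
# certificates signed by that subordinate. OpenSSL's chain validation accepts
# the leaf inside the permitted subtree and rejects the one outside it.
# All names (mydomain.com, other-example.net) are illustrative placeholders.
# Requires the openssl command-line tool (1.1.1 or later).
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# One config file for every request; the subject is always given via -subj,
# so the [dn] section is only the placeholder that `prompt = no` requires.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# The constraint the thread is about: this CA may only certify names under
# .mydomain.com (leading dot = any subdomain). Marked critical so a verifier
# that does not understand it rejects the chain instead of ignoring it.
nameConstraints = critical, permitted;DNS:.mydomain.com
EOF

# Root CA: self-signed, the role a public CA plays in the question's scenario.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
  -config ca.cnf -extensions v3_root -subj "/CN=Example Root CA" \
  -keyout root.key -out root.crt 2>/dev/null

# Subordinate CA: a CSR signed by the root with the name-constrained profile.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "/CN=Example Constrained Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.cnf -extensions v3_sub -out sub.crt 2>/dev/null

# issue_leaf NAME: the subordinate signs a server certificate for NAME.
# Signing succeeds for any name; the constraint is enforced by whoever
# validates the chain, not by the signer.
issue_leaf() {
  name=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf '[ leaf ]\nbasicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$name" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 30 -sha256 -extfile "$name.ext" -extensions leaf -out "$name.crt" 2>/dev/null
}

# verify_chain NAME: exit status 0 if leaf -> sub -> root validates, 1 if not
# (OpenSSL reports "permitted subtree violation" for a name outside the constraint).
verify_chain() {
  openssl verify -CAfile root.crt -untrusted sub.crt "$1.crt" >/dev/null 2>&1
}

# report NAME: human-readable result when the script is run by hand.
report() {
  if verify_chain "$1"; then echo "$1: ACCEPTED"; else echo "$1: REJECTED"; fi
}

issue_leaf customer1.mydomain.com     # inside the permitted subtree
issue_leaf www.other-example.net      # outside it
report customer1.mydomain.com
report www.other-example.net
```

Run it as-is to see `customer1.mydomain.com: ACCEPTED` and `www.other-example.net: REJECTED`; `openssl verify` without the `2>&1` redirect prints the `permitted subtree violation` error for the second chain. The constraint is marked critical on purpose: a client that does not implement Name Constraints must then refuse the whole chain rather than silently treat the subordinate as an unconstrained CA, which is the risk the answers above describe when a CA hands out a subordinate certificate.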
7

The problem with what you intend is that there is no way for a primary CA (Verisign, Thawte, etc) to constrain a subordinate CA (what you're looking for) to only assign certificates for, or be valid for, a specific domain. A subordinate CA that chains to a valid root will be able to create certificates for the entire Internet. This is why you can't get a Subordinate CA certificate from anyone but a root CA you make yourself.

You can't do what you're looking for without a wildcard certificate from one of the big certificate vendors. Those can be bought, unlike subordinate CA certificates.

sysadmin1138
  • 133,124
  • 18
  • 176
  • 300
4

StartCom has an Intermediate Certificate Authority program. According to the linked site the program is intended for those issuing 1,000 or more certificates and the average cost is around $2 per issued certificate.

TimS
  • 2,166
  • 13
  • 8
  • Thank you. That sounds like it would do what I asked for, but I am not a big company yet. Maybe in the future. I think I will just dump the technical complexity on my customers for now. – fawltyserver May 29 '11 at 09:46
  • StartCom will not hand out the certificate. Instead, it will set up a CA with a web (and probably SOAP) interface for you to use. From StartCom's web site: *"An Intermediate Authority Certificate representing your organization **(Hosted at StartCom's premises)**"* – the-wabbit Oct 15 '15 at 07:49
  • 3
    Note: "StartCom CA is closed since Jan. 1st 2018" – Schneider Mar 28 '18 at 23:12