8

If I purchase a signed certificate for example.com, can I then produce sub-certificates for a.example.com and b.example.com?

These sub-certificates would have PEM files whose privacy cannot be assured.

Can I do this, maintaining the privacy of the root certificate while generating an unlimited number of disposable sub-certificates that would still be recognized as valid by the original signing authority?

TRiG
chrism2671

2 Answers

17

No, that won't work.

In order to sign certificates you need your own certificate authority certificate. The certificates you purchase are signed by a certificate authority, but specifically marked as not being a certificate authority certificate.

Check the "Certificate Basic Constraints" in your certificate, and you will see that it "Is not a Certification Authority".

Michael Hampton
  • Got it, that's very helpful. So to be clear, if I wanted to do it and have a legit, error-free experience in the browser, I'd need a certificate authority certificate. I'm guessing this isn't the sort of thing I can just easily buy, right? – chrism2671 Jul 12 '15 at 19:10
  • 6
    You can certainly make your own CA, but you can't make _everyone's_ browser recognize it. – Michael Hampton Jul 12 '15 at 20:20
  • You can buy a CA certificate from some authorities, but they do not come cheap. Plus, you have to fulfill quite a few requirements. So unless you are a big company who wants to issue at least hundreds or thousands of certificates, it won't be worthwhile. – mat Jul 13 '15 at 14:35
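The Basic Constraints behaviour described in the answer above can be reproduced with the openssl CLI. This is an added example, not part of the original answers: a private "Demo Root CA" stands in for the commercial authority, and all subject names and the function names `new_csr` and `leaf_as_issuer_demo` are constructed for the demo.

```shell
#!/bin/sh
# Added demo; every name below (Demo Root CA, example.com, a.example.com) is a
# constructed sample. Requires the openssl CLI; works entirely in a temp dir.

# new_csr NAME CN: create NAME.key and NAME.csr for subject CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Prints "leaf=<ok|rejected> sub=<ok|rejected>" after building and verifying
# the chain  Demo Root CA -> example.com (CA:FALSE) -> a.example.com.
leaf_as_issuer_demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 2
    trap 'rm -rf "$dir"' EXIT
    printf '%s\n' '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = critical,CA:FALSE' > ext.cnf

    # Root CA: self-signed, marked as a certification authority.
    new_csr ca "Demo Root CA" &&
    openssl x509 -req -in ca.csr -signkey ca.key -days 30 \
        -extfile ext.cnf -extensions ca -out ca.pem >/dev/null 2>&1 || exit 2

    # The purchased certificate: issued by the CA, marked CA:FALSE.
    new_csr leaf "example.com" &&
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -extfile ext.cnf -extensions leaf -out leaf.pem >/dev/null 2>&1 || exit 2

    # The attempted "sub-certificate": signed with the leaf's private key.
    # Signing only needs the key; the CA flag is checked at verification time.
    new_csr sub "a.example.com" &&
    openssl x509 -req -in sub.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
        -days 30 -extfile ext.cnf -extensions leaf -out sub.pem >/dev/null 2>&1 || exit 2

    leaf=rejected; sub=rejected
    openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1 && leaf=ok
    openssl verify -CAfile ca.pem -untrusted leaf.pem sub.pem >/dev/null 2>&1 && sub=ok
    echo "leaf=$leaf sub=$sub"
)

leaf_as_issuer_demo
```

The leaf verifies against the root, while the certificate it signed is rejected during path validation because its issuer is not a certification authority.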
4

If you need more than one domain covered by SSL, you need to buy a wildcard SSL certificate. This covers a domain name and all sub-domains. Remember to create your SSL cert for *.example.com: otherwise you only sign your normal domain.

If you have two different domains you need SSL for each domain.

Or if you have only one subdomain, sometimes two normal SSL certs are cheaper than a wildcard.

TRiG