Self-issued certificates and commercial certificates.

Discussion in 'Computer Security' started by Lord Amoeba, Apr 30, 2004.

  1. Lord Amoeba

    Lord Amoeba Guest

    First of all, sorry, but I'm just getting started with certificate-based
    security, and I may not understand all the concepts yet. Here's my
    question: can one obtain a root certificate from a commercial authority like
    Verisign and then self-issue certificates that would point back to the
    commercial cert in the certification chain? Is such a hybrid possible?
    This is solely for SSL purposes.
    Lord Amoeba, Apr 30, 2004
    #1

  2. In article <c6trlf$28n$>, "Lord Amoeba"
    <> wrote:
    >First of all, sorry, but I'm just getting started with certificate-based
    >security, and I may not understand all the concepts yet. Here's my
    >question: can one obtain a root certificate from a commercial authority like
    >Verisign and then self-issue certificates that would point back to the
    >commercial cert in the certification chain? Is such a hybrid possible?
    >This is solely for SSL purposes.


    You can obtain a CA certificate from Verisign, but I think you'll find it
    costs a lot of money.

    A root CA certificate is simply a CA certificate that is installed directly
    at the host computer as a "trusted root", rather than one that has to refer
    up a chain to another CA that is a trusted root.

    To get a root CA into Windows, you'd need to contact Microsoft and spend
    some time and money convincing them that your CA is going to be acceptably
    run, so that they can add you to the next round of Internet Explorer
    updates.

    It sounds like you are just looking for a CA certificate from Verisign (or
    some other CA).

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
    --
    Texas Imperial Software | Find us at http://www.wftpd.com or email
    1602 Harvest Moon Place | .
    Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
    Alun Jones [MS MVP], May 1, 2004
    #2

  3. "Lord Amoeba" <> wrote in message
    news:c6trlf$28n$...
    > First of all, sorry, but I'm just getting started with certificate-based
    > security, and I may not understand all the concepts yet. Here's my
    > question: can one obtain a root certificate from a commercial authority like
    > Verisign and then self-issue certificates that would point back to the
    > commercial cert in the certification chain? Is such a hybrid possible?
    > This is solely for SSL purposes.


    Out of interest, why would you want to do this?
    If you are just working in a small community then you don't need a 3rd party
    root CA to vouch for you.
    The people know you, they know each other, they trust the certificates.

    If you are working in a medium to large organisation and only using the
    certificates internally, then again you don't need any external body to
    vouch for your certificates. Your organisation issued them and you know that
    they are good (or as good as your security model for the CA).

    If you wish to run a secure CA which will issue globally trusted
    certificates to a group of users who will use them to vouch for themselves
    in the outside world (i.e. where the other party to the
    communication/interaction may not know your company/group, and/or trust them
    to securely vouch for the identity of the certificate holder) then what you
    describe above is exactly what you do - you set up a CA with a root
    certificate signed by a Trusted Third Party [TTP].
    Everyone trusts this third party (e.g. Verisign, Thawte) so by association
    they also trust you and believe your certificates.
    So far so good - but if you do bad things, like issuing inaccurate
    certificates to people unknown to you and not checked by you, then this
    reflects on the reputation of the TTP.
    Mindful of that, a TTP will not just sell you a root certificate.
    They will also expect evidence that you can be trusted to manage this in a
    secure manner.
    Often this is done via a vendor of PKI infrastructure who will sell you the
    kit and audit your installation and methods.
    As suggested already in another response, this doesn't come cheap.

    So yes, you can buy a root certificate then issue your own certificates
    signed by this root certificate.
    However this isn't a cheap option.
    Nor is it simple.

    HTH
    Dave R
    David W.E. Roberts, May 5, 2004
    #3
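
The chain this thread discusses, as an added example that is not part of any poster's message: a self-signed root standing in for the commercial authority signs a CA certificate, that CA issues a server certificate, and an ordinary server certificate (CA:FALSE) is shown failing when used as an issuer. All names, files and lifetimes are constructed for illustration, and the script assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example. All names are constructed; "Demo Commercial Root" stands in
# for a commercial CA such as Verisign. Requires the openssl CLI.
work=$(mktemp -d) && cd "$work" || exit 1
trap 'cd / && rm -rf "$work"' EXIT

cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

csr() {   # $1 = file basename, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
issue() { # $1 = subject basename, $2 = issuer basename, $3 = extension section
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile ext.cnf -extensions "$3" -days 30 -out "$1.pem" 2>/dev/null
}
build_chain() {
  # Trust anchor: self-signed, the only certificate clients install as trusted.
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ext.cnf -extensions root_ca \
    -keyout root.key -out root.pem -subj "/CN=Demo Commercial Root" -days 30 2>/dev/null &&
  # The CA certificate the thread talks about buying: CA:TRUE, signed by the root.
  csr sub "Example Org Issuing CA" && issue sub root sub_ca &&
  # A server certificate you issue yourself from that CA.
  csr www "www.example.test"       && issue www sub server &&
  # An ordinary SSL certificate (CA:FALSE) used to sign another certificate.
  csr rogue "rogue.example.test"   && issue rogue www server
}
# Clients trust only root.pem; the server sends the rest of the chain (-untrusted).
verify_site()  { openssl verify -CAfile root.pem -untrusted sub.pem www.pem >/dev/null 2>&1; }
verify_rogue() { cat sub.pem www.pem > chain.pem
  openssl verify -CAfile root.pem -untrusted chain.pem rogue.pem >/dev/null 2>&1; }

build_chain || { echo "openssl failed" >&2; exit 1; }
if verify_site;  then echo "www via own CA: chains to root"; else echo "www: REJECTED"; fi
if verify_rogue; then echo "rogue: ACCEPTED"; else echo "rogue: rejected, issuer is not a CA"; fi
```

The signing command itself does not refuse a non-CA issuer; the rejection happens at the verifier, which is why the extensions on the issuing certificate matter more than who holds a signing key.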