Self-issued certificates and commercial certificates.

Discussion in 'Computer Security' started by Lord Amoeba, Apr 30, 2004.

  1. Lord Amoeba (Guest)

    First of all, sorry, but I'm just getting started with certificate-based
    security, and I may not understand all the concepts yet. Here's my
    question: can one obtain a root certificate from a commercial authority like
    Verisign and then self-issue certificates that would point back to the
    commercial cert in the certification chain? Is such a hybrid possible?
    This is solely for SSL purposes.
    Lord Amoeba, Apr 30, 2004

  2. You can obtain a CA certificate from Verisign, but I think you'll find it
    costs a lot of money.

    A root CA certificate is simply a CA certificate that is installed directly
    at the host computer as a "trusted root", rather than one that has to refer
    up a chain to another CA that is a trusted root.

    To get a root CA into Windows, you'd need to contact Microsoft and spend
    some time and money convincing them that your CA is going to be acceptably
    run, so that they can add you to the next round of Internet Explorer

    It sounds like you are just looking for a CA certificate from Verisign (or
    some other CA).


    [Please don't email posters, if a Usenet response is appropriate.]
    Alun Jones [MS MVP], May 1, 2004

  3. Out of interest, why would you want to do this?
    If you are just working in a small community then you don't need a 3rd party
    root CA to vouch for you.
    The people know you, they know each other, they trust the certificates.

    If you are working in a medium to large organisation and only using the
    certificates internally, then again you don't need any external body to
    vouch for your certificates. Your organisation issued them and you know that
    they are good (or as good as your security model for the CA).

    If you wish to run a secure CA which will issue globally trusted
    certificates to a group of users who will use them to vouch for themselves
    in the outside world (i.e. where the other party to the
    communication/interaction may not know your company/group, and/or trust them
    to securely vouch for the identity of the certificate holder) then what you
    describe above is exactly what you do - you set up a CA with a root
    certificate signed by a Trusted Third Party [TTP].
    Everyone trusts this third party (e.g. Verisign, Thawte) so by association
    they also trust you and believe your certificates.
    So far so good - but if you do bad things, like issuing inaccurate
    certificates to people unknown to you and not checked by you, then this
    reflects on the reputation of the TTP.
    Mindful of that, a TTP will not just sell you a root certificate.
    They will also expect evidence that you can be trusted to manage this in a
    secure manner.
    Often this is done via a vendor of PKI infrastructure who will sell you the
    kit and audit your installation and methods.
    As suggested already in another response, this doesn't come cheap.

    So yes, you can buy a root certificate then issue your own certificates
    signed by this root certificate.
    However this isn't a cheap option.
    Nor is it simple.

    Dave R
    David W.E. Roberts, May 5, 2004
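The two answers above make one point between them: a "root" is just a CA certificate a client has installed as a trust anchor, and a subordinate CA certificate issued by a trusted third party lets your own certificates verify on every client that already trusts that third party. The Go program below is an added example written for this thread, not code from the posters or from any CA vendor. It builds the chain in memory with only the standard library (self-made root, subordinate CA, server certificate) and then checks the server certificate under three trust setups: the root trusted and the subordinate CA sent alongside the server certificate (the hybrid the question asks about), the subordinate CA itself installed as a trusted root (a purely private PKI), and an unrelated root as the only anchor. All names (Example Root CA, Example Subordinate CA, intranet.example.test, Unrelated Root CA) are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not from the thread or any CA vendor: build a three-level
// chain in memory (root -> subordinate CA -> server certificate) and check
// which trust anchor makes the server certificate verify. All names are made up.

type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mustCert issues a certificate for name, signed by issuer, or self-signed when
// issuer is nil. CA certificates get basicConstraints CA:TRUE and keyCertSign;
// end-entity certificates get serverAuth and a DNS SAN carrying the name.
func mustCert(name string, isCA bool, issuer *certPair, serial int64) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certPair{cert: cert, key: key}
}

// verifies reports whether leaf chains up to one of the trusted anchors, given
// the untrusted intermediates a TLS server would send alongside it.
func verifies(leaf *x509.Certificate, anchors, intermediates []*x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// Outcome records whether the server certificate verified under each trust setup.
type Outcome struct {
	ViaRoot      bool // client trusts the root, server sends the sub CA cert: the hybrid asked about
	ViaSubOnly   bool // client has the sub CA itself installed as a trusted root: a private PKI
	ViaOtherRoot bool // client trusts only an unrelated root: must be false
}

// ChainOutcomes builds root -> sub -> leaf and runs the three checks.
func ChainOutcomes() Outcome {
	const host = "intranet.example.test"
	root := mustCert("Example Root CA", true, nil, 1)
	sub := mustCert("Example Subordinate CA", true, root, 2)
	leaf := mustCert(host, false, sub, 3)
	other := mustCert("Unrelated Root CA", true, nil, 4)
	chain := []*x509.Certificate{sub.cert}
	return Outcome{
		ViaRoot:      verifies(leaf.cert, []*x509.Certificate{root.cert}, chain, host),
		ViaSubOnly:   verifies(leaf.cert, chain, nil, host),
		ViaOtherRoot: verifies(leaf.cert, []*x509.Certificate{other.cert}, chain, host),
	}
}

func main() {
	fmt.Printf("%+v\n", ChainOutcomes())
}
```

The third case is the one that matters for the question: a certificate chained to your subordinate CA is only accepted where the client's store holds the root above it, so the commercial signature buys you nothing on a client that has only some other root installed, while the second case shows that distributing your own CA certificate to every client makes the commercial root unnecessary for an internal deployment.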
