This is a discussion on How to become SSL Certificate Authority? within the Linux Web Servers forums, part of the Web Server and Related Forums category.

We are a big organization and have requests from various departments for
SSL certificates. I am wondering whether it is possible to make ourselves the SSL Certificate Authority and issue the certificates ourselves. Any comment or recommendation on where to obtain such authority? And what about the cost?

Bosco

--
Due to heavy spamming, I was forced to use an invalid reply address.
Do NOT reply to this posting via email directly.

On Tue, 27 Jul 2004 21:57:52 GMT, Reply Via News Group Please
<reply.via@newsgroups.please.thanks> wrote:

>Yeah you can - without too much difficulty and even do it for free...
>It's actually well documented in the Linux Hacks book from O'Reilly, and
>they've documented it in a small number of pages.

That option is off because we are providing a public service; we will need a root certificate from a trusted authority.

>Alternatively, how many domains do you want certified - A previous
>customer of mine uses a single domain name, but appends different
>directories off the domain for different projects - They all sit
>comfortably under a single certificate....

We have lots of different domains for various departments; we just want to consolidate things so our clients (departments) can go thru us to get the certificate in one stop.

Bosco

--
Due to heavy spamming, I was forced to use an invalid reply address.
Do NOT reply to this posting via email directly.

YesBalala wrote:

> We are a big organization and have requests from various departments for
> SSL certificates. I am wondering whether it is possible to make ourselves the SSL
> Certificate Authority and issue the certificates ourselves. Any comment
> or recommendation on where to obtain such authority? And what about
> the cost?
>
>
> Bosco
>
> --
> Due to heavy spamming, I was forced to use an invalid reply address.
> Do NOT reply to this posting via email directly.

Yeah you can - without too much difficulty and even do it for free... It's actually well documented in the Linux Hacks book from O'Reilly, and they've documented it in a small number of pages.

But... the problem is that web browsers will receive an alert saying the SSL certificate is from an untrusted person since web browsers are installed with a default list (like Thawte.com and Verisign.com).

If you're just talking about your own organisation, you might be able to update your web clients (windoze machines?) and append your domain name to their web browsers' registry as a trusted source...

Alternatively, how many domains do you want certified - A previous customer of mine uses a single domain name, but appends different directories off the domain for different projects - They all sit comfortably under a single certificate....

randelld

On Tue, 27 Jul 2004 21:21:18 GMT, YesBalala <root@10.0.0.1> wrote:

>
>We have lots of different domains for various departments; we just want
>to consolidate things so our clients (departments) can go thru us to
>get the certificate in one stop.
>

Theoretically, you should be able to get a certificate which allows you to sign other certificates, so you'd only actually need one "official" certificate from the big, expensive cert providers.

However, I've never actually tried this in practice to see if browsers will accept such a chain of certificates without displaying a warning to the user.

Good luck,
-Claire

YesBalala <root@10.0.0.1> writes:

> That option is off because we are providing a public service; we will
> need a root certificate from a trusted authority.
>
> >Alternatively, how many domains do you want certified - A previous
> >customer of mine uses a single domain name, but appends different
> >directories off the domain for different projects - They all sit
> >comfortably under a single certificate....
>
> We have lots of different domains for various departments; we just want
> to consolidate things so our clients (departments) can go thru us to
> get the certificate in one stop.

You want basically the Verisign Managed PKI (formerly OnSite) or Thawte SPKI service:

http://www.verisign.com/products/onsite/ssl/index.html
http://www.thawte.com/spki/index.html

It's a remotely operated CA where Verisign handles the technical end. Cost per cert is lower than buying all your certs separately, but not by much.

Thawte used to sell chained CA certs that would let you become an actual CA in your own right the way you're asking. They charged about $100,000 for the CA certification, plus a fee of a few bucks on each cert you signed, and of course there was a lot of legal and technical negotiation required. A few other commercial CAs including Equifax got their start from Thawte that way. Verisign realized that Thawte was busy creating new Verisign competitors, so Verisign bought out Thawte and the practice stopped.

You can also go directly to browser vendors, convince them that you're a legitimate public CA, and get your root cert installed in future releases of the browsers. But then you have to wait a few release cycles (years) before most users have browsers recent enough to contain your root cert.

Finally, maybe you can just buy a wildcard certificate and use it on all your servers, if you feel that doesn't create too much chaos. Why do you have so many departments running their own public-facing SSL servers anyway?

Claire Tucker <fake@invalid.invalid> writes:

> Theoretically, you should be able to get a certificate which allows
> you to sign other certificates, so you'd only actually need one
> "official" certificate from the big, expensive cert providers.
>
> However, I've never actually tried this in practice to see if browsers
> will accept such a chain of certificates without displaying a warning
> to the user.

Yes, chained certs work in most browsers, but certs like you're describing used to cost about $100K and AFAIK are not available any more.

On Tue, 27 Jul 2004, YesBalala wrote:

> We are a big organization and have requests from various departments for
> SSL certificates. I am wondering whether it is possible to make ourselves the SSL
> Certificate Authority and issue the certificates ourselves. Any comment
> or recommendation on where to obtain such authority? And what about
> the cost?

Yes, such is possible. However, if people are going to avoid the warnings, they have to be able to download your SELF-SIGNED certificate into their CA archive.

[That's a hint on what to search the Internet for. There are web pages that describe how to self-sign a certificate.]
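
The private-CA route raised in several replies above (a self-signed root that clients must import, optionally with a chained issuing certificate), shown as an added example that is not from any poster in the thread. It builds a root, an issuing CA and one server certificate with the openssl CLI, then verifies the chain with and without the root trusted. The names, the dept-a.example.org hostname, the pathlen:0 constraint and the lifetimes are assumptions, and keys are written unencrypted to a temporary directory for the demonstration only.

```shell
#!/usr/bin/env bash
# Added example: all names, hostnames and lifetimes are constructed.
set -eu

make_chain() {                 # $1 = empty working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:dept-a.example.org
EOF
  # Self-signed root: the one certificate every client would have to import.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
    -extensions root_ext -subj "/O=Example Org/CN=Example Org Root CA" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  # Issuing CA signed by the root, then a server cert signed by the issuing CA.
  issue "$1" sub  root sub_ext  "/O=Example Org/CN=Example Org Issuing CA"
  issue "$1" leaf sub  leaf_ext "/O=Example Org/CN=dept-a.example.org"
}

issue() {                      # dir, name, signer, extension section, subject
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "$5" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 365 -extfile "$1/ca.cnf" -extensions "$4" \
    -out "$1/$2.crt" 2>/dev/null
}

# Client that imported the root; the server supplies leaf + issuing CA.
verify_trusted()   { openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1; }
# Client that never imported the root: same chain, but no trust anchor.
verify_untrusted() { openssl verify -no-CAfile -no-CApath -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1; }

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_chain "$work"
verify_trusted "$work"   && echo "root imported:     chain verifies"
verify_untrusted "$work" || echo "root not imported: chain rejected"
```

Only root.crt is distributed to clients; the server presents leaf.crt together with sub.crt so the client can build the path up to the root it already trusts.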