PKI - How do I go about chaining my root CA to a commercial CA?

Discussion in 'Security Software' started by Dave Hocking, Dec 2, 2003.

  1. Dave Hocking

    Dave Hocking Guest

    Basically I want to use PKI at my workplace to secure email traffic, and as
    we are an ISP, I would like to issue our own SSL certs to our webservers.

    (a) Is this possible, without having to point people to a site where they
    can download our own self-signed root CA?

    (b) If it is possible, how do I go about doing it?

    I have emailed various CA's, though not surprisingly, they haven't responded
    as it would be doing them out of business if we could issue our own
    certificates for everything!

    Any help on this topic would be most welcome, even if it's just to tell me
    that I'm going about this totally the wrong way!


    Cheers folks

    Dave Hocking, Dec 2, 2003
    1. Advertisements

  2. You can generate any kind of self-signed cert you wish (for SSL server, code-signing,
    Personal for S/MIME etc..) but your users of course will not by default
    trust them (because they don't trust the issuer, i.e. you, since it is not
    included in the IE, Netscape etc.. trusted ROOT CA certs.

    If you really want transparency for your users (talking SSL now), it is
    worth the effort buying a commercially issued cert.

    Alternatively, depending on how big your business is, you could check
    "cross-certification" capability from the various well-known public CAs.

    In a closed enterprise, it is common for the enterprise to have a fairly
    automated "Install my custom root CA to your Trusted certs list" but this
    only makes sense on trusted Intranets .. (do they really exist??).

    - Michel Gallant
    MVP Security
    Michel Gallant, Dec 2, 2003
    1. Advertisements

  3. You *could* look into our Root CA program:

    This posting is provided "AS IS" with no warranties and confers no rights.
    Shawn Rabourn \(MS\), Dec 3, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.