Can I be my own trusted CA via a signed intermediate certificate?

Solution 1:

Your question reads to me and to others as "How do I issue certificates to entities inside and outside of my organization that are trusted by arbitrary internet users?"

If that is your question then the answer is "You don't." If it isn't, please clarify.

I also recommend reading "Windows Server 2008 PKI and Certificate Security by Brian Komar" and consider all of the various PKI scenarios for your applications. You don't need to use Microsoft's CA to get something out of the book.

Solution 2:

A quick search shows that such things exist, but the 'contact us for a quote' suggests it won't be cheap:

https://www.globalsign.com/en/certificate-authority-root-signing/

I make no claims about the company, but that page might give you terms to use to find other companies doing the same.


Solution 3:

If you could do this, what's going to prevent Joe Malware from issuing a cert for www.microsoft.com and giving you his own "special" brand of updates through a DNS hijack?

FWIW, here's how to get your root certificate included by Microsoft in the OS:

http://technet.microsoft.com/en-us/library/cc751157.aspx

The requirements are pretty steep.


Solution 4:

This is basically indistinguishable from becoming a reseller for that root CA, which almost certainly costs a lot of effort and money to become. This is because, as Tim notes, you can make a valid certificate for any domain, which shouldn't be allowed unless you control that domain.

An alternative is RapidSSL's reseller program in which they do all the hard work and issue from their root CA.


Solution 5:

Ask yourself these two questions:

  1. Do you trust your users to properly import root certificates into their web browser?
  2. Do you have the resources to partner with an existing root CA?

If the answer is yes to 1, CAcert has solved your problem for you. If the answer to 2 is yes, look into the list of trusted root certificates shipped with OpenSSL, Firefox, IE and Safari and find one to sign your intermediary certificate.
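Solutions 4 and 5 both turn on the same point: a root that clients trust, an intermediate signed by that root, and the risk that the intermediate can issue for any name. The following is an added example (not code from any of the answers above) showing, with Go's standard `crypto/x509` package, how a root CA can sign an intermediate that carries an X.509 Name Constraints extension, so a relying party trusting only the root accepts leaf certificates under the permitted domain and rejects everything else. The CA names, the domain `example.com`, the out-of-scope host `www.example.org` and all keys are constructed for the example; it runs offline and mirrors what a browser does when verifying a chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed root, a name-constrained intermediate and their keys.
type PKI struct {
	Root, Intermediate *x509.Certificate
	RootKey, IntKey    *ecdsa.PrivateKey
}

// newKey generates a fresh P-256 key (constructed, never persisted).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent, signed with parentKey, and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI creates a self-signed root and an intermediate limited to permittedDomain.
func BuildPKI(permittedDomain string) *PKI {
	now := time.Now()
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	intKey := newKey()
	intTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Issuing CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0, // may issue end-entity certs only, no further sub-CAs
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Name Constraints (RFC 5280 4.2.1.10), marked critical so a verifier that
		// does not understand it rejects the chain instead of silently ignoring it.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permittedDomain},
	}
	inter := sign(intTmpl, root, &intKey.PublicKey, rootKey)
	return &PKI{Root: root, Intermediate: inter, RootKey: rootKey, IntKey: intKey}
}

// IssueLeaf issues a server certificate for host from the intermediate.
// The intermediate itself will happily sign any name; the constraint is
// enforced by the relying party, not by the issuer.
func (p *PKI) IssueLeaf(host string) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // modern verifiers only look at the SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, p.Intermediate, &leafKey.PublicKey, p.IntKey)
}

// Verify does what a client trusting only p.Root does for a TLS connection to host.
func (p *PKI) Verify(leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	inters := x509.NewCertPool()
	inters.AddCert(p.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p := BuildPKI("example.com")
	for _, host := range []string{"www.example.com", "www.example.org"} {
		leaf := p.IssueLeaf(host)
		fmt.Printf("%-18s verify error: %v\n", host, p.Verify(leaf, host))
	}
}
```

The first host verifies with a nil error; the second fails with a name-constraint error even though the signature chain is mathematically valid. This is the mechanism a root CA would need to rely on before signing someone else's intermediate, and it also explains why the answers above say it is rarely offered: it only protects relying parties whose software enforces name constraints, and it does nothing about the issuing key's security or a lost or leaked intermediate key.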