
When I create a CA role there is an option for "Root CA" and "Subordinate CA", choosing the second one adds an option to generate a cert request.

Does it mean I can buy a service e.g. from Comodo that will sign my CA cert with theirs and allow me to create self-signed certificates for my domain, that will be auto-trusted by all common browsers (and other services/applications)?

Alex
  • a note: the domain for this kind of CA will be a local domain (not public). something like companyname.vpn – Alex Mar 15 '13 at 08:12
  • If it's only to be used by your employees on employer-owned devices, you'd be better off adding your own root CA to their browsers on installation. – Jenny D Mar 15 '13 at 09:26

1 Answer

4

TL;DR: Probably not.

Long version: It means that this is technically possible, but it does not necessarily mean that the service exists.

The main idea with a subordinate CA is for a company that has a real CA setup, i.e. they use it for many things within your company. In such a case, you might choose to create a root CA for your company, and a few subordinate CAs so that you can sign different types of certificates with different subordinate CAs.

However, whether Comodo or anybody else will allow you to run a subordinate CA that will be able to create certificates which will be trusted by all browsers is an entirely different kettle of fish. There is significant risk involved for whoever has the root CA for this - if you were to handle your own CA with insufficient security, you could end up with a lot of false certificates signed by your CA and trusted by anybody who trusts Comodo. This would risk their getting all of their certificates marked as non-trusted in browsers, effectively ruining both their reputation and their business.

While I haven't checked into it, I would assume that any root CA authority would require a substantive investment in security practices on the part of any company they'd place that kind of trust in. Running a CA on that level properly requires a great deal of work, both on the technical side (i.e. securing network, physical access to the servers, etc), and in creating routines and procedures, separation of duties, etc, to make sure the CA is secure. It's not something to be undertaken lightly.

Jenny D
    Unfortunately, while this was supposed to be possible, it isn't. It was supposed to be possible to issue a subordinate CA certificate that could only sign certificates for names inside particular domains. So if you owned serverfault.com, a CA could give you a certificate to allow you to issue your own email and host certificates only for names inside the serverfault.com domain. But too many programs had buggy implementations of the restriction enforcement and so it opened too great a security hole. Now, no CA will do this. – David Schwartz Mar 15 '13 at 10:15
  • I've been working with setting up an entire internal CA structure at the bank where I work, with different subordinate CAs used for different kinds of certificates. It is not easy. I'm not surprised that sub-CAs didn't turn out to be as easy as one would have wished. It's the old thing about theory and practice again... – Jenny D Mar 15 '13 at 10:25
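As an added example (not part of the question or of Jenny D's answer), this is the name-constrained subordinate CA that David Schwartz's comment describes, built with the openssl command line: a private root signs a sub-CA whose certificate carries a critical Name Constraints extension limited to the local domain companyname.vpn from the question, and a certificate that sub-CA issues for any other name fails chain validation in a client that enforces the extension. All CA names and hostnames are constructed for the demo; it assumes OpenSSL 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Constructed demo: root CA -> name-constrained sub-CA -> leaf certificates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA (req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout root.key \
  -out root.crt -subj "/CN=Example Root CA" 2>/dev/null

# Subordinate CA request, signed by the root with a critical Name Constraints
# extension: the sub-CA may only certify names under .companyname.vpn.
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Example Sub CA" 2>/dev/null
cat > sub.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:.companyname.vpn
EOF
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -out sub.crt -extfile sub.ext 2>/dev/null

# issue_leaf NAME: the sub-CA signs a server certificate for NAME (SAN + CN).
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 30 -out "$1.crt" -extfile "$1.ext" 2>/dev/null
}

# verify_leaf NAME: build the chain NAME -> sub-CA -> root and validate it as a
# relying party would; returns 0 only if the chain (including name constraints)
# is acceptable.
verify_leaf() {
  openssl verify -CAfile root.crt -untrusted sub.crt "$1.crt" >/dev/null 2>&1
}

issue_leaf vpn.companyname.vpn   # inside the permitted subtree
issue_leaf www.example.com       # outside it: a CA-key compromise could mint this
verify_leaf vpn.companyname.vpn && echo "vpn.companyname.vpn: chain valid"
verify_leaf www.example.com || echo "www.example.com: rejected (permitted subtree violation)"
```

The second verification is the check that, per the comment above, too many clients historically got wrong; a client that ignores the extension would accept the out-of-scope certificate and the constraint would protect nothing.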