Can I create my own SubCA certificate?


I am software developer, and have a task to create my own CA, supporting CT technology.

So, may I use Let's Encrypt services to create my own, not self-signed CA certificate (with Basic Constraints: CA = true, e.t.c.), and later use it for creating precertificates and put this chain in test CT-log for getting SCT stamp?

With Respect

No, this is not possible. And from what I've remembered from previous threads about this topic, the Let's Encrypt staff is also not providing such services in the future.

You've got to realise that if a CA would issue such a sub-CA, even though the sub-CA would need to be fully audited ($$$!), the CA would ultimately be responsible for anything that would go wrong at the sub-CA. So that's a huge responsibility.


There are commercial CAs that offer this service.

It's expensive, in the high six to low seven figures.


Certificates have a Key Usage field which determines the functions the certificate can be used for. The certificate you get via Let's Encrypt does not have the "Certificate Signing" feature so can't be used to further create a trusted chain.


Then create your own CA; I'd look at Small Step CA.
[I don't read anywhere that requires your CA to be signed by a trusted CA nor globally trusted]


...and if you have a spare Raspberry Pi, here's how to set it up:

Hardware RNG, a YubiKey as a poor man's HSM, really a pretty nice arrangement. And it even supports the ACME protocol, so you can use certbot or any other ACME client (Caddy works beautifully) to get certs from it. And if you don't want to use a Pi, you should be able to adapt the instructions to pretty much any other Linux environment.


I read the "not self signed" part as meaning that.


If so, ask whomever assigned the "task" to you to open their checkbook!


Reading the OP I think he need a CA that a CT log server will accept certificate from, try those google CT log server in test section.

creating precertificates and put this chain in test CT-log for getting SCT stamp?

or maybe LE staff can give a CA certificate that accepted by testflume?

These logs are intended for testing purposes only and will only log certificates that chain to a test root explicitly added to it.

To add a test root to the Google test Logs, please email


btw how to request a test CA to be accepted in testflume CT logs? @lestaff


@Nummer378's got it exactly right - there's a contact link on the CT Logs page.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.