Certification authority


• How to become a certification authority
• How to sign a certificate signing request with my certification authority?
Thank you

You can create your own private PKI using something like cfssl, which is a bit easier to use than OpenSSL. cfssl provides all the tools you need to create a CA and sign certificates. However, no browser or other type of reliant party will trust your CA unless they manually add you to their trust stores.

To become a trusted CA you have one of two options:

  • You can pay $x00,000s of dollars to an existing CA to become a subordinate CA, or
  • You can start your own CA and apply to root programs to be trusted, but this can cost up to a million dollars or more over a few years, including staff, infrastructure and time.

If you want to do it for a small demo project for how the technology works, OpenSSL might still be a decent choice. It has commands that perform all of the tasks related to requesting and issuing certificates. For practical applications, I think @_az’s suggestion is good.

If you like the ACME technology that Let’s Encrypt uses, you can run the same CA software that Let’s Encrypt does.

As @_az explained, your CA won’t be trusted by clients, unless those clients have your CA’s certificate installed. For a personal or organizational CA, that could be OK (you can get all of the devices that are supposed to trust the CA to install its certificates).
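
An added example, not part of any reply in this thread: the demo-scale OpenSSL workflow mentioned above, covering both questions (creating a private CA, then signing a CSR with it) and the trust point that a certificate only validates for clients holding the issuing CA's certificate. The CA name, host name, lifetimes and file layout are constructed for illustration.

```shell
# Added example; all file names and host names below are constructed.
# write_cnf DIR: minimal req config, so nothing depends on the system openssl.cnf.
write_cnf() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder-overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR NAME: self-signed root. -nodes leaves the key unencrypted (demo only).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/req.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_csr DIR HOST: the requester's side; only the .csr is sent to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1/req.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign_csr DIR CA HOST: the CA's side. `x509 -req` checks the CSR's self-signature
# and takes extensions from the CA's own ext file, not from the request.
sign_csr() {
  cat > "$1/$3.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$3
EOF
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$1/$3.ext" \
    -out "$1/$3.crt" 2>/dev/null
}

# trusts DIR CA HOST: exit 0 only if HOST's certificate chains to that CA.
trusts() { openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1; }
```

Call `write_cnf`, `make_ca`, `make_csr` and `sign_csr` in that order against a scratch directory; `trusts` then succeeds for the issuing CA and fails for any other root.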
