We’re using slightly unusual/complex certificates, mostly for e-mail services. Every user has his own unique hostname for IMAP, SMTP, etc. This is so we are able to seamlessly migrate users between servers/clusters. Hostnames look like this:
12345.45.imap.example.com - user #12345
12346.46.imap.example.com - user #12346
Therefore, we use certificates with the following SAN names (there are 100 wildcards like that, 00-99):
Formerly, we used StartSSL certificates and they signed such certificates for free. Now, after StartSSL is dead, we can’t get any authority to sign our certificates (for a reasonable price).
Is there any possibility to use Let’s Encrypt for such certificates? I know LE doesn’t support wildcards, but isn’t there any way to get such a “custom” certificate signed, maybe in a not fully automated way (we need only a few similar certificates and they never change)? We would be pleased to make a donation to LE in exchange for this.
Or does anyone know about a CA that would fit our needs?
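As an added example (not code from this thread or from Let’s Encrypt), here is a small Python helper that builds the 100 wildcard SAN entries the question describes, renders them as an openssl `[alt_names]` section for a CSR, and checks that a per-user hostname is covered by exactly one single-label wildcard. It assumes the wildcards have the form `*.NN.imap.example.com` for NN = 00..99 and that NN is the last two digits of the user id; both are inferred from the hostnames shown, not stated verbatim in the post.

```python
"""Added example: wildcard SAN coverage for per-user IMAP hostnames.
Assumption: wildcards are *.NN.imap.example.com, NN = 00..99, where NN is
the last two digits of the user id (12345 -> 45, as in the post)."""

BASE_DOMAIN = "imap.example.com"  # assumed service domain from the post


def wildcard_sans(base=BASE_DOMAIN):
    """One single-label wildcard per two-digit shard, 00 through 99."""
    return [f"*.{n:02d}.{base}" for n in range(100)]


def user_hostname(user_id, base=BASE_DOMAIN):
    """Assumed mapping: shard label is the last two digits of the user id."""
    return f"{user_id}.{user_id % 100:02d}.{base}"


def wildcard_matches(pattern, hostname):
    """RFC 6125-style match: '*' covers exactly one leftmost label and never
    a dot, so *.45.imap.example.com matches 12345.45.imap.example.com but
    not a.b.45.imap.example.com (a second-level wildcard would be needed)."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def covering_sans(hostname, sans):
    """All SAN entries that cover the hostname; the scheme expects exactly one."""
    return [s for s in sans if wildcard_matches(s, hostname)]


def openssl_san_section(sans):
    """Render an [alt_names] section for an openssl req config file so the
    CSR carries all 100 wildcards in subjectAltName."""
    lines = ["[alt_names]"]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(sans, start=1)]
    return "\n".join(lines)


if __name__ == "__main__":
    sans = wildcard_sans()
    for uid in (12345, 12346, 7):  # constructed sample user ids
        host = user_hostname(uid)
        print(host, "->", covering_sans(host, sans))
    print(openssl_san_section(sans)[:120], "...")
```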
Have you thought about getting an internal CA cross-signed by one of the other CAs? GlobalSign offers such a service and I believe Comodo does as well. GlobalSign has several versions of this concept.
For a properly constrained subCA, operated directly by the actual CA but on behalf of the customer (so, few practical benefits), it incurs some additional paperwork and oversight, plus hardware costs, maybe in the realm of a few thousand dollars per year and up. This might get cheaper some day, but it’ll probably get more expensive first.
If you want it externally operated, suddenly the CA’s auditors are having to travel to your site to verify you’re doing a decent job on physical security etc., and that’ll easily take it into hundreds of thousands of dollars unless you already have suitable facilities (e.g. maybe you are a nuclear weapon manufacturer and already have no-lone zones and armed guards on your staff to ensure physical security).
If you don’t want constraints (i.e. you aren’t willing to specify up front the names to be signed), it’d cost millions of dollars to do this and will require full disclosure, with annual mandatory audits to satisfy the browser vendors on behalf of the Relying Parties. You are essentially going into the CA business for yourself.
Historically some businesses operated shoe-string subCAs and cleaning up the resulting mess is one way that Symantec got itself into so much trouble. For every Apple or Google, with good management and clean audits, there were a dozen “big” companies which didn’t have the budget and executive focus to deliver properly, meaning they were never actually compliant and once that was visible to the outside world they were inevitably going to be shut down.
So, a SubCA probably isn’t a realistic option here.