Custom LE certificate


#1

Hi,

we’re using a little bit unusual/complex certificates mostly for e-mail services. Every user has his uniqe hostname for IMAP, SMTP, etc… It is for us to be able to seamlesly migrate users between servers/clusters. Hostnames looks like this:

12345.45.imap.example.com - user #12345
12346.46.imap.example.com - user #12346

Therefore, we use certificates with following SAN names (there are 100 wildcards like that - 00-99):

*.00.imap.example.com, .., *.45.imap.example.com, ... , *.99.imap.example.com

Formely, we used StartSSL certificates and they signed such certificate for free. Now, after StartSSL is dead, we can’t get any authority to sign our certificates (for reasonable price).

Is there any possibility to use Let’s Encrypt for such certificates? I know LE doesn’t support wildcards, but isn’t there any way how to sign such “custom” certificate, maybe in not fully automated way (we need only few similar certificates and they newer change)? We would be pleased to make a donation to LE in exchange for this.

Or does anyone know about a CA that would fit our needs?

Thank you,

Best regards,

David.


#2

Hi David

I am assuming most CA’s want to charge you for 100 wildcard certificates?

CloudFlare has the closest I can see. Looking at about 20$ a month for 2x certs. Maybe if you ask them nicely they will let you issue more than 100 :smiley:

Have you thought about getting an Internal CA Cross Signed by One of the Other CAs Global Sign offers such a service and I believe Comodo do as well. GlobalSign has several versions of this concept

https://www.globalsign.com/en-au/certificate-authority-root-signing/

https://www.globalsign.com/en-au/cloud/

https://www.globalsign.com/en-au/auto-enrollment-gateway/

Interesting Setup and Problem :smiley:

Andrei


#3

Running a subCA will invariably be expensive.

For a properly constrained subCA, operated directly by the actual CA but on behalf of the customer (so, few practical benefits) it incurs some additional paperwork and oversight, plus hardware costs, maybe in the realm of a few thousand dollars per year and up. This might get cheaper some day, but it’ll probably get more expensive first.

If you want it externally operated, suddenly the CA’s auditors are having to travel to your site to verify you’re doing a decent job on physical security etc. and that’ll easily take it into hundreds of thousands of dollars unless you already have suitable facilities (e.g. maybe you are a nuclear weapon manufacturer and already have no-lone zones and armed guards on your staff to ensure physical security)

If you don’t want constraints (ie you aren’t willing to specify up front the names to be signed), it’d cost millions of dollars to do this and will require full disclosure, with annual mandatory audits to satisfy the Browser vendors on behalf of the Relying Parties. You are essentially going into the CA business for yourself.

Historically some businesses operated shoe-string subCAs and cleaning up the resulting mess is one way that Symantec got itself into so much trouble. For every Apple or Google, with good management and clean audits, there were a dozen “big” companies which didn’t have the budget and executive focus to deliver properly, meaning they were never actually compliant and once that was visible to the outside world they were inevitably going to be shut down.

So, a SubCA probably isn’t a realistic option here.


#4

Thank you. Exactly, most CA’s will charge us for 100 wildcards - so we’re on prices starting at 10.000$ per certificate a year.

CloudFlare price is interesting, but I believe they don’t offer the usual certificates signed based on CSR to use at our server. Or am I wrong?


#5

What’s the point of using a public CA here?
Can’t you do the same or better with your own private CA?
What other possible use could those certs have?


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.