I work for a small business that’s getting big enough to justify an internal PKI. I already have one built using Microsoft Active Directory Certificate Services (for its integration into the rest of the AD infrastructure). This system is seamless if a given device is joined to Active Directory, but non-domain-joined devices don’t receive the root certificate generated by the internal CA.
I’d like to solve this by switching our intermediate CA to a publicly recognized root, but this means getting an intermediate certificate capable of issuing its own certs. Several of the major certificate providers offer variations on this under various brands… and they’re perfectly happy to take payments in organs and limbs.
I’m wondering if it’s possible to do this through Let’s Encrypt. The domain is a public domain, so there’s no conflict there.
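Whether a certificate is "capable of issuing its own certs" is not a matter of who sold it but of what its X.509 extensions say: a CA certificate carries `basicConstraints` with `CA:TRUE` and a `keyUsage` that includes `keyCertSign`, and relying parties reject chains where an issuing certificate lacks them. The script below is an added example (not part of the original post) that builds a throwaway self-signed CA and a leaf signed by it as constructed test data, then checks each one the way you would check any certificate a provider hands you before relying on it as an intermediate. It assumes `openssl` 1.1.1 or newer is on `PATH` (the `-addext` flag needs that version); the subject names and file paths are made up.

```shell
#!/bin/sh
# Added example: inspect a certificate's extensions to decide whether it may sign other certs.
# Assumes openssl >= 1.1.1 on PATH. All names below are constructed test data.
set -e
WORK=$(mktemp -d)
CA_PEM="$WORK/ca.pem"
LEAF_PEM="$WORK/leaf.pem"

# Constructed throwaway CA: self-signed, explicitly marked as a CA that may sign certs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$CA_PEM" \
  -subj "/CN=Example Internal Root (constructed)" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

# Constructed leaf (server) certificate issued by that CA, explicitly marked CA:FALSE.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=host.example.internal" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/leaf.ext"
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
  -CA "$CA_PEM" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/leaf.ext" -out "$LEAF_PEM" >/dev/null 2>&1

# Returns 0 if the certificate may act as an issuing CA: CA:TRUE in basicConstraints
# AND "Certificate Sign" in keyUsage. Returns 1 otherwise.
can_issue_certs() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
  return 0
}

# Human-readable report of both constructed certificates.
for cert in "$CA_PEM" "$LEAF_PEM"; do
  subject=$(openssl x509 -in "$cert" -noout -subject)
  if can_issue_certs "$cert"; then
    echo "$subject -> may issue certificates (CA:TRUE, keyCertSign)"
  else
    echo "$subject -> end-entity only; cannot be used as an intermediate"
  fi
done
```

Run it against a real certificate by replacing the path passed to `can_issue_certs`; a certificate that reports "end-entity only" will not work as an intermediate no matter which CA signed it, so this is worth checking before any purchase or deployment.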