I need to generate a Full Chain using my own csr

Hello everyone, please, I need help generating a full chain certificate using my own CSR, which I generated through Google Certificate Authority Service. I generated a subordinate CA, but it's pending activation.

You can't use a Let's Encrypt certificate for that purpose, and you cannot customise the CSR beyond choosing the key type and the identifiers on it (you can try, but additional fields will be ignored).

You can implement your own private CA using smallstep etc.

4 Likes

Thanks a lot! Do you have any idea if there is any way to make the root certificate in Google Cloud services trusted, then, since it is able to sign the CSR and generate a full chain, but it's self-signed?

2 Likes

Sorry, I'm not aware of any CA that offers this feature (subordinate CA), maybe someone else does. [If anyone would, then possibly DigiCert or similar with their enterprise products.]

3 Likes

There are lots of restrictions on the ability to generate publicly-trusted certificates, because that ability could be so easily abused to impersonate other sites and spy on people's connections. The web browser developers who decide which root certificate authorities are trusted impose lots of policy and audit requirements on the root CAs, and require the root CAs to impose similar requirements on subordinate CAs. You can find out about some of these requirements from cabforum.org or by reading individual browser root program policy documents. Again, it is a lot of rules to follow.

Some of those requirements might be loosened for a subordinate CA with a name constraint (that can only issue publicly trusted certificates for subdomains of a particular domain), but even in this case a commercial CA would probably require a payment and some detailed contractual agreements before issuing the subordinate CA certificate.

3 Likes
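
The name constraint mentioned in the reply above, shown as an added example that is not part of the original thread: a minimal check of certificate DNS names against a subordinate CA's permitted and excluded dNSName subtrees, following the matching rule in RFC 5280 section 4.2.1.10. The function names and all domain names are constructed for illustration.

```python
# Added example: dNSName name-constraint matching per RFC 5280 section 4.2.1.10.
# All domain names below are constructed sample values.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.lower().rstrip(".").split(".")

def within_subtree(dns_name, constraint):
    """True if dns_name equals the constraint or adds labels on its left.

    An empty constraint matches every name, as RFC 5280 specifies.
    """
    if constraint == "":
        return True
    name, base = _labels(dns_name), _labels(constraint)
    # Compare whole labels from the right, so "badexample.com" does not
    # match a constraint of "example.com".
    return len(name) >= len(base) and name[-len(base):] == base

def name_allowed(dns_name, permitted, excluded):
    """Apply permitted and excluded dNSName subtrees to one SAN entry.

    An excluded match always wins. If the CA lists any permitted dNSName
    subtrees, the name must fall inside at least one of them.
    """
    if any(within_subtree(dns_name, c) for c in excluded):
        return False
    if permitted and not any(within_subtree(dns_name, c) for c in permitted):
        return False
    return True

def check_certificate(san_dns_names, permitted, excluded):
    """Return the SAN entries that violate the constraints (empty = OK)."""
    return [n for n in san_dns_names if not name_allowed(n, permitted, excluded)]

if __name__ == "__main__":
    permitted = ["example.com"]
    excluded = ["internal.example.com"]
    sans = ["www.example.com", "example.com", "badexample.com",
            "db.internal.example.com", "www.example.org"]
    for bad in check_certificate(sans, permitted, excluded):
        print("rejected:", bad)
```
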

A few years ago someone tried to price out this type of service with Sectigo (see My own certificate authority). They were quoted at $50k a year.

The details of what they requested are in line with Sectigo's "Subordinate CA Program" - https://www.sectigo.com/resource-library/subordinate-public-ca - which has all the restraints and requirements that @schoen mentioned in his greater comment.

6 Likes
