Letsencrypt & CA

Can I use Let's Encrypt in an advanced architecture, where I issue certificates for my domain users and have them verified by Let's Encrypt (email users), like using S/MIME?
I think I should have something similar to a CA. https://github.com/jsha/minica gives such a tool, but without Online Certificate Status Protocol (OCSP) or a certificate revocation list (CRL).
When I implement these services, an authority should verify my root certificate so I am able to issue many certificates for the users. The root certificate would be for a single domain name only and could issue certificates only for the users in the verified domain, not like any CA that can issue certificates for different domains and is verified to do so by checking its infrastructure.

@malkahtani

What you are talking about is an enterprise CA backed by a public CA.

I don't believe Let's Encrypt currently offers this, but there are other providers that do.

In order to issue your own certificates you would need two things from a public CA:

An intermediate certificate and a private key.

You could then sign your own CSRs and issue certificates from that intermediate.

GlobalSign and a few other paid providers offer this service.

Also have a look at the Amazon Certificate Services: https://aws.amazon.com/certificate-manager/

From my personal research the Amazon option is the most cost effective, but others may know of other options.

I know that Amazon is the most affordable, and it costs $400 a month + $0.75 for each certificate (fewer than 1,000), approximately $750 a month, or $0.35 if more than 1,000, which makes it $350.35 a month, or $10.001 each month for over 10,000 certificates. Thus, for a small business it is costly, 400 + 750 = $1,150 a month, and for an enterprise it is $410.001 a month. I was looking for something free for experiments, practicing, education, something that mocks a real large enterprise scenario in production for free, like trying HTTPS for free from Let's Encrypt.

I doubt Let's Encrypt will ever issue free sub-CAs; each sub-CA comes with enormous auditing expenses and requirements for equipment such as an HSM, and puts Let's Encrypt at risk of being distrusted.

Barring any changes to the restrictions on technically constrained sub-CAs, of course, if the CA/B rules ever change.

EDIT: A technically constrained sub-CA would probably be of limited use anyway, because any application that isn't set up to understand the constraining field would reject the certificate, since it would be marked as critical.

The best option in my opinion is either cfssl or smallstep CA for education. Would you like a tutorial? That's what I am running as an internal CA for our stuff :smiley:

I would be grateful if you shared such a tutorial.

I installed SmallStep, but I have a question: does https://smallstep.com/ sign the root certificate and get rid of the warning sign? Or can I get this certificate signed by someone else and make this site trusted?

@malkahtani

You create the root certificate authority, then the intermediate, and then the leaf certs.

Have a look here: https://smallstep.com/docs/getting-started/

Also note that you will need to import your certificates into your trust store.

Yes, I still have a problem with the root certificate, because I still see the intermediate certificate as the signing one for the sub-domains. I do not know how to get the root certificate into the trusted store or validate it with Step Online CA.

admin@ca:~ step certificate inspect --short (step path)/certs/root_ca.crt
X.509v3 Root CA Certificate (ECDSA P-256) [Serial: 2382…7164]
Subject: ca.int-soft.com Root CA
Issuer: ca.int-soft.com Root CA
Valid from: 2020-05-16T02:18:14Z
to: 2030-05-14T02:18:14Z
admin@ca:~ step certificate inspect --short (step path)/certs/intermediate_ca.crt
X.509v3 Intermediate CA Certificate (ECDSA P-256) [Serial: 2109…9290]
Subject: ca.int-soft.com Intermediate CA
Issuer: ca.int-soft.com Root CA
Valid from: 2020-05-16T02:18:24Z
to: 2030-05-14T02:18:24Z
admin@ca:~ step certificate inspect https://ca.int-soft.com --short --roots (step path)/certs/root_ca.crt
X.509v3 TLS Certificate (ECDSA P-256) [Serial: 4410…9459]
Subject: Step Online CA
ca.int-soft.com
Issuer: ca.int-soft.com Intermediate CA
Valid from: 2020-05-16T02:39:07Z
to: 2020-05-17T02:39:07Z

I issued another one for https://sec.int-soft.com:9443/
and it gives me the same warning, similar to keytool / the keystore file (keystore.jks) in Java or the Certificate Manager tool in Windows.

The intermediate is the signing certificate. You can include the root in the chain if you want, but there's no reason to; the browsers will trust or not trust their own set of roots, and your inclusion won't change that.

The process is, root signs intermediate, intermediate signs your site certificate. There's no reason to have a root involved in your cert.

Adding the LE root to a trusted store for a legacy OS/application is a separate thing. Is that what you need?
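The root-signs-intermediate, intermediate-signs-leaf model from the reply that says to create the root, then the intermediate, then the leaf certs, and the point just above that the intermediate is the signing certificate while the root is what the verifier trusts, can both be checked with openssl. The script below is an added example written for this thread; it is not code from smallstep, Let's Encrypt or any poster. Every name in it (Example Root CA, ca.example.test, the file names) is a constructed placeholder, and it assumes a POSIX shell with the openssl command available.

```shell
#!/bin/sh
# Added example, not from the thread: build a three-tier private PKI
# (root -> intermediate -> leaf) with openssl, then check which certificate
# must sit in the trust store and which must be sent with the leaf.
# All names and files are constructed placeholders.
set -eu

# Write a minimal openssl config carrying the extension profiles. Using our
# own config avoids picking up extensions from the system openssl.cnf.
write_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
# subject is supplied with -subj on the command line
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[intermediate_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:ca.example.test
authorityKeyIdentifier = keyid:always
EOF
}

# Issue root, intermediate and leaf certificates into directory $1.
build_pki() {
  dir="$1"; mkdir -p "$dir"; write_config "$dir"; cnf="$dir/openssl.cnf"

  # 1. Self-signed root CA (the only certificate that belongs in a trust store;
  #    in a real deployment its key stays offline).
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
  openssl req -x509 -new -key "$dir/root.key" -out "$dir/root.crt" -days 3650 \
    -subj "/CN=Example Root CA" -config "$cnf" -extensions root_ext >/dev/null 2>&1

  # 2. Intermediate CA: CSR signed by the root; pathlen:0 means it may issue
  #    leaf certificates but no further CAs.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/intermediate.key"
  openssl req -new -key "$dir/intermediate.key" -out "$dir/intermediate.csr" \
    -subj "/CN=Example Intermediate CA" -config "$cnf" >/dev/null 2>&1
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 1825 -extfile "$cnf" \
    -extensions intermediate_ext -out "$dir/intermediate.crt" >/dev/null 2>&1

  # 3. Leaf (server) certificate signed by the intermediate, the way the
  #    "Step Online CA" certificate in the thread is issued.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key"
  openssl req -new -key "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=ca.example.test" -config "$cnf" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.crt" \
    -CAkey "$dir/intermediate.key" -CAcreateserial -days 90 -extfile "$cnf" \
    -extensions leaf_ext -out "$dir/leaf.crt" >/dev/null 2>&1
}

# 0 when the leaf chains to the trusted root via the intermediate supplied as an
# untrusted chain cert: what a client does when the server sends leaf +
# intermediate and the root is in the client's trust store.
chain_verifies() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
    "$1/leaf.crt" >/dev/null 2>&1
}

# 0 only if trusting the intermediate alone sufficed. It does not: a default
# verifier insists on a self-signed root as anchor, so "the intermediate is the
# signing one" does not by itself make the leaf trusted.
intermediate_alone_verifies() {
  openssl verify -CAfile "$1/intermediate.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# 0 only if the root alone, with no intermediate presented, sufficed. It does
# not: no path from root to leaf can be built, which is why the server must send
# the intermediate even though the root never needs to be sent.
root_without_intermediate_verifies() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d); build_pki "$d"
  if chain_verifies "$d"; then echo "root trusted + intermediate sent: OK"; fi
  if ! intermediate_alone_verifies "$d"; then echo "intermediate alone trusted: rejected"; fi
  if ! root_without_intermediate_verifies "$d"; then echo "root trusted, no intermediate sent: rejected"; fi
  rm -rf "$d"
}
demo
```

The three checks map onto the browser warning in the thread: importing root.crt into the trust store is what removes it, the intermediate must be part of the chain the server sends, and neither certificate can stand in for the other.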

Sorry, I just looked at your https://ca.int-soft.com and it’s using a self-signed certificate, not even using LE at all. Are you sure you ran certbot for that site? 9443 doesn’t connect.

I used LE for the link https://int-soft.com/
But I am trying to have a CA and get the root certificate verified, so I can have a certificate for the mail server, the OpenLDAP, and each user in the OpenLDAP, etc. However, I do not know how to get the CA root certificate signed. I know how to generate a signing request for a domain and get it signed by a CA, but not how to generate the signing request for a CA and get it signed by a public CA, like obtaining the VeriSign Class 3 Public Primary Certification or something similar.

If this solution from smallstep does not work, I might try https://blog.cloudflare.com/introducing-cfssl/ from Cloudflare.

Oh, you need private PKI; LE doesn’t offer that in any way, shape, or form. LE will never give you a signing certificate, period.

LE will give you a wildcard cert with the DNS challenge that you could reuse internally, on every device (or alternately map internal names to external ones just to create individual certs), but it’s a fragile solution unless you can completely automate updating certs on every single internal device that uses them.

Whereas if you just create your own internal CA, you can do whatever you want with it, sign anything at any time for as long as you like, set up your own internal ACME server if you like, and never have to worry about outsiders knowing your hostnames.

The OP already did.

Hi @malkahtani,
As @ahaw021 previously said, publicly trusted CAs will not sign your CA certificate for free. So if you want to trust your CA (i.e. dismiss the unknown CA warning), you need to import the root CA certificate into your computer's trust store.
This is an old tutorial on how to import a CA certificate.

Honestly, it's just like how you import a trusted S/MIME or client authorization certificate to Windows. Just a different category.


This way, it will be trusted only for me and people in my organization, not everyone around the world.

That is correct.
Again, there's no free ride to becoming a publicly trusted CA.
Running a CA seems easy, but in reality it costs a lot to stay in compliance with the CA/B regulations. (And you also need to comply with the root CA programs.)

I know it is only about signing the root certificate and then it becomes trusted around the world. What is the cheapest provider for signing the root certificate, and how do I do it?

I want my testing and development environment similar to the production environment.