My own certificate authority

Hi there!
I want to create a new SSL certificate authority, but I need a trusted SSL certificate for my CA. Can ISRG help me in this case?

1 Like

I can't answer for ISRG obviously, but have you realized that running your own public certificate authority costs a lot of money? This is due to the fact that for a public CA to be recognised and trusted, you'd need your entire infrastructure to be audited. And somewhere on the internet I read a WebTrust audit could cost you $ 150 000! That's a lot of money.

And next to the costly audits, you'd need your own secured server rack, hardware security modules and all other kinds of costly stuff.

So even if ISRG would grant a cross-sign (which I doubt, but I can't say for sure of course), they probably would like to know how serious the idea of your publicly trusted CA is and how far you already are in setting it up.

5 Likes

I know about that and I already asked Sectigo support. They told me that it will cost $50,000 per year. I have a VPS from Microsoft.

I'm pretty sure a VPS will not be enough for the strict security requirements to run your own public CA.

6 Likes

A private subca that is publicly trusted will always be extravagantly expensive and come with some pretty serious operational and auditing requirements.

That said, if you just need to make certificates for internal services you can make your own private CA for free, then just distribute the root certificate to all devices you control.

6 Likes

Let's see if the ISRG team allows it or not.

No, Let’s Encrypt does not provide CA certificates to third parties.

If you’re seeking to start a CA that devices or software can be configured to trust, that’s achievable - there are some great free and open source software options, although it’s still a big engineering task.

If your CA needs to be publicly trusted, though, it is a serious undertaking that will need expertise and resources. The CA/Browser Forum’s Baseline Requirements are a good starting point to explore the capabilities you’ll need to have.

12 Likes

I see.

I've lost track of how many times I've shared this link here, but if you want a CA for devices that you control, that's quite straightforward. This link describes doing it on a Raspberry Pi, but the same software should run on just about anything Unix-y:

But as said above, if you need something trusted by the public, you'll need to go through all the relevant steps and pony up some serious money.

8 Likes

Smallstep also offers a hosted version of their CA - step-ca | Easily Manage Certificates For Production Workloads.

Like Let's Encrypt's Boulder, their CA is also open source and freely available.

I am surprised that Sectigo priced out a solution or support at $50k/annually. I wonder if they understood the intent – as that's cheaper than many private corporate CA solutions I've seen.

7 Likes

I'm guessing this is a hosted or custom branded SubCA with either unlimited or a very high number of certificates issued. I doubt it would be terribly expensive for Sectigo to add another CA to their HSM and existing audits or add additional hardware for $50k/year.

But I have no experience with this, it might also just be $50k/year for the cross sign with the hardware and compliance auditing being an additional expense on the customer.

5 Likes

IMHO, 50k is still really cheap for that. I'd imagine there is a rather low number of certs in the base price.

It must be this product/program: https://sectigo.com/resource-library/subordinate-public-ca

6 Likes

...and finally, to address the topic title...

There is no such thing as an "ssl authority".
SSL is something that can be done with a certificate [a requirement for SSL encryption].
The "authority" is the business that provides the certificate(s).
Thus a "Certificate Authority" (CA).
Not an SSL Authority (SA), if that even exists, which sounds more like "an expert witness" than a business.

4 Likes