Sub certification authority?

Hello all,

I have read the quick guide setup, I havent started the process itself, as I am in the planning period.

I would like to know if it is possible to set up a SUB (from letsencrypt root CA) CA managed by a windows server 2016 with the CA role. And be able to dispatch, renew, revoke (all certificate management options) certificates to my servers. So every server and client of mine has its on certificate with the following chain: LetsEncrypt root CA -> (my) labaudric CA -> certificates for servers/clients.

It this something achievable? It is non-sense? Any feedback will be appreciated.


hi @audricd

This has been discussed before and Let’s Encrypt doesn’t want to get involved with sub CAs

It requires a lot of paperwork and manual processes as the sub CA has to comply with all the browser forum rules.


Hello @ahaw021,

Yes, I understand. Maybe sometime in the future; as the project grows every day and being supported by giants, maybe with time… It could be a streamline process. Well I am hoping.

But anyways: Thank you very much for your clear and speedy response!


if you are looking for a CA that does issue Sub CA roots look at GlobalSign



If you control all the end clients, you can always set up an internal CA and just make sure your CA is added to the root store on the clients.

1 Like

yep. thats exactly what i am going to do. safe and all under control

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.