Host our own Root Trusted CA?
Is it possible to purchase a single trusted root cert and set up a CA that chains its certs to the root? We have multiple subdomains hosted on different machines. We would like to buy a single cert from Verisign, Thawte, or Network Solutions and host our own CA. We would want this CA to issue certs that can be used for our public webservices.
June 7th, 2011 2:01pm
Yes, it is possible. This is called Root Certificate Signing. This question was already discussed:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b6e252cc-8213-4f55-ac65-80f069da22af
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 8th, 2011 5:12am
thanks. I'll also mention that MS added a CA that offers free trusted root certificates. See link below for more info.
http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/
June 8th, 2011 8:26am
> http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/
Yes, that's a good one !!! Just a last suggestion, stay AWAY from "Comodo"
June 8th, 2011 9:19am
> http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/
> Yes, that's a good one !!! Just a last suggestion, stay AWAY from "Comodo"
why?
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 8th, 2011 9:28am
> http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/
> Yes, that's a good one !!! Just a last suggestion, stay AWAY from "Comodo"
> why?
Because I tell you so :D - no ok, seriously ...
http://www.microsoft.com/technet/security/advisory/2524375.mspx
http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
http://www.eweek.com/c/a/Security/Fake-SSL-Certificate-Incident-Highlights-Flaws-in-DNS-Comodo-CEO-440985/
http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/
http://threatpost.com/en_us/blogs/mozilla-says-it-erred-not-disclosing-comodo-attack-earlier-032511
http://www.theregister.co.uk/2011/05/24/comodo_reseller_hacked/
and the stuff below is just the "tip" of the iceberg, I may post
more stuff, but I think the above will allow you to understand
why I'm suggesting to avoid "comodo" ... and why Microsoft decided to move over to "someone else" for certain stuff
June 8th, 2011 9:35am
I'm aware of this issue. These certificates were issued by their resellers, and I'm not sure if Comodo allows them to perform root certification signing.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 8th, 2011 1:45pm
On Wed, 8 Jun 2011 12:21:07 +0000, MegaRAM wrote:
> thanks. I'll also mention that MS added a CA that offers free trusted root certificates. See link below for more info.
> http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows
You're a little confused as to what is and is not offered for free by
StartSSL. StartSSL only offers unverified, low assurance SSL certificates
for free. They do not, as you state above, offer free trusted root
certificates.
If you want to host your own issuing CA that chains to a public root, then
you're looking at their StartCom Intermediate Certificate Authority Program
which is not free, and the intermediate CA is hosted by StartSSL. It also
isn't clear from their web site whether or not these certs actually chain
to a publicly trusted root or not. It would appear that their Class 3
certificates do so, however, it isn't clear whether or not their Class 1
certs do.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Binary: Possessing the ability to have friends of both sexes.
June 9th, 2011 3:37am
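Whether a given certificate actually chains to a publicly trusted root, the open question in the post above, can be checked on a Windows machine with the .NET X509Chain class. This is an added example, not part of the original thread; the function name Get-CertChainReport and the file name server.cer are assumptions.

```powershell
# Added example (not from the thread): list every certificate in the chain that
# Windows builds for a given .cer file and say whether the chain ends in a trusted root.
function Get-CertChainReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Path).Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation checking so the result reflects chaining and trust only.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() returns $true only when the chain validates up to a root that is
    # present in the Windows trusted root store under the policy set above.
    $trusted = $chain.Build($cert)

    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $element = $chain.ChainElements[$i]
        $c       = $element.Certificate

        # Basic Constraints (OID 2.5.29.19) is the extension that marks a CA certificate
        # and optionally limits how many further CA levels may sit below it.
        $bc = $c.Extensions['2.5.29.19'] -as [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        $pathLength = $null
        if ($bc -and $bc.HasPathLengthConstraint) { $pathLength = $bc.PathLengthConstraint }

        # Per-element problems such as UntrustedRoot or PartialChain show up here.
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }

        [pscustomobject]@{
            Position     = $i                        # 0 = the certificate that was checked
            Subject      = $c.Subject
            Issuer       = $c.Issuer
            IsCA         = [bool]($bc -and $bc.CertificateAuthority)
            PathLength   = $pathLength
            SelfSigned   = ($c.Subject -eq $c.Issuer) # expected only for the last element
            Status       = $status
            ChainTrusted = $trusted
        }
    }
}

# server.cer is a placeholder for a certificate exported from the site in question.
# Get-CertChainReport -Path .\server.cer | Format-Table -AutoSize
```

A chain whose last element is self-signed with Status OK ends in a root trusted by this machine; UntrustedRoot or PartialChain on any element means it does not.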
> I'm aware of this issue. These certificates were issued by
> their resellers, and I'm not sure if Comodo allows them to perform
> root certification signing.
The links I posted refer to a couple of the latest issues with
Comodo; there are more, just a matter of seeking past issues;
as for my "stay away", it's my personal opinion, see, given
those past records (and the issues I posted) and given the
kind of reactions from Comodo, I'm sorry to say I can't trust
them hence my suggestion; then, that's just me, and anyone
is, by the way, free to decide otherwise
June 9th, 2011 3:38am
On Wed, 8 Jun 2011 13:30:20 +0000, ObiWan wrote:
> and why Microsoft decided to move over to "someone else" for certain stuff
To be pedantic, Microsoft made no such decision. Whether or not an
organization's root CA is part of the Microsoft Root Certificate Program is
not something Microsoft decides, it is something the vendor in question
decides to apply for.
http://technet.microsoft.com/en-us/library/cc751157.aspx
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Thrashing is just virtual crashing.
June 9th, 2011 3:41am
> To be pedantic, Microsoft made no such decision.
> Whether or not an organization's root CA is part of
Hm... ok, I stand corrected ... going to wear the dunce cap and sit in a
corner for a while
June 9th, 2011 5:18am