Host our own Root Trusted CA?
Is it possible to purchase a single trusted root cert and set up a CA that chains its certs to the root? We have multiple subdomains hosted on different machines. We would like to buy a single cert from Verisign, Thawte, or Network Solutions and host our own CA. We would want this CA to issue certs that can be used for our public web services.
June 7th, 2011 2:01pm

Yes, it is possible. This is called Root Certificate Signing. This question was already discussed: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b6e252cc-8213-4f55-ac65-80f069da22af
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 8th, 2011 5:12am

Thanks. I'll also mention that MS added a CA that offers free trusted root certificates. See link below for more info.
http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/
June 8th, 2011 8:26am

> http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/

Yes, that's a good one!!! Just a last suggestion, stay AWAY from "Comodo"
June 8th, 2011 9:19am

> http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/
> Yes, that's a good one!!! Just a last suggestion, stay AWAY from "Comodo"

Why?
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 8th, 2011 9:28am

> http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/
> Yes, that's a good one!!! Just a last suggestion, stay AWAY from "Comodo"
> Why?

Because I tell you so :D - no ok, seriously ...

http://www.microsoft.com/technet/security/advisory/2524375.mspx
http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
http://www.eweek.com/c/a/Security/Fake-SSL-Certificate-Incident-Highlights-Flaws-in-DNS-Comodo-CEO-440985/
http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/
http://threatpost.com/en_us/blogs/mozilla-says-it-erred-not-disclosing-comodo-attack-earlier-032511
http://www.theregister.co.uk/2011/05/24/comodo_reseller_hacked/

and the stuff below is just the "tip" of the iceberg, I may post more stuff, but I think the above will allow you to understand why I'm suggesting to avoid "comodo" ... and why Microsoft decided to move over to "someone else" for certain stuff
June 8th, 2011 9:35am

I'm aware of this issue. These certificates were issued by their resellers, and I'm not sure if Comodo allows them to perform root certification signing.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 8th, 2011 1:45pm

On Wed, 8 Jun 2011 12:21:07 +0000, MegaRAM wrote:

> Thanks. I'll also mention that MS added a CA that offers free trusted root certificates. See link below for more info.
> http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows

You're a little confused as to what is and is not offered for free by StartSSL. StartSSL only offers unverified, low assurance SSL certificates for free. They do not, as you state above, offer free trusted root certificates. If you want to host your own issuing CA that chains to a public root, then you're looking at their StartCom Intermediate Certificate Authority Program which is not free, and the intermediate CA is hosted by StartSSL. It also isn't clear from their web site whether or not these certs actually chain to a publicly trusted root or not. It would appear that their Class 3 certificates do so, however, it isn't clear whether or not their Class 1 certs do.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Binary: Possessing the ability to have friends of both sexes.
June 9th, 2011 3:37am

> I'm aware of this issue. These certificates were issued by their resellers, and I'm not sure if Comodo allows them to perform root certification signing.

The links I posted refer to a couple of the latest issues with Comodo; there are more, just a matter of seeking past issues; as for my "stay away", it's my personal opinion, see, given those past records (and the issues I posted) and given the kind of reactions from Comodo, I'm sorry to say I can't trust them, hence my suggestion; then, that's just me, and anyone is, by the way, free to decide otherwise.
June 9th, 2011 3:38am

On Wed, 8 Jun 2011 13:30:20 +0000, ObiWan wrote:

> and why Microsoft decided to move over to "someone else" for certain stuff

To be pedantic, Microsoft made no such decision. Whether or not an organization's root CA is part of the Microsoft Root Certificate Program is not something Microsoft decides, it is something the vendor in question decides to apply for. http://technet.microsoft.com/en-us/library/cc751157.aspx

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Thrashing is just virtual crashing.
June 9th, 2011 3:41am

> To be pedantic, Microsoft made no such decision. Whether or not an organization's root CA is part of

Hm... ok, I stand corrected ... going to wear the dunce cap and sit in a corner for a while
June 9th, 2011 5:18am

This topic is archived. No further replies will be accepted.
