A third-party API we're hoping to work with needs a client certificate for authentication of our backend servers. However, contrary to (as I understand it) the general practice of using self-signed certificates, they are asking for a certificate issued by a trusted CA.<p>I've gotten in touch with a few of the largest SSL certificate providers, and all but one of them has responded to my query so far.<p>The one that responded has quoted a price > USD 2K for what they call "PKI infrastructure" setup, and around $50 for each generated certificate. The $50 is fine, the $2K is too much IMHO.<p>Has anyone on HN dealt with such requirements before? If so, which certificate vendor did you end up using, and what was the approximate costing and general experience?
It's pretty weird for an API to ask for a client certificate.<p>We have client certificate authentication in one of our projects. We hold the root CA key (self-signed), and this key is used to sign intermediate certificates, whose root private keys are held by our resellers. They issue client certificates, so we can easily find the reseller and end user.<p>With a public CA issuing client certificates, I wonder how you can authenticate clients at all, because any root CA can issue certificates now.<p>Or perhaps they are asking for S/MIME certificates?
Depending on the criticality of your protected service, you could probably just be your own Certificate Authority, and publish the root certificate internally. How many machines are we talking about?<p>A local PKI is probably overkill. Do you intend to give every single coworker a certificate on their own smartcard? If not, PKI is most probably not needed.<p>https://github.com/OpenVPN/easy-rsa + two USB thumb drives in a safe (primary + backup) + one off-site in another safe.<p>Client certificates are kind of hard to ask a global PKI for, because you usually use some internal names, not public FQDNs...
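The root -> reseller intermediate -> client chain described in the second comment, and the "be your own CA" suggestion in the third, as an added Go example (not code from the thread or from easy-rsa): the API server trusts only the root it operates, so a certificate with the same subject name issued by any other CA, public or not, is rejected. All CA and client names, lifetimes and serials are constructed for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue creates a certificate for cn (constructed names), self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign } // only CAs may sign further certificates
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; use random serials in production
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     ku,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// VerifyClient is the server-side check: accept a client cert only if it chains, via the
// presented reseller intermediate, to the root we operate. No public CA is in the trusted pool.
func VerifyClient(ourRoot, intermediate, client *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ourRoot)
	inters.AddCert(intermediate)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
// Demo builds root -> reseller intermediate -> client, plus a client issued by an unrelated root.
func Demo() (ownAccepted, foreignRejected bool) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Reseller A Intermediate CA", true, root, rootKey)
	client, _ := issue("customer-42", false, inter, interKey)
	otherRoot, otherKey := issue("Some Other Root CA", true, nil, nil)
	foreign, _ := issue("customer-42", false, otherRoot, otherKey)
	return VerifyClient(root, inter, client) == nil, VerifyClient(root, inter, foreign) != nil
}
func main() { fmt.Println(Demo()) } // prints: true true
```

Because the reseller intermediate is part of the presented chain, a rejected or accepted certificate is attributable to a specific reseller, which is the traceability the second comment describes.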