Hello,
This may be a long shot, but no harm in asking, right?
Does anyone have any experience in creating a trusted certificate authority? Creating all the needed infrastructure, guidelines and submissions to get the root certificate included in all major browsers, OSs, devices, etc.
And would they be interested in a new project?
If so please message me.
Shitpost: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=647959" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=647959</a><p>Running a CA is not easy, and getting your root certificates included in trusted roots is even harder.<p>For the technical aspects of it, you will need an HSM for the root certificates you generate, OCSP servers, a CRL mechanism, and the signing server. Many enterprises already run their own private CA, and there is plenty of free and open source software.<p>The difficult part is convincing root CA programs. Mozilla, Google, and Apple would be the start, but I suppose Curl/Java/Debian (which sync with Mozilla) will take some time to catch up too. You need to be audited (by firms like KPMG, and they don't come cheap), and they expect a certain level of transparency.<p>Why would you want to become a CA in the first place? Amazon and cPanel are root CAs that issue certificates for free. Let's Encrypt is free and issues certificates to everyone. I don't think there's any financial profit to be made anymore.
Two things:<p>1) You have no contact info in your profile.<p>2) As throwaway pointed out, this is an expensive task to undertake and, at least based on your post, it's not clear what you hope to gain from building another CA that's sufficiently trustworthy to be accepted into the Web PKI root stores. Beyond free certs (Let's Encrypt), your needs might also be satisfied by something like DigiCert's Dedicated Intermediate program [1], where they will build and manage a "sub-CA" (subordinate CA) for you that chains up to their widely trusted roots. This allows you to control certificates issued under that sub-CA (as long as your requests also fall within the Baseline Requirements) but saves you from the management and compliance overhead of a truly new CA.<p>[1] <a href="https://www.digicert.com/dedicated-intermediate/" rel="nofollow">https://www.digicert.com/dedicated-intermediate/</a>
Considering all of the, uh, <i>interesting</i> goings-on that have happened in the CA world over the past few years, the first thing you need is trust and transparency. Buckets of it. Preferably your own personal waterfall.<p>I get the impression you may not be aware of the fairly unbounded levels of paranoia and suspicion that make up the bulk of public (personal and corporate) opinion about CA trustworthiness.<p>You very obviously have a motivation and agenda to post here, and for the sake of simplicity I trust that this is benign. But not actually documenting that rationale, let alone adding some reassuring arguments, kind of comes across to me as Step #1 in How To Successfully Not Succeed At Being A CA.
The technology side is super easy if you know what you are doing. Getting your cert into the browsers is the problem. It's a political / sales & marketing type of problem. Why should they? You need a pretty convincing answer. Because it's pretty hard to motivate Google or Microsoft with the offer of a cash payment.
It depends on what you mean but getting a cert into OSs / devices should be a lot easier.
I'd be more optimistic if you had included a note that you know the history of CAcert (<a href="https://en.wikipedia.org/wiki/CAcert.org" rel="nofollow">https://en.wikipedia.org/wiki/CAcert.org</a>) and have a plan on how to tackle the issues that prevented its roots from getting into the common trust stores.
It's something only a handful of people have done, and realistically you'll need a certain amount of business cred to be seen as a plausible CA. And it's hard to compete with Let's Encrypt...
I'm no expert on creating a CA. The Changelog recently had an episode on Let's Encrypt. It covered a lot about how Let's Encrypt got started. Quite an amazing job; I think you should listen to it or at least read the transcript.<p><a href="https://changelog.com/podcast/389" rel="nofollow">https://changelog.com/podcast/389</a>
What's your plan? Creating something in the style of Let's Encrypt (all free, all open source) or in the style of Comodo/Verisign/etc. (paid, closed source)?<p>You might start using software like PrimeKey EJBCA (Enterprise Edition), Microsoft Windows Server 2019 with Certification Authority, or some of the wrappers around OpenSSL that are available online.
Other commenters have already covered the political/financial difficulties of this, so I won't mention those.<p>However, the journey of CertSimple may be marginally relevant to what you're proposing.<p>They were a small CA focusing entirely on the easy issuance of Extended Validation certs.<p>Disregarding the fact that EV never actually had any proven value (except for some code signing use cases), they did have a nice little business.<p>As far as I know it was a one-person company at first, and they were able to piggyback off the infrastructure of an existing CA. I can't remember whether it was an intermediate cert or simply reselling.<p>I was going to link to them but they seem to have shut down or been absorbed into another company.
Start by being a reseller.<p><a href="https://www.namecheap.com/resellers/ssl-certificates/how-it-works/" rel="nofollow">https://www.namecheap.com/resellers/ssl-certificates/how-it-...</a>
You'll probably want to read the Mozilla Root Store Policy [0], if you haven't already.<p>Oh, and be prepared to spend tens or hundreds of thousands of dollars over the next few years while this process plays out and your CA certificate actually gets added to the root store in the various browsers.<p>---<p>[0]: <a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/" rel="nofollow">https://www.mozilla.org/en-US/about/governance/policies/secu...</a>
Like everyone else is saying, this is something that will cost you millions of dollars in startup costs in order to compete with a product (Let's Encrypt) that's free of charge.
Ignore anyone telling you that what you propose is technically difficult. It is not.<p>The code for what you want to do has been baked into Windows Server since 2008. It also exists in OpenSSL.<p>The CA part is easy. The "getting the world to trust your CA" part is what most would call "difficult".<p>If you can do the latter, a lot of people here can do the former, and you will likely succeed.<p>If you cannot do the latter, you will likely fail in the effort.
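To make the "the CA part is easy" claim concrete, and to show the pieces the earlier comments list (a root that signs only intermediates, a subordinate issuing CA with pathlen:0 in the style of a dedicated sub-CA, a CRL, and a chain check against the root alone), here is an added example that is not code from any commenter or from any real CA. It assumes only an `openssl` binary (1.1.1 or later) on PATH; every name, subject and directory in it is hypothetical. The root key is kept on disk here purely for the demo; in a real CA it lives in an HSM on an offline host.

```shell
#!/bin/sh
# Added example (not from the thread): a two-tier CA driven entirely by the
# openssl CLI. The root signs only the issuing CA; the issuing CA signs
# leaf certs, revokes them and publishes a CRL. All names are hypothetical.
set -eu

# One config file serves `req` (DN), `x509 -req` (CA extensions) and
# `ca` (issuing-CA database, leaf extensions, CRL settings).
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = overridden-by-subj
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ int_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = issuing
[ issuing ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/int.crt
private_key = $dir/int.key
default_md = sha256
default_days = 90
default_crl_days = 7
unique_subject = no
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
organizationName = optional
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.test
EOF
}

# Root key and self-signed root cert (in a real CA: HSM, offline host).
make_root() (
  cd "$1"
  openssl ecparam -genkey -name prime256v1 -noout -out root.key
  openssl req -new -x509 -config ca.cnf -key root.key -days 3650 -sha256 \
    -subj "/O=Example Trust/CN=Example Root CA" -extensions root_ext -out root.crt
)

# Issuing CA: CSR signed by the root with pathlen:0, plus the `openssl ca` database.
make_issuing_ca() (
  cd "$1"
  openssl ecparam -genkey -name prime256v1 -noout -out int.key
  openssl req -new -config ca.cnf -key int.key \
    -subj "/O=Example Trust/CN=Example Issuing CA 1" -out int.csr
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ca.cnf -extensions int_ext -out int.crt
  mkdir -p newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
)

# Leaf (server) certificate issued by the intermediate, never by the root.
issue_leaf() (
  cd "$1"
  openssl ecparam -genkey -name prime256v1 -noout -out leaf.key
  openssl req -new -config ca.cnf -key leaf.key -subj "/CN=www.example.test" -out leaf.csr
  openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.crt
)

build_pki() { write_config "$1"; make_root "$1"; make_issuing_ca "$1"; issue_leaf "$1"; }

# What a relying party does: trust root.crt only, get int.crt from the handshake.
verify_leaf() (
  cd "$1" && openssl verify -CAfile root.crt -untrusted int.crt leaf.crt
)

# Revoke the leaf and publish a CRL signed by the issuing CA.
revoke_leaf() (
  cd "$1"
  openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise
  openssl ca -config ca.cnf -gencrl -out int.crl
)

# Same chain check, but consulting the CRL: fails once the leaf is revoked.
verify_leaf_with_crl() (
  cd "$1" && openssl verify -crl_check -CAfile root.crt -CRLfile int.crl \
    -untrusted int.crt leaf.crt
)

# `sh this.sh demo`: build in a temp dir, verify before and after revocation.
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); build_pki "$d"
  verify_leaf "$d"
  revoke_leaf "$d"
  verify_leaf_with_crl "$d" || echo "revocation detected via CRL"
fi
```

Note what the last two functions show together: after revocation, `verify_leaf` (no CRL) still reports the chain as OK, while `verify_leaf_with_crl` rejects it. Signing is the easy part; the operational burden a root program cares about is keeping CRLs and OCSP responders published, fresh and reachable so that relying parties actually see the revocation.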
You'll want to study the Baseline Requirements and join the various forums such as MozDevSecurityPolicy (MDSP). Do you have a business plan for this month, year, next year, 2 years out? Are you ready to not sleep and hate yourself for an undetermined time as you get this thing bootstrapped?