I think the below resources are a good start.<p>This makes me curious: Do you have a specific goal in mind?<p><a href="https://github.com/mozilla/pkipolicy">https://github.com/mozilla/pkipolicy</a><p><a href="https://www.ccadb.org/" rel="nofollow">https://www.ccadb.org/</a><p><a href="https://cabforum.org/" rel="nofollow">https://cabforum.org/</a>
The difficult part of running a ca is convincing others you’re trustworthy. You need to have your business processes audited but an independent third party and then wait for your root to be adopted and deployed in browsers.<p>The value in exiting providers is their reach; versign for example is deployed in practically every trusted root bundle. When GoDaddy wanted to enter the market, they bought Starfield who already had a root which was widely trusted and crossed that with their own.<p>The reason people will pay for you to compute a number based on a number they give you and your super secret number is that people trust what you’re doing with your super secret number. And that trust takes time.