Re: Self-issued certificates and commercial certificates.

From: Alun Jones [MS MVP] (alun_at_texis.invalid)
Date: 05/01/04


Date: Sat, 01 May 2004 13:24:55 GMT

In article <c6trlf$28n$1@news.f.de.plusline.net>, "Lord Amoeba"
<lordamoeba@hotmail.com> wrote:
>First of all, sorry, but I'm just getting started with certificate-based
>security, and I may not understand all the concepts yet. Here's my
>question: can one obtain a root certificate from a commercial authority like
>Verisign and then self-issue certificates that would point back to the
>commercial cert in the certification chain? Is such a hybrid possible?
>This is solely for SSL purposes.

You can obtain a CA certificate from Verisign, but I think you'll find it
costs a lot of money.

A root CA certificate is simply a CA certificate that is installed directly
at the host computer as a "trusted root", rather than one that has to refer
up a chain to another CA that is a trusted root.

To get a root CA into Windows, you'd need to contact Microsoft and spend
some time and money convincing them that your CA is going to be acceptably
run, so that they can add you to the next round of Internet Explorer
updates.

It sounds like you are just looking for a CA certificate from Verisign (or
some other CA).

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
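The distinction drawn in the reply above, as an added example that is not part of the original post: a leaf certificate is accepted when its issuer is a CA certificate that chains to (or is itself installed as) a trusted root, and rejected when the issuer is an uninstalled self-signed root or an ordinary non-CA server certificate. Assumptions: every name is constructed, Go's `crypto/x509` verifier stands in for the client, and its `Roots` pool stands in for the host's trusted-root store.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a certificate for cn signed by parent (nil parent = self-signed). Names are constructed.
func issue(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return &tls.Certificate{Leaf: must(x509.ParseCertificate(der)), PrivateKey: key}
}

// trusts: does a client whose only trusted root is anchor accept leaf when the server also sends sent?
func trusts(leaf, sent, anchor *tls.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(anchor.Leaf)
	opts.Intermediates.AddCert(sent.Leaf)
	_, err := leaf.Leaf.Verify(opts)
	return err == nil
}

func main() {
	root, own := issue("Commercial Root", true, nil), issue("In-house Root", true, nil)
	sub, site := issue("Customer CA", true, root), issue("www.example.test", false, root)
	fmt.Println("issued by CA cert under commercial root:", trusts(issue("a.test", false, sub), sub, root))
	fmt.Println("same CA cert installed as trusted root: ", trusts(issue("a.test", false, sub), sub, sub))
	fmt.Println("issued by uninstalled in-house root:    ", trusts(issue("b.test", false, own), own, root))
	fmt.Println("issued with an ordinary server cert:    ", trusts(issue("c.test", false, site), site, root))
}
```

The last case fails because the issuing certificate's basicConstraints extension does not mark it as a CA, which is why an ordinary SSL server certificate cannot be used to issue further certificates.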

