
Ask HN: Looking for someone to help create a trusted CA - PixelPaul
Hello,
This may be a long shot, but no harm in asking, right?
Does anyone have any experience in creating a trusted certificate authority: creating all the needed infrastructure, guidelines and submissions to get the root certificate included in all major browsers, OSs, devices etc.?
And would they be interested in a new project?
If so please message me.
======
Ayesh
Shitpost:
[https://bugzilla.mozilla.org/show_bug.cgi?id=647959](https://bugzilla.mozilla.org/show_bug.cgi?id=647959)

Running a CA is not easy, and getting your root certificates included in
trusted roots is even harder.

For the technical aspects of it, you will need an HSM for the root
certificates generated, OCSP servers, a CRL mechanism, and the signing server.
Many enterprises already run their own private CA, and there is plenty of
free and open source software.

The difficult part is convincing root CA programs. Mozilla, Google, and Apple
would be the start, but I suppose Curl/Java/Debian (which sync with Mozilla)
will take some time to catch up too. You need to be audited (by firms like
KPMG and they don't come cheap), and they expect a certain level of
transparency.

Why would you want to become a CA in the first place? Amazon and cpanel are
root CAs that issue certificates for free. LetsEncrypt is free and issues
certificates to everyone. I don't think there's any financial profit to be
made anymore.

~~~
nurettin
> LetsEncrypt is free and issues certificates to everyone

When using free providers, you will notice that the issued to -> organization
field will be empty. Free providers do not compete with company validating
trust authorities. They are just developer tools.

~~~
deadbunny
What nonsense. Extended validation schemes are snake oil peddled by CAs to
make more money.

~~~
nurettin
It is all nonsense until money is involved and customers want to know that the
advertised website actually belongs to your legal entity.

~~~
dividuum
Does not help in any real way. See [https://arstechnica.com/information-technology/2017/12/nope-...](https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/) for an example.

~~~
mehrdadn
There's a huge difference between "it isn't impossible to bypass" and "does
not help in any real way".

~~~
dividuum
The only reason to get EV certs is the supposedly "safe" green organization
field. As demonstrated it can be circumvented by anyone with minimal monetary
motivation. Why even bother in that case? I rate that as "does not help in any
real way".

~~~
mehrdadn
> As demonstrated it can be circumvented by anyone with minimal monetary
> motivation. Why even bother in that case?

Same goes for the lock on your door. Why do you bother? Just take it off.

~~~
dividuum
I never said that. The alternative isn't no lock of course. It's the free lock
that's equally safe to the one with the green "this is safe" sticker that you
pay a premium for.

~~~
mehrdadn
You do realize the "lock" in this analogy that you claimed "does not help in
any real way" is the EV, not the encryption?

~~~
dividuum
I'm not going to continue this argument as it seems pointless. There's a
reason Chrome and others moved away from prominently showing EV properties:

[https://chromium.googlesource.com/chromium/src/+/HEAD/docs/s...](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md)

~~~
mehrdadn
There most certainly was a reason, just not _your_ reason (circumvention).
Read the page you linked to. It literally says "users did not notice it",
"users do not notice their absence", "users do not react as intended to
positive or neutral security UI". It was user-focused. Not attacker-focused.

But I do agree it's pointless to keep continuing this.

------
woodrow
Two things:

1) You have no contact info in your profile.

2) As throwaway pointed out, this is an expensive task to undertake and, at
least based on your post, it's not clear what you hope to gain from building
another CA that's sufficiently trustworthy to be accepted into the Web PKI
root stores. Beyond free certs (Let's Encrypt), your needs might also be
satisfied by something like Digicert's Dedicated Intermediate program [1]
where they will build and manage a "sub-CA" (subordinate CA) for you that
chains up to their widely trusted roots. This allows you to control
certificates issued under that sub-CA (as long your requests also fall within
the baseline requirements) but saves you from the management and compliance
overhead of a truly new CA.

[1] [https://www.digicert.com/dedicated-intermediate/](https://www.digicert.com/dedicated-intermediate/)

~~~
PixelPaul
Thanks for the DigiCert link. Are there other CAs that offer the same service
that you know of? As DigiCert is very very very expensive as they target the
top end enterprise.

~~~
toast0
You haven't told us why you want to be a CA?

What is it that you want to do, that you think you can do as a CA, but not as
a customer/reseller of a CA?

In my experience as a CA customer, DigiCert is certainly expensive, but with
that expense comes quite a bit of flexibility. Flexibility that might be able
to meet your needs. Anyway, I would be amazed if the sub CA from Digicert
program is more expensive than running a full blown CA, including the time and
effort to get the CA into trust stores.

Plus, you're going to need to get a CA to sign your root / your intermediates
while you wait for all the trust stores your customers care about to get
updated; and by get updated, I really mean for your customers' customers to
throw away their old devices. Your average Android device gets zero software
updates, and lasts up to 7 years in your customers' customers hands, and who
knows how many years behind upstream the manufacturer was when they built the
thing.

------
exikyut
Considering all of the, uh, _interesting_ goings-on that have happened in the
CA world over the past few years, the first thing you need is trust and
transparency. Buckets of it. Preferably your own personal waterfall.

I get the impression you may not be aware of the fairly unbounded levels of
paranoia and suspicion that make up the bulk of public (personal and
corporate) opinion about CA trustworthiness.

You very obviously have a motivation and agenda to post here, and for the sake
of simplicity I trust that this is benign. But not actually documenting that
rationale, let alone adding some reassuring arguments, kind of comes across to
me as Step #1 in How To Successfully Not Succeed At Being A CA.

------
grizzles
The technology side is super easy if you know what you are doing. Getting your
cert into the browsers is the problem. It's a political / sales & marketing
type of problem. Why should they? You need a pretty convincing answer. Because
it's pretty hard to motivate Google or Microsoft with the offer of a cash
payment. It depends on what you mean but getting a cert into OSs / devices
should be a lot easier.

~~~
duskwuff
> The technology side is super easy if you know what you are doing.

There are some nontrivial technical aspects which will be required if you want
any certificate stores (browsers, operating systems, etc) to take you
seriously.

Running `openssl ca` a few times won't cut it. You'll need an honest-to-god HSM
to store your root keys in, a witnessed procedure for generating those keys,
and some ironclad policies on access to those keys. This isn't something you
can half-ass and fix later; if there's any doubt about who might have access
to the root keys, the CA will never be trusted.
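The pieces Ayesh and duskwuff list (a root key that signs only the intermediate, an issuing CA, a CRL, and a relying party that checks the chain against a trust store), plus nurettin's point about the subject organization field, as one added example written for this thread. It is not code from the thread or from any CA product mentioned in it, and it assumes only Go's standard library; all names (the CA common names, the hostnames and organization) are constructed. Keys are in-memory ECDSA keys here, which is exactly the shortcut duskwuff says a real CA cannot take.

```go
// Added example (not from the thread or any CA product it mentions): a three-tier
// private CA on Go's standard library. Keys are in memory here, not in an HSM.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a certificate with the private key that signs under it.
type CA struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// serial draws a random 127-bit serial; predictable serials are a CA failing.
func serial() *big.Int { return must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))) }

// issue signs template with parent's key, or self-signs it when parent is nil.
func issue(template *x509.Certificate, key *ecdsa.PrivateKey, parent *CA) *x509.Certificate {
	parentCert, signer := template, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parentCert, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// NewCA makes a CA valid for years; maxPathLen caps how many CAs may sit below it
// (0 for an issuing intermediate); a nil parent means a self-signed root.
func NewCA(cn string, years, maxPathLen int, parent *CA) *CA {
	now := time.Now().Add(-time.Minute) // small backdate tolerates clock skew
	ca := &CA{Key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	ca.Cert = issue(&x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: maxPathLen, MaxPathLenZero: maxPathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, ca.Key, parent)
	return ca
}

// IssueLeaf issues a 90-day server certificate; org is empty for DV and set for OV.
func (ca *CA) IssueLeaf(host, org string) *x509.Certificate {
	now := time.Now().Add(-time.Minute)
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: now.AddDate(0, 0, 90), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	return issue(tmpl, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), ca)
}

// Verify checks leaf -> intermediate -> root for host against the trust store
// roots; pass none to model a root that no store has admitted yet.
func Verify(leaf *x509.Certificate, intermediate *CA, host string, roots ...*CA) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r.Cert)
	}
	interPool.AddCert(intermediate.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	return err
}

// RevocationList signs a CRL naming the given certificates as revoked.
func (ca *CA) RevocationList(number int64, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().AddDate(0, 0, 7)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key))))
}

// Revoked reports whether cert's serial is on a CRL that issuer actually signed.
func Revoked(crl *x509.RevocationList, issuer *CA, cert *x509.Certificate) bool {
	if crl.CheckSignatureFrom(issuer.Cert) != nil {
		return false // unsigned or foreign CRL: ignore it, never trust it
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	root := NewCA("Example Private Root CA", 20, 1, nil)
	inter := NewCA("Example Issuing CA 1", 5, 0, root)
	leaf := inter.IssueLeaf("shop.example.test", "Example Corp")
	fmt.Println("trusted chain:", Verify(leaf, inter, "shop.example.test", root))
	fmt.Println("root not in store:", Verify(leaf, inter, "shop.example.test"))
	fmt.Println("revoked:", Revoked(inter.RevocationList(1, leaf), inter, leaf))
}
```

The second `Verify` call is the thread's whole problem in one line: the chain is cryptographically perfect, and it still fails because the root is not in the relying party's pool. The root key is used exactly once, to sign the intermediate, which is the separation that lets a real operator keep it offline in an HSM while the issuing CA, OCSP responders and CRL signer run online.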

------
throwaway888abc
Relevant [https://letsencrypt.org/2016/09/20/what-it-costs-to-run-lets...](https://letsencrypt.org/2016/09/20/what-it-costs-to-run-lets-encrypt.html)

------
slrz
I'd be more optimistic if you had included a note that you know the history of
CAcert
([https://en.wikipedia.org/wiki/CAcert.org](https://en.wikipedia.org/wiki/CAcert.org))
and have a plan on how to tackle the issues that prevented its roots from
getting into the common trust stores.

------
pjc50
It's something only a handful of people have done, and realistically you'll
need a certain amount of business cred to be seen as a plausible CA. And it's
hard to compete with Let's Encrypt...

------
frogcoder
I'm no expert on creating a CA. The changelog recently has an episode on Let's
Encrypt. It covered a lot about how Let's Encrypt got started. Quite an
amazing job, I think you should listen to it or at least read the transcript.

[https://changelog.com/podcast/389](https://changelog.com/podcast/389)

------
mister_hn
What's your plan? Creating something in the style of Let's Encrypt (all free,
all open source) or in the style of Comodo/Verisign/etc. (Paid, closed
source)?

You might start using software like PrimeKey Ejbca (Enterprise Edition),
Microsoft Server 2019 with Certification Authority or some wrappers around
openssl that are available online.

------
larsrc
Wait - you're asking random strangers to help you create one of the
cornerstones of trust on the internet?

------
jamieweb
Other commenters have already covered the political/financial difficulties of
this, so I won't mention those.

However, the journey of CertSimple may be marginally relevant to what you're
proposing.

They were a small CA focusing entirely on the easy issuance of Extended
Validation certs.

Disregarding the fact that EV never actually had any proven value (except for
some code signing use cases), they did have a nice little business.

As far as I know it was a one-person company at first, and they were able to
piggyback off the infrastructure of an existing CA. I can't remember whether
it was an intermediate cert or simply reselling.

I was going to link to them but they seem to have shut down or been absorbed
into another company.

~~~
exikyut
Yup, absorbed into
[https://expeditedsecurity.com/certsimple/](https://expeditedsecurity.com/certsimple/)

------
phonon
Start by being a reseller.

[https://www.namecheap.com/resellers/ssl-certificates/how-it-...](https://www.namecheap.com/resellers/ssl-certificates/how-it-works/)

~~~
PixelPaul
Not exactly what I asked or what is wanted, sorry. Plus namecheap are terrible
as a reseller.

~~~
stedaniels
Being a reseller puts you in the path to being a trusted CA.

------
jlgaddis
You'll probably want to read the Mozilla Root Store Policy [0], if you haven't
already.

Oh, and be prepared to spend tens or hundreds of thousands of dollars over the
next few years while this process plays out and your CA certificate actually
gets added to the root store in the various browsers.

---

[0]: [https://www.mozilla.org/en-US/about/governance/policies/secu...](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)

------
cjbprime
Like everyone else is saying, this is something that will cost you millions of
dollars in startup costs in order to compete with a product (Let's Encrypt)
that's free of charge.

------
zupreme
Ignore anyone telling you that what you propose is technically difficult. It
is not.

The code for what you want to do has been baked into Windows Server since
2008. It also exists in OpenSSL.

The CA part is easy. The “getting the world to trust your CA” is the part most
would call “difficult”.

If you can do the latter, A LOT of people here can do the former, and you will
likely succeed.

If you cannot do the latter, you will likely fail in the effort.

~~~
oarsinsync
The CA part is incredibly easy if you don’t need to consider security.

The difficulty then ramps up the more secure you want (or need) it to be.

------
pgporada
You'll want to study the Baseline Requirements and join the various forums
such as MozDevSecurityPolicy (MDSP). Do you have a business plan for this
month, year, next year, 2 years out? Are you ready to not sleep and hate
yourself for an undetermined time as you get this thing bootstrapped?

------
tomklein
I'm not a pro, but I researched this topic a while ago. Would love to help as
best as I can. Email is in my HN profile.

