
Ask HN: Where do you get CA validated “Client Certificates”? - asadjb
A 3rd party API we're hoping to work with needs a Client Certificate for authentication of our backend servers. However, contrary to (as I understand it) the general practice of using self signed certificates, they are asking for a certificate issued by a trusted CA.

I've gotten in touch with a few of the largest SSL certificate providers, and all but one of them has responded to my query so far.

The one that responded has quoted a price > USD 2K for what they call "PKI infrastructure" setup, and around $50 for each generated certificate. The $50 is fine, the $2K is too much IMHO.

Has anyone on HN dealt with such requirements before? If so, which certificate vendor did you end up using, and what was the approximate costing and general experience?
======
Ayesh
It's pretty weird for an API to ask for a client certificate.

We have a client certificate authentication in one of our projects. We hold
the root CA key (self-signed), and this key is used to sign intermediate
certificates, whose root private keys are held by our resellers. They issue
client certificates, so we can easily find the reseller and end user.

With a public CA issuing client certificates, I wonder how you can
authenticate clients at all, because any root CA can issue certificates now.

Or perhaps they are asking for S/MIME certificates?

------
moviuro
Depending on the criticality of your protected service, you could probably just
be your own Certificate Authority, and publish the root certificate
internally. How many machines are we talking about?

A local PKI is probably overkill. Do you intend to give every single coworker
a certificate on their own smartcard? If not, PKI is most probably not needed.

[https://github.com/OpenVPN/easy-rsa](https://github.com/OpenVPN/easy-rsa) +
two USB thumb drives in a safe (primary + backup) + one off-site in another
safe.

Client certificates are kind of hard to ask a global PKI for, because you
usually use some internal names, not public FQDNs...

~~~
asadjb
I'd love to use my own CA, but the 3rd party that needs these certificates
wants them issued by a trusted CA; essentially a CA trusted by the browsers by
default.

Have you ever run into a similar situation?

~~~
moviuro
Nope, this really is weird. Can't you add a root CA to the machine providing
the service? e.g.
[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate)
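
An added example (not from either commenter) of the nginx side of this: the `ssl_client_certificate` / `ssl_verify_client` setup moviuro points to, plus the check Ayesh's comment implies is needed when the accepted roots are public CAs, since chain validation alone then admits anyone holding any publicly issued certificate. Hostnames, DNs and file paths are assumptions.

```nginx
# Only the partner's known client identity is admitted, not every
# certificate that chains to one of the trusted roots.
# $ssl_client_s_dn is in RFC 2253 form ("CN=...,O=...") on nginx >= 1.11.6;
# older releases use the "/C=../O=../CN=.." form, so match accordingly.
map $ssl_client_s_dn $client_allowed {
    default 0;
    "CN=backend.partner.example,O=Partner Inc" 1;
}
# Alternative pin that survives DN changes: map $ssl_client_fingerprint
# (SHA-1, lowercase hex) to 1 for each known client certificate instead.

server {
    listen 443 ssl;
    server_name api.example.com;            # assumed hostname

    ssl_certificate     /etc/nginx/tls/api.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;   # assumed path

    # Roots a client certificate may chain to: a private CA you run
    # yourself (the self-signed approach), or a public root bundle if the
    # other party insists on browser-trusted issuers. With a public bundle
    # the map above is what actually limits who can authenticate.
    ssl_client_certificate /etc/nginx/tls/client-roots.pem;   # assumed path
    ssl_verify_client on;     # handshake fails without a valid chain
    ssl_verify_depth 2;       # leaf -> intermediate -> root

    location / {
        # ssl_verify_client already rejects bad chains; this rejects
        # valid-but-unknown clients.
        if ($client_allowed = 0) {
            return 403;
        }
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```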

~~~
asadjb
Unfortunately no. That's how I think client certificates are usually given;
generated with a self signed CA, but this 3rd party API wants a pre-trusted
CA, not a self signed one.

~~~
moviuro
I still can't understand what's going on :(

Who's doing what, and which machine connects to the other one?

------
forgottenpass
Any reason you can't get a cert for those machines as if they were going to be
https hosts, and use that?

