
Ask HN: How to become a root CA? - panching
Is there a way to become a Root Certificate Authority, and how much does it cost and how long does it take?
======
wolrah
Start here: [https://cabforum.org/baseline-requirements-documents/](https://cabforum.org/baseline-requirements-documents/)

Those are the minimum requirements you'll have to meet to get pretty much any
browser vendor or OS developer to take you seriously and consider including
your cert as trusted by default. Some have further requirements.

Apple:
[https://www.apple.com/certificateauthority/ca_program.html](https://www.apple.com/certificateauthority/ca_program.html)

Google: [https://www.chromium.org/Home/chromium-security/root-ca-policy](https://www.chromium.org/Home/chromium-security/root-ca-policy)

Microsoft: [https://technet.microsoft.com/en-us/library/cc751157.aspx](https://technet.microsoft.com/en-us/library/cc751157.aspx)

Mozilla: [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)

As noted, Let's Encrypt is a fairly well documented example of how this plays
out in the real world.

I would of course note though that this is one of those questions where if you
have to ask you probably can't do it.

~~~
duskwuff
I'd also note that, in the wake of recent fiascos like Startcom/Wosign,
Symantec, and Trustico, browser manufacturers are going to be extremely wary
of new CAs -- and especially of ones operated by companies with no history in
security.

~~~
nailer
Depends. Amazon CA and LE are new, there's another big one on the way. If your
WebTrust audit passes and you can demonstrate you know what you're doing, I
see no reason to. Cross signing for a new CA (so you work in old browsers) is
about 2M on the open market.

------
majewsky
I cannot tell much about how to become a root CA, but this classic contains
everything about how _not_ to become a root CA:
[https://bugzilla.mozilla.org/show_bug.cgi?id=647959](https://bugzilla.mozilla.org/show_bug.cgi?id=647959)

------
number6
You can look at the history of Let's Encrypt: $3 million and about 4 years.

------
stevefan1999
You need to have a large sum of money because you need to keep your
infrastructure intact and maintainable; this is a must. If you cannot issue
certs in time, you have broken a promise. If you break a promise, people
distrust you.

Second, you have to hire a lot of security and network guys to ensure your
operation is professionally carried out and that they will devote themselves
to doing things seriously. They will make sure that no other people can steal
the derivation of your identity. This is very essential, because if any hackers
intruded into your system, they could steal the trust you built over a long
time.

------
castillar76
/u/wolrah's links[0] are a great place to start reading up on this. A root CA
intending to distribute SSL certificates will have to adhere to all of the
CA/Browser Forum requirements documents, plus the additional requirements
imposed by each of the browsers for entry into their individual trust stores
(the Apple/Google/Mozilla/Microsoft links included).

To do this, you'll need to stand up an offline root CA in a secure location,
then create an issuing CA that will issue certificates. That whole thing must
be created ab initio in compliance with the requirements and be operated in
compliance at all times. To demonstrate that, you'll then need to pay an
outside, accredited audit firm to come in and attest that you're following the
rules. They issue an attestation letter stating that they reviewed your
operations and your assertion that you're following the rules is valid for the
period of time you state: basically, you operate the CA for a period of time,
then they come in and review your evidence for that period of time that shows
you're doing the right things. The smallest they'll usually feel comfortable
doing that for is typically sixty days, although you can get what's called a
Point In Time audit that says "they were doing the right thing at this
specific moment". Those audits will cover both the WebTrust for Certificate
Authorities[1] requirements and the WebTrust for Certificate Authorities — SSL
Baseline with Network Security requirements[2]. They overlap, but they're two
separate attestation letters with two separate seals, for which you'll pay
somewhere in the neighborhood of $75k-$100k for a root CA and its issuing CA.

Once you have your audits in hand, you can apply to each of the trust stores
for admission through the Common CA Database[3] that all of the trust stores
are slowly gravitating towards. You'll have to supply all of your paperwork,
the audit letter URLs, and all of the information about your CA for their
deliberation.

The requirements (in particular the CA/Browser Forum reqs that are encompassed
in the WebTrust with SSL Baseline) have some specifics around uptime, regular
operations, separation of duties, and validation of security, so this is
definitely a very full-time occupation: once it's going, you can't _ever_ stop
it or lose vigilance, or you risk losing your audit. Lose your audit, and
you'll be pushed out of the browser stores.

[0] [https://news.ycombinator.com/item?id=17390183](https://news.ycombinator.com/item?id=17390183)

[1] [http://www.webtrust.org/principles-and-criteria/docs/item85228.pdf](http://www.webtrust.org/principles-and-criteria/docs/item85228.pdf)

[2] [http://www.webtrust.org/principles-and-criteria/docs/item85437.PDF](http://www.webtrust.org/principles-and-criteria/docs/item85437.PDF)

[3] [https://ccadb.org](https://ccadb.org)
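The two-tier layout described above (offline root, online issuing CA that does the day-to-day signing), as an added example that is not part of this thread: it builds the hierarchy with openssl on a POSIX shell, verifies a leaf the way a relying party would, and goes one step beyond the comment by showing that a sub-CA the issuing CA was never allowed to create fails verification because of the pathlen limits. All names (Example Offline Root, Example Issuing CA, the hostnames) are hypothetical.

```shell
set -eu

# EC key plus CSR for name $2 (CN=$3) in directory $1.
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
}

# Sign CSR $2 with issuer $3 ("self" = self-signed) for $5 days, using extension file $4.
sign_csr() {
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days "$5" \
      -extfile "$1/$4" -out "$1/$2.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
      -days "$5" -extfile "$1/$4" -out "$1/$2.crt" >/dev/null 2>&1
  fi
}

# Offline root (pathlen:1 = one tier of intermediates, nothing deeper) and an online
# issuing CA under it (pathlen:0 = end-entity certificates only). In a real deployment
# the root key goes to cold storage after this step and is never used for routine issuance.
build_hierarchy() {
  mkdir -p "$1"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/root.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  new_csr "$1" root "Example Offline Root";  sign_csr "$1" root self root.ext 3650
  new_csr "$1" issuing "Example Issuing CA"; sign_csr "$1" issuing root ca.ext 1825
}

# Server certificate for hostname $2 (SAN set, as browsers require), signed by $3
# (the issuing CA unless overridden).
issue_leaf() {
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  new_csr "$1" "$2" "$2"; sign_csr "$1" "$2" "${3:-issuing}" "$2.ext" 90
}

# Relying-party check: trust only the root, take intermediates from the untrusted
# pool, and require the hostname to match. Returns 0 only for a valid chain.
verify_leaf() {
  cat "$1"/issuing.crt "$1"/sub.crt 2>/dev/null > "$1/pool.pem" || true
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/pool.pem" -verify_hostname "$2" \
    "$1/$2.crt" >/dev/null 2>&1
}

# Failure case: the issuing CA signs an unplanned sub-CA, which then issues a leaf.
# The chain exceeds both pathlen limits, so verify_leaf must reject it.
issue_via_subca() {
  new_csr "$1" sub "Unplanned Sub CA"; sign_csr "$1" sub issuing ca.ext 365
  issue_leaf "$1" "$2" sub
}
```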

------
evgen
Honest response: if you have to ask the question here then you don't have the
money, experience/skills, or contacts to become a root CA.

~~~
quickthrower2
A lot of big journeys start with a question.

There is no reason to believe he/she can't learn everything they need, build
the contacts and raise the money. And also maybe the OP is asking to increase
their knowledge without actually doing it, which is a fine thing to do, and is
why people read sites like Wikipedia and HN.

