Hacker News new | ask | show | jobs
Ask HN: Looking for someone to help create a trusted CA
38 points by PixelPaul 2246 days ago
Hello, This may be a long shot. but no harm in asking right? Does anyone have any experience in create a trusted certificate authority. Creating all the need Infrastructure, guidelines and submissions to get the root certificate included in all major browsers, OSs, devices etc.. And would they be interested in a new project. If so please message me.
17 comments
Ayesh 2245 days ago
Shitpost: https://bugzilla.mozilla.org/show_bug.cgi?id=647959

Running a CA is not easy, and getting your root certificates included in trusted roots is even harder.

For the technical aspects of it, you will need an HSM for the root certificates generated, OCSP servers, a CRL mechanism, and the signing server. Many enterprises already run their own private CA, and there are plenty of free and open source software.

The difficult part is convincing root CA programs. Mozilla, Google, and Apple would be the start, but I suppose Curl/Java/Debian (which sync with Mozilla) will take some time to catch-up too. You need to be audited (by firms like KPMG and they don't come cheap), and they expect a certain level of transparency.

Why would you want to become a CA in the first place? Amazon and cpanel are root CAs that issue certificate for free. LetsEncrypt is free and issues certificates to everyone. I don't think there's any financial profit to be made anymore.

link
a1369209993 2245 days ago
> Shitpost: https://bugzilla.mozilla.org/show_bug.cgi?id=647959

> The purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money.

Well, they're more honest than any current certificate authority.

link
nurettin 2245 days ago
> LetsEncrypt is free and issues certificates to everyone

When using free providers, you will notice that the issued to -> organization field will be empty. Free providers do not compete with company validating trust authorities. They are just developer tools.

link
deadbunny 2245 days ago
What nonsense. Extended validation schemes are snake oil peddled by CAs to make more money.
link
nurettin 2245 days ago
It is all nonsense until money is involved and customers want to know that the advertised website actually belongs to your legal entity.
link
dividuum 2245 days ago
Does not help in any real way. See https://arstechnica.com/information-technology/2017/12/nope-... for an example.
link
mehrdadn 2245 days ago
There's a huge difference between "it isn't impossible to bypass" and "does not help in any real way".
link
nurettin 2245 days ago
I pointed out that letsencrypt does not compete in the same space with some providers and I get responses from internet freedom activists who don't want to acknowledge the fact. If shit is broken and doesn't work, you don't use it to make a point, you go fix it.
link
Ayesh 2245 days ago
> They are just developer tools

A CA is a CA. A developer tool would be you signing certificates with your own private CA. LetsEncrypt is often better as they support must-staple, CT timestamps in certificates themselves, and ECDSA leaf certificates support.

The snakeoil pitch would have worked 3-4 years back when browsers shows a big yellow label in address bar, but as of now, they all look the same regardless if its a DV, OV, or EV certificate unless you click your way through the certificate information.

link
toast0 2245 days ago
You might notice that, but very few other people do.
link
bassman9000 2245 days ago
No one, other than us, cares about that.
link
woodrow 2246 days ago
Two things:

1) You have no contact info in your profile.

2) As throwaway pointed out, this is an expensive task to undertake and, at least based on your post, it's not clear what you hope to gain from building another CA that's sufficiently trustworthy to be accepted into the Web PKI root stores. Beyond free certs (Let's Encrypt), your needs might also be satisfied by something like Digicert's Dedicated Intermediate program [1] where they will build and manage a "sub-CA" (subordinate CA) for you that chains up to their widely trusted roots. This allows you to control certificates issued under that sub-CA (as long your requests also fall within the baseline requirements) but saves you from the management and compliance overhead of a truly new CA.

[1] https://www.digicert.com/dedicated-intermediate/

link
PixelPaul 2245 days ago
Thanks for the DigiCert link. Are there other CAs that offer the same service that you know of? As DigiCert is very very very expensive as they target the top end enterprise.
link
toast0 2245 days ago
You haven't told us why you want to be a CA?

What is it that you want to do, that you think you can do as a CA, but not as a customer/reseller of a CA?

In my experience as a CA customer, DigiCert is certainly expensive, but with that expense comes quite a bit of flexibility. Flexibility that might be able to meet your needs. Anyway, I would be amazed if the sub CA from Digicert program is more expensive than running a full blown CA, including the time and effort to get the CA into trust stores.

Plus, you're going to need to get a CA to sign your root / your intermediates while you wait for all the trust stores your customers care about to get updated; and by get updated, I really mean for your customers' customers to throw away their old devices. Your average Android device gets zero software updates, and lasts up to 7 years in your customers' customers hands, and who knows how many years behind upstream the manufacturer was when they built the thing.

link
exikyut 2245 days ago
Considering all of the, uh, interesting goings-on that have happened in the CA world over the past few years, the first thing you need is trust and transparency. Buckets of it. Preferably your own personal waterfall.

I get the impression you may not be aware of the fairly unbounded levels of paranoia and suspicion that make up the bulk of public (personal and corporate) opinion about CA trustworthiness.

You very obviously have a motivation and agenda to post here, and for the sake of simplicity I trust that this is benign. But not actually documenting that rationale, let alone adding some reassuring arguments, kind of comes across to me as Step #1 in How To Successfully Not Succeed At Being A CA.

link
grizzles 2246 days ago
The technology side is super easy if you know what you are doing. Getting your cert into the browsers is the problem. It's a political / sales & marketing type of problem. Why should they? You need a pretty convincing answer. Because it's pretty hard to motivate Google or Microsoft with the offer of a cash payment. It depends on what you mean but getting a cert into OSs / devices should be a lot easier.
link
duskwuff 2245 days ago
> The technology side is super easy if you know what you are doing.

There are some nontrivial technical aspects which will be required if you want any certificate stores (browsers, operating systems, etc) to take you seriously.

Running `openssl ca` a few times won't cut it. You'll need a honest-to-god HSM to store your root keys in, a witnessed procedure for generating those keys, and some ironclad policies on access to those keys. This isn't something you can half-ass and fix later; if there's any doubt about who might have access to the root keys, the CA will never be trusted.

link
throwaway888abc 2246 days ago
Relevant https://letsencrypt.org/2016/09/20/what-it-costs-to-run-lets...
link
slrz 2245 days ago
I'd be more optimistic if you had included a note that you know the history of CAcert (https://en.wikipedia.org/wiki/CAcert.org) and have a plan on how to tackle the issues that prevented its roots from getting into the common trust stores.
link
pjc50 2246 days ago
It's something only a handful of people have done, and realistically you'll need a certain amount of business cred to be seen as a plausible CA. And it's hard to compete with Let's Encrypt ..
link
frogcoder 2245 days ago
I'm no expert on creating a CA. The changelog recently has an episode on Let's Encrypt. It covered a lot about how Let's Encrypt got started. Quiet an amazing job, I think you should listen to it or at least read the transcript.

https://changelog.com/podcast/389

link
mister_hn 2246 days ago
What's your plan? Creating something in the style of Let's Encrypt (all free, all open source) or in the style of Comodo/Verisign/etc. (Paid, closed source)?

You might start using software like PrimeKey Ejbca (Enterprise Edition), Microsoft Server 2019 with Certification Authority or some wrappers around openssl that are available online.

link
larsrc 2245 days ago
Wait - you're asking random strangers to help you create one of the cornerstones of trust on the internet?
link
jamieweb 2245 days ago
Other commenters have already covered the political/financial difficulties of this, so I won't mention those.

However, the journey of CertSimple may be marginally relevant to what you're proposing.

They were a small CA focusing entirely on the easy issuance of Extended Validation certs.

Disregarding the fact that EV never actually had any proven value (except for some code signing use cases), they did have a nice little business.

As far as I know it was a one-person company at first, and they were able to piggyback off the infrastructure of an existing CA. I can't remember whether it was an intermediate cert or simply reselling.

I was going to link to them but they seem to have shut down or been absorbed into another company.

link
exikyut 2245 days ago
Yup, absorbed into https://expeditedsecurity.com/certsimple/
link
phonon 2245 days ago
Start by being a reseller.

https://www.namecheap.com/resellers/ssl-certificates/how-it-...

link
PixelPaul 2245 days ago
Not exactly what I asked or what is wanted sorry. Plus namecheap are terrible as a reseller
link
stedaniels 2245 days ago
Being a reseller puts you in the path to being a trusted CA.
link
jlgaddis 2246 days ago
You'll probably want to read the Mozilla Root Store Policy [0], if you haven't already.

Oh, and be prepared to spend tens or hundreds of thousands of dollars over the next few years while this process plays out and your CA certificate actually gets added to the root store in the various browsers.

---

[0]: https://www.mozilla.org/en-US/about/governance/policies/secu...

link
cjbprime 2246 days ago
Like everyone else is saying, this is something that will cost you millions of dollars in startup costs in order to compete with a product (Let's Encrypt) that's free of charge.
link
zupreme 2245 days ago
Ignore anyone telling you that what you propose is technically difficult. It is not.

The code for what you want to do has been baked into Windows Server since 2008. It also exists in OpenSSL.

The CA part is easy. The “getting the world to trust your CA” is the part most would call “difficult”.

If you can do the latter, ALOT of people here can do the former, and you will likely succeed.

If you cannot do the latter, you will likely fail in the effort.

link
oarsinsync 2245 days ago
The CA part is incredibly easy if you don’t need to consider security.

The difficulty then ramps up the more secure you want (or need) it to be.

link
pgporada 2245 days ago
You'll want to study the Baseline Requirements and join the various forums such as MozDevSecurityPolicy (MDSP). Do you have a business plan for this month, year, next year, 2 years out? Are you ready to not sleep and hate yourself for an undetermined time as you get this thing bootstrapped?
link
tomklein 2245 days ago
I'm not a pro, but I researched this topic a while ago. Would love to help as best as I can. Email is in my HN profile.
link