by grizzles
2252 days ago
The technology side is super easy if you know what you are doing. Getting your cert into the browsers is the problem. It's a political / sales & marketing type of problem. Why should they? You need a pretty convincing answer. Because it's pretty hard to motivate Google or Microsoft with the offer of a cash payment.
It depends on what you mean, but getting a cert into OSs / devices should be a lot easier.
|
There are some nontrivial technical aspects which will be required if you want any certificate stores (browsers, operating systems, etc.) to take you seriously.
Running `openssl ca` a few times won't cut it. You'll need an honest-to-god HSM to store your root keys in, a witnessed procedure for generating those keys, and some ironclad policies on access to those keys. This isn't something you can half-ass and fix later; if there's any doubt about who might have access to the root keys, the CA will never be trusted.