by woodrow 2247 days ago
Two things:

1) You have no contact info in your profile.

2) As throwaway pointed out, this is an expensive task to undertake and, at least based on your post, it's not clear what you hope to gain from building another CA that's sufficiently trustworthy to be accepted into the Web PKI root stores. Beyond free certs (Let's Encrypt), your needs might also be satisfied by something like Digicert's Dedicated Intermediate program [1] where they will build and manage a "sub-CA" (subordinate CA) for you that chains up to their widely trusted roots. This allows you to control certificates issued under that sub-CA (as long as your requests also fall within the baseline requirements) but saves you from the management and compliance overhead of a truly new CA.

[1] https://www.digicert.com/dedicated-intermediate/


Thanks for the DigiCert link. Are there other CAs that offer the same service that you know of? DigiCert is very, very, very expensive, as they target the top-end enterprise.
You haven't told us why you want to be a CA.

What is it that you want to do, that you think you can do as a CA, but not as a customer/reseller of a CA?

In my experience as a CA customer, DigiCert is certainly expensive, but with that expense comes quite a bit of flexibility. Flexibility that might be able to meet your needs. Anyway, I would be amazed if the DigiCert sub-CA program is more expensive than running a full-blown CA, including the time and effort to get the CA into trust stores.

Plus, you're going to need to get a CA to sign your root / your intermediates while you wait for all the trust stores your customers care about to get updated; and by get updated, I really mean for your customers' customers to throw away their old devices. Your average Android device gets zero software updates, and lasts up to 7 years in your customers' customers' hands, and who knows how many years behind upstream the manufacturer was when they built the thing.
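Both mechanisms raised in this thread, the dedicated sub-CA chaining to a widely trusted root (first comment) and the cross-signed intermediate that carries a new root through the years-long trust-store lag (comment above), can be exercised offline with Go's standard-library x509 package. The following is an added example, not code from any commenter, from DigiCert or from Hacker News; the CA names ("Legacy Root", "Example Corp Issuing CA", "Example Corp Root"), the hostnames and the contents of the two simulated trust stores are constructed assumptions. It builds a throwaway root, issues a sub-CA restricted by name constraints to example.com and to TLS server certificates, shows an in-scope leaf validating and an out-of-scope one being refused, then stands up a second root and shows that a client whose store only has the old root validates the leaf only when it is served the cross-signed intermediate, while a client that already trusts the new root needs no cross-sign at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl for subjectKey's public key with the parent CA; a nil parent self-signs.
func issue(tmpl *x509.Certificate, subjectKey *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, subjectKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verify plays the TLS client: store is the device's trust store, sent is what the
// server included in its handshake.
func verify(leaf *x509.Certificate, host string, store, sent *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store, Intermediates: sent})
	return err
}

// Outcome records each scenario's verification error; nil means the chain validated.
type Outcome struct {
	InScopeLeaf     error // www.example.com under the constrained sub-CA, legacy store
	OutOfScopeLeaf  error // www.other.test under the same sub-CA: outside its name constraint
	OldStoreCross   error // leaf under the new root, legacy store, cross-signed cert served
	OldStoreNoCross error // same, but the server omits the cross-signed cert
	NewStoreDirect  error // same leaf, a store that already trusts the new root
}

// RunScenarios builds the toy PKI; all CA names and hostnames are illustrative assumptions.
func RunScenarios() Outcome {
	// A root every client already trusts (the role a DigiCert root plays).
	legacyKey := newKey()
	legacy := issue(caTemplate("Legacy Root"), legacyKey, nil, nil)

	// Dedicated sub-CA for Example Corp: may only issue TLS server certs under
	// example.com and may not create further CAs, so a mistake stays inside that box.
	subKey := newKey()
	subTmpl := caTemplate("Example Corp Issuing CA")
	subTmpl.MaxPathLen, subTmpl.MaxPathLenZero = 0, true
	subTmpl.PermittedDNSDomains, subTmpl.PermittedDNSDomainsCritical = []string{"example.com"}, true
	subTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	sub := issue(subTmpl, subKey, legacy, legacyKey)
	good := issue(leafTemplate("www.example.com"), newKey(), sub, subKey)
	bad := issue(leafTemplate("www.other.test"), newKey(), sub, subKey)

	// Later Example Corp stands up its own root. The same issuing key and subject get a
	// second certificate from it; the legacy-issued one is the cross-sign that devices
	// whose trust store never learned the new root must be served.
	newRootKey := newKey()
	newRoot := issue(caTemplate("Example Corp Root"), newRootKey, nil, nil)
	subUnderNewRoot := issue(caTemplate("Example Corp Issuing CA"), subKey, newRoot, newRootKey)

	oldStore, newStore := pool(legacy), pool(newRoot)
	return Outcome{
		InScopeLeaf:     verify(good, "www.example.com", oldStore, pool(sub)),
		OutOfScopeLeaf:  verify(bad, "www.other.test", oldStore, pool(sub)),
		OldStoreCross:   verify(good, "www.example.com", oldStore, pool(subUnderNewRoot, sub)),
		OldStoreNoCross: verify(good, "www.example.com", oldStore, pool(subUnderNewRoot)),
		NewStoreDirect:  verify(good, "www.example.com", newStore, pool(subUnderNewRoot)),
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

The design choice worth noting is in the cross-sign step: the intermediate keeps one key pair and one subject name and simply collects a second certificate from the new root, so the server can send both intermediate certificates and let each client pick whichever chain ends in a root it already holds. Omitting the legacy-issued certificate is exactly what breaks the old Android devices the comment describes, and the name constraint plus pathLen 0 on the dedicated sub-CA is what makes a hosted sub-CA acceptable to the root's operator: it cannot issue outside the customer's own namespace.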