by jcase 4921 days ago
> Consider this: if I hold a certificate for fubar.com, why am I not permitted to issue a certificate for xyz.fubar.com? Or, better yet, another certificate for fubar.com?

Because business model. StartSSL.com is afaik the first (only?) CA that charges solely for identity validation and then lets you create unlimited (wildcard) certificates (with the exception of EV certs).

* No ties, just a customer.


Quite. You are, of course, free to run your own CA. I rather like my version (a custom minimal Linux virtual machine, ~16MB, stored on an IronKey). Built from source, reasonably tamper-proof, works offline, encrypted at rest. It's a bit of a pain to remember to reset the time/date every time I boot it, but it works quite well.

Sadly you'll spend the rest of your time installing your root certificates in everything (good luck with mobile devices, I have torn my hair out in the past with Sony-Ericsson; Oh, you have to drag the specially-named-file-in exactly-the-right-encoding onto the HIDDEN node in the PC-suite-file-explorer-horror-window, of course. HOW OBVIOUS.)

Can you elaborate why you've spent the considerable time to do this? Do you habitually travel / connect to completely nefarious networks?

Much for the same reasons I run my own mail server - because I can, I learned something doing it, it gives me more control than I'd otherwise have. I also don't trust any network with plain-text credentials so TLS was a requirement for mobile email.

IronKey was something I already used, so it was natural to try and build a minimal CA that fit on it.

Given the choice I'd prefer a good VPN solution but the aforementioned pre-smartphones simply couldn't do that and SSL VPNs weren't common, so TLS was what we had. Now, that little CA primarily gets used for generating Xauth-RSA certificates for my IPSEC VPNs...
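The two technical points in this thread, why holding a certificate for fubar.com does not let you issue one for xyz.fubar.com (the quoted question at the top) and what the homebrew offline CA above actually has to produce, can be shown with the openssl CLI. The script below is an added example, not the poster's setup or anything from StartSSL: it builds a self-signed root marked CA:TRUE, issues a wildcard certificate and a second certificate for the same domain from it, then signs a certificate with the wildcard leaf's key and shows that chain validation rejects it because the leaf is CA:FALSE and lacks keyCertSign. It assumes bash and an OpenSSL 1.1.1-or-later CLI; the domain names are the thread's placeholder and the file names are arbitrary.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a minimal private CA with openssl.
# Shows that a CA:TRUE root may issue any number of certs, wildcards included,
# for a domain, while a CA:FALSE leaf cannot act as an issuer for a subdomain.
set -e -o pipefail

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# make_root_ca: self-signed root with the two properties an issuer needs,
# basicConstraints CA:TRUE and keyUsage keyCertSign.
make_root_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Homebrew Root CA" 2>/dev/null
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/root.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" \
        -signkey "$WORK/root.key" -extfile "$WORK/root.ext" \
        -out "$WORK/root.crt" 2>/dev/null
}

# issue_cert NAME ISSUER CN SAN: end-entity cert $WORK/NAME.crt signed by
# $WORK/ISSUER.key. The extensions explicitly mark it CA:FALSE with server
# key usages only, which is what a public CA puts on a customer's cert.
issue_cert() {
    local name=$1 issuer=$2 cn=$3 san=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$cn" 2>/dev/null
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=$san" > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
        -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_cert LEAF HOST [INTERMEDIATE]: chain-validate LEAF against the root
# and check HOST against its SANs; prints "ok" or "fail".
verify_cert() {
    local leaf=$1 host=$2 extra=()
    if [ -n "${3:-}" ]; then extra=(-untrusted "$WORK/$3.crt"); fi
    if openssl verify -CAfile "$WORK/root.crt" "${extra[@]}" \
            -verify_hostname "$host" "$WORK/$leaf.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_root_ca
issue_cert wildcard root '*.fubar.com' 'DNS:*.fubar.com'     # wildcard for the domain
issue_cert second   root 'fubar.com'   'DNS:fubar.com'       # another cert, same domain
issue_cert rogue    wildcard 'xyz.fubar.com' 'DNS:xyz.fubar.com'   # signed by a leaf

echo "wildcard cert for xyz.fubar.com:        $(verify_cert wildcard xyz.fubar.com)"
echo "second cert for fubar.com:              $(verify_cert second fubar.com)"
echo "wildcard cert for a.b.fubar.com:        $(verify_cert wildcard a.b.fubar.com)"
echo "leaf-signed cert for xyz.fubar.com:     $(verify_cert rogue xyz.fubar.com wildcard)"
```

The last check is the one that answers the quoted question: openssl verify builds the chain rogue -> wildcard -> root and rejects it with "invalid CA certificate" because the wildcard leaf carries CA:FALSE and no keyCertSign, regardless of who signed the wildcard itself. The third check is a caveat on wildcards: `*.fubar.com` matches exactly one label, so it does not cover `a.b.fubar.com`. A private root like the one described above only differs from a commercial CA in that nobody else has it in their trust store, which is the installation problem the next comment complains about.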

Any chance you could release a scrubbed setup or a blog post?

I'm looking at doing this and would rather not have to slog through the nuances if possible. (I deal with certs on a sufficiently infrequent basis that I have to actively try to figure out the steps again. One of the frustrating things about having to deal with cryptic options.)

neat, thanks for the followup!

Actually, I've thought about starting a "real" CA (read: get certified etc). I'm not sure the world needs another one though.

Your experience running a homebrew setup is exactly why I think CAs will continue to exist—even if self-signed certs would be widely supported via DANE. I doubt many businesses are going to run their own CA in order to save < $1000 a year.

So did Honest Achmed, but he got shut down. https://bugzil.la/647959