Can I purchase a certificate for my domain that can sign other certificates for subdomains?

ssl-certificate

I have written a small program to run on a Windows computer that serves SSL/TLS web pages through port 443 to visiting web browsers. I want it to be easy for non-technical people to install and run this program. I have made it easy for them to create a self-signed certificate or a certificate signing request in the program, but I think they are going to struggle getting the CSR signed and connected to a domain name which points at their server. I want to reduce the technical difficulty of this process to a minimum.

Can I purchase an SSL certificate which can sign certificates for subdomains of my domain name? Something like customer1.mydomain.com, customer2.mydomain.com etc and then I could point my DNS subdomains at their servers and sign their certificates for them and automate the entire process. Or maybe this would be very expensive?

If not, apart from hosting all their web applications on my own server with a *.mydomain.com certificate, what is the simplest solution I can give them for setting up the SSL certificates and domain names?


StartCom has an Intermediate Certificate Authority program. According to the linked site the program is intended for those issuing 1,000 or more certificates and the average cost is around $2 per issued certificate.


The sad truth is that what you aim for is technically possible with the x.509 Name Constraint permittedSubtrees attribute as defined in RFC 2459 Section 4.2.1.11, but you hardly will find any CA willing to provide you with such a certificate.

Some will not do that due to the thought that selling you such a certificate once is not as good as selling you a lot of per-host-certificates many times.

Some will not due to self-incurred braindead regulatory requirements or requirements of external parties.

There is a very very sad story about the certificate chain of a large telecoms provider which has signed intermediate CAs for a national research network which in turn did issue CA certificates to Universities. While this does not sound very sad yet, the sadness starts as a brave man from the aforementioned telecoms provider tried to get the certificate and the trust chain included into Mozilla Firefox - it took 4 years of discussions, reviews, misunderstandings and even more discussions before it was finally included.

What you can purchase is mostly some "Managed Service" where you would use the CA's interfaces to create new certificates more or less at will. Of course, this typically will cost a lot of money beforehand and you likely will be additionally charged for every issued certificate.

Related

NRPE unable to read output, but why?
What replaces IIS SMTP server in Windows Server 2012
Is it necessary to burn-in RAM for server-class hardware?
Is IIS SFTP natively supported by Windows Server 2012 R2?
How to setup Apache NameVirtualHost on SSL?
Sendmail to local domain ignoring MX records (part 2)
MySQL slave replication reset with no Master Downtime (using MyISAM)
IIS 7.5 Redirect / URL Rewrite to mobile version of website
Email delivery management grievances
How do MyISAM and InnoDB Utilize HD Space?
How do I setup sshd to require both a private key and a password?
Keeping up with security [closed]