Can I be my own trusted CA via a signed intermediate certificate?

Your question reads to me and to others as "How do I issue certificates to entities inside and outside of my organization that are trusted by arbitrary internet users?"

If that is your question, then the answer is "You don't." If it isn't, please clarify.

I also recommend reading "Windows Server 2008 PKI and Certificate Security" by Brian Komar and considering all of the various PKI scenarios for your applications. You don't need to use Microsoft's CA to get something out of the book.


A quick search shows that such things exist, but the 'contact us for a quote' suggests it won't be cheap:

https://www.globalsign.com/en/certificate-authority-root-signing/

I make no claims about the company, but that page might give you terms to use to find other companies doing the same.