Getting an intermediate SSL certificate

Is it possible to buy an intermediate certificate to use it to sign subdomain certificates? It has to be recognised by browsers and I can't use a wildcard certificate.

The search turned up nothing so far. Is anyone issuing such certificates?


The problem is, that the currently used infrastructure and implementation does not support intermediate certificates which are limited to only some (sub)domains. This, in effect, means that you can use any intermediate certificate to sign any certificate you want and the browsers will trust it, even if this would be certificates for domains you don't own.

Thus, such intermediate certificates are only given to really trustworthy organizations, whatever this means (but lots of money is probably involved).


No, because it would be a violation of the original certificate - browsers would trust your certificates and you could start issuing stuff for google.com etc. - and if you do that smart, you would not be easy to get.

Intermediate Certificate Authorities have a lot of power. An intermediate CA is a certificate signing authority - that is trusted via the root certificate - and nothing in the specification allows limiting the subordinate CA.

As such, no reputable certificate organization is going to give one to you.


It is/was possible to buy a valid CA from GeoTrust.

I was not able to find the product on the English pages, but here is an archived version:

http://archive.is/q01DZ

To purchase GeoRoot you must meet the following minimum requirements:

  • Net worth of $5M or more
  • A minimum of $5M in Errors and Omissions insurance
  • Articles of Incorporation (or similar) and an incumbency certificate provided
  • A written and maintained Certificate Practice Statement (CPS)
  • A FIPS 140-2 Level 2 compliant device (GeoTrust has partnered with SafeNet, Inc.) for key generating and storing your root certificate keys
  • An approved CA product from Baltimore/Betrusted, Entrust, Microsoft, Netscape or RSA

The product is still available on their German page:

http://www.geotrust.com/de/enterprise-ssl-certificates/georoot/


(This is a new answer to an old question because I believe this helps understand that there is no "magic" behind certificates and CA)

As an extension of the approved answer given by @Steffen Ullrich

The entire certificate to identify websites thing is just a big money business. The X509 certificates are defined (amongst others) by RFC5280 and anyone can be a root CA or an intermediate CA, it all depends on the trust you have regarding that entity.

E.g.: If you are in an Active Directory domain, then your primary domain controller is a trusted root certification authority by default. Meanwhile, there are absolutely no other third-parties involved.

On the broad Internet, the issue is to identify "who you can trust" because it is much larger than just one company. And therefore, the browser vendors provide a custom arbitrary list of root CA that it will trust without prompting for your consent.

I.e.: If you have a very good relationship with the Mozilla foundation, then your own arbitrary self-signed root CA could be added to that list on the next release of their Firefox browser... Just because they decided it !

Moreover, there are no RFC that define the behavior and the rules on how browsers should behave regarding the certificates. This is an implied consensus that because the "CN" of the certificate is equal to the domain name, that it is supposed to be matching.

Because this was not sufficient at some point, browser vendors all implicitly ageed that a wildcard certitificate of the form *.domain.com would match any subdomain. But it matches only one level : no sub.sub.domain.com why is that ? Because they just decided so.

Now about your original question, what would prevent that your primary domain certificate be allowed to create sub-certificates for your own subdomains, that is an easy process for the browser to check, just getting the certificate chain.

The answer is : nothing

(except that technically you should have a "flag" in your own domain certificate to do it)

The broswers vendors, if they find this convenient enough, may decide to support it.

However, back to my first statement, this is big money business. So those few root CA that have agreements with the browser vendors are spending large amounts of money to appear in that list. And today, they get that money back because you have to pay for each individual subdomain certificate or get a wildcard which is much more expensive. If they allowed you to create your own subdomain certificates, this would tremendously cut their profit. So this is why as of today, you cannot do it.

Well, you still can, because it would strictly be valid x509 certificates, but not any browser would recognize it.