Can I be an intermediate certificate authority?

My company has grown to the point where we're interested in being an intermediate CA for our customers, and would like to issue certificates to customers. Among other uses, we wish to issue SSL certificates that are trusted by the average web surfer's browser.

My question is quite similar to this one, but I'm skeptical of the "You don't" answer. You must be able to, given the time and money -- others do it. We have both, and would like to know how to proceed.


If you are willing to pay enough, a CA will sell you a self-service infrastructure where you will be able to sign your csr's yourself without any checking by them. You will still have to pay per cert, probably the same as everyone else.

see i.e. http://www.verisign.com/ssl/buy-ssl-certificates/managed-pki/index.html

I guess all other CAs have something similar.

Good luck with becoming a CA included in common browsers, see what happened to cacert.org: https://bugzilla.mozilla.org/show_bug.cgi?id=215243


Basically you have to convince one of the existing CA that they can trust you not give out bad certificates.

You probably going to need to directly contact a few of the CAs and ask. I don't believe this is a common enough request that you are going to find lots of information.

A more likely scenario is that existing CAs might will want to offer you a reseller arrangement where you forward the requests to them.