How do you issue trusted self signed certificates?

Which CA shop provides a product that allows you to sign your own SSL certificates? (say named to a sub-domain) Are there any viable alternatives?

Additional Information:

We are deploying a product with a secure web interface to a sizeable number of installations at various clients' locations. Client users will be accessing their portals from any normal web browser. Since replacing/renewing these certificates in the field is not feasible, long expiry dates of a decade or longer are ideal.

Possible options (and cons):
- Use self signed certificates (users will see a browser error/warning)
- Use Wild-card or maybe multi-cn certificates. (less secure since the PK is shared between non-trusting clients)
- Become a chained certificate authority and sign certificates (expensive)
- buy individual/bulk certificates for every installation (expensive, and cumbersome)

Solution 1:

It depends on what you are asking for exactly. If you want the ability to create and revoke your own certs that are trusted by browsers (that is, from an established CA) then you should look for a provider that gives you managed PKI access. I know that both Thawte and Verisign provide this.

If you want to create certificates for others to use that are chained to a trusted CA, there are some providers that do this, but it costs a LOT.

If, on the other hand, you want to create certs for your own internal use and want to create your own CA that you import into your browser manually, you can accomplish this using just OpenSSL.
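
The OpenSSL route this answer describes, as an added example that is not part of the original post: a shell script that creates a private root CA, issues a certificate for one sub-domain from it, and verifies the chain. The working directory, hostname and subject names are assumptions, and it assumes openssl 1.1.1 or later on PATH; the resulting ca.crt is what you would import into users' trust stores.

```shell
# Added example, not from the original answer: private root CA with the OpenSSL
# CLI, one server certificate signed by it, then a chain check.
# Assumes openssl 1.1.1+; directory, hostname and subject names are hypothetical.
set -eu

# $1 = working dir, $2 = server hostname, $3 = validity in days (default 3650)
make_private_ca_and_cert() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir"

    # 1. Root CA: key, CSR, then self-sign with explicit CA extensions.
    #    CA:TRUE plus keyCertSign are what let clients accept it as an issuer.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example Private Root CA" \
        -out "$dir/ca.csr" 2>/dev/null
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 \
        -days "$days" -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and CSR. Each installation gets its own key, so no private
    #    key is shared between installations (the wildcard objection above).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null

    # 3. Leaf extensions: browsers match the hostname against subjectAltName,
    #    not CN, so SAN is required; CA:FALSE stops the leaf issuing further certs.
    printf '%s\n' "basicConstraints=critical,CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=DNS:$host" > "$dir/server.ext"

    # 4. Sign the server CSR with the private CA.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days "$days" -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Check the leaf chains to the CA and names the host; prints OK or a failure tag.
verify_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo CHAIN-FAIL; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" \
        || { echo SAN-FAIL; return 1; }
    echo OK
}
```

Keep ca.key offline after issuing; only ca.crt needs to reach the clients, and a leaked CA key would let anyone mint certificates those clients trust.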

Solution 2:

You'll be interested in this discussion I had a few months back on ServerFault. In a few short words, it's not something you're going to want to get into unless you have a lot of time and money to pursue the type of solution Zypher mentioned in Alex's answer.

Of course, depending on your application, you may be able to become your own CA and distribute that cert to your users (basically install and "trust" it in their systems), which you can then use to sign other certificates that your users will trust (because of the chain-of-trust).

Read the other question and answers for more details.

Additional Info About UCC/SAN Certificates

IceMage answered my question about a workaround for a situation similar to yours. These UCC certificates are pretty neat and handled my needs, but they did require a little additional work. That thread specifically discusses CACert, but I ended up buying what I needed from GoDaddy. I hope this info helps you out.

Solution 3:

I don't think you can sign your own certs even for a subdomain without going through a long and expensive process to become a root certificate authority. A cert is trusted because it comes from an authority that is listed in your web browser.

These are the certificate authorities included in Firefox: http://www.mozilla.org/projects/security/certs/included/