
Question

My organization is preparing to purchase some 50 "units" from Symantec, with which we can purchase Verisign SSL certificates of varying authentication levels. Our organization does not have--but definitely would like--the ability to send digitally signed e-mail to external business partners and clients, and use the same certificate to encrypt e-mail among other members of the organization.

My question is this: Suppose we were to purchase one SSL certificate from Verisign--this certificate would be an intermediate of the root CA. But our organization could then use this for a Global PKI mail server (Say, SecureMail.OurCompany.com) for the purpose of issuing end user (leaf) certificates.

Is this possible (does it even make sense)? Could we use the Verisign-issued certificate to then issue end user (leaf) certificates to incorporate into the company e-mail (MS Exchange) system? How would this be done? What software would one use to issue end-user certificates this way?

Explanation / Answer

You don't issue certificates with an SSL certificate -- you issue certificates with an intermediate CA certificate. That's a different beast; namely, contrary to what is colloquially known as "an SSL certificate", an intermediate CA certificate is granted CA power by virtue of including a Basic Constraints extension with the cA flag set to TRUE. Presence of that flag is checked by software which validates certificates. You could, technically, sign certificates with your SSL private keys, but nobody would accept these certificates as valid.

Verisign or any other commercial CA will sell you an intermediate CA certificate only under some rather strict conditions: it will cost you a lot of money, and you will have to demonstrate that you can be entrusted with the power to issue certificates. Indeed, once you have that intermediate CA certificate, nothing technically prevents you from then forging fake certificates for google.com or microsoft.com that would be accepted silently by all Web browsers worldwide. Therefore, Verisign will want to ensure that you have procedures to avoid such shenanigans; in particular, strong physical security for the private key storage, dual control for all administrative operations, insurances, strict revocation procedures, and so on.

While you have the right logic (indeed, it is just a matter of having some "certificate issuing software", which can be as simple as some OpenSSL scripts), you underestimate the costs. If you want to operate your own CA (that's what you are actually talking about), then you will need to do it "properly", that is, with means which are proportionate to the required level of security and quality assurance. You will need to hire a PKI specialist. The cost will far exceed that of buying 50 end-entity certificates every year.
