How to become a trusted SSL Provider?

[CymraegWalesHosting]

Hi, im interested in selling SSL certificates, but i dont want to resell them, i'd like to sign them myself. What is out there to do this and how would i go about doing it?

Best,
Nathaniel

[e-Sensibility]

Definitely an interesting question. I would assume that your organization would have to jump through a lot of hoops. I look forward to seeing someone with more knowledge on the subject answer this.

[romes]

Yes, I am interested in this myself.

[dkitchen]

Anyone can create their own CA, infact it's quite a common process within larger organisations for securing internal websites, providing the basis of smartcard authentication, etc. The difficulty you will have is trying to get the industry key platform manufacturers (Microsoft, etc) to trust your CA.

For obvious security reasons there are only a small number of trusted CA's. To understand why it's so essential that CA's are heavily controlled you need to understand what certificates do - they don't just facilitate the encryption of websites/applications, they verify the identity of those websites/applications so that visitors know they are visiting the genuine website. If a CA's keys were exposed fake certificates could be generated (that would be trusted by every browser out there) and the security of pretty much every internet user would be put at risk as a result.

It's unlikely anyone on this forum is a big enough organisation to even contemplate the process. There are lots of hoops to jump through - you'll need heavily documented processes, a secure infrastructure, cash for third party audits, cash for major vendors you want to accept your CA, and most of all lots of time.

You'd need to be selling an exceptionally high number of certificates to make it financially viable.

[fwaggle]

I'm no expert, so please don't quote me on this, but I believe there's a substantial investment involved. In addition to some auditing that's allegedly required, I'm pretty sure you require some kind of bond/insurance as well to cover losses should your system fail to ensure the identity of someone you certify.

That's to become a root authority - I can't place a dollar value on what it would cost, but to give some idea the "chained" certificate that some SSL providers use, which I don't believe you can get any more, ran in the hundreds of thousands of dollars to get.

In short, my uneducated guess: multiply the paperwork of becoming a domain registrar by the yearly costs of getting an ARIN assignment, then multiply that by the costs of being able to drive in the USA without insurance legally and then add a couple zeros.

I'd love to see any docs anyone can turn up about the process, but I think it's out of most companies' reach.

[wolfdog]

Hi

Jumping thru hoops is an understatement. I believe its $70,000 for just the audit + $10,000 yearly to keep it up. Thats in addition to equipment and facilities. You also need employees to physically verify identifications sent to you.

Check out the company at www.StartSSL.com.

Read every page on that site and you will get a real education

As sophisticated as they are and as much money they have invested, they are in Firefox and Safari browsers but it looks like it will be a few more months until they are in Internet Explorer.

Either way, these guys are the best for SSL certs. $29.95 for identity verification and the certs are FREE. Otherwise they need to be renewed every 30 days.

Hope this helps

Wolfdog