SSL/TLS Certificates issued directly off the Publicly Trusted Root CA

There is a question posted at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28324159.html, and in the comments someone asked whether there are any Public Certificate Authorities (CAs) that issue certificates directly off the Root CA certificate. The response was:

"There are plenty... 

Digicert, Verisign, Thawte, Comodo, to name a few."
This is incorrect. Public CAs are required to follow strict rules set by the CA/Browser Forum and by the root certificate programs of the browser and operating system vendors (e.g. Microsoft, Mozilla (Firefox) or Apple):

CA Browser Forum: https://cabforum.org/baseline-requirements-documents/
Microsoft: http://technet.microsoft.com/en-us/library/cc751157.aspx
Apple: https://www.apple.com/certificateauthority/ca_program.html
Mozilla: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Let's start by defining what a Public Certificate Authority is:

The CA Browser Forum defines a Public CA as "Public Certificate Authorities are companies or government agencies that have been authorized by browsers to issue SSL and code signing certificates. These organizations must undergo annual audits by third parties in order to insure they are following rules regarding the proper vetting, issuance and revocation of certificates. Certificates issued by companies that have not been approved by browsers will display a warning [Rick: will cause a warning to be displayed] when consumers browse to a page secured by that certificate."

- CA/Browser Forum, "Information for the Public", https://cabforum.org/info-for-consumers/, 08/08/2014

Now that we understand that Public CAs must follow these guidelines, we can move on to the Chain Certificate, also known as the Intermediate Certificate or the issuing CA.

The Chain Certificate is a certificate issued off the Root Certificate, and it is the certificate used to issue the publicly trusted certificates provided to the users and organizations that request certificates from the Public CA. This gives the CA control over certificate policies, since there are different certificate types and verification levels (e.g. DV, OV and EV... that is a whole different story). All Public CAs are required to issue publicly trusted certificates off a Chain Certificate; this is a mandatory requirement of the CA/Browser Forum and has been this way for some time now (2009 or 2010 I think).

So how can you work around the Asker's issue in the question I mentioned at the beginning of this post?

You can look into mobile device appliances that can push a profile containing a certificate, or the credentials needed to access the wireless network, to users who are not part of the domain, or that can authenticate those users directly.

Device certificates are another option, but the users would need to have access to a web page first. Entrust offers device certificates issued off a non-trusted root certificate, even though Entrust is a trusted CA. The user clicks a link and submits their information, a notification is sent to the system admin for approval, and the requester is then sent a download that installs the Root, Chain and public certificate issued to them and allows them to authenticate on the network.

Entrust Device Certificates: http://www.entrust.net/mobile-devices/index.htm

Another option would be to issue your own certificates off an internal CA, where you do not have to follow the Baseline Requirements guidelines. You still have the same issue, though: the user is prompted to trust the certificates unless they are on the domain, in which case you can push out the certificates.

Author: Rob Lauzon
1 Comment

Administrative Comment by: Eric AKA Netminder, Page Editor

Congratulations; your article has now been published.
