Self-issued certificates and commercial certificates.
Posted by Lord Amoeba on April 30th, 2004


First of all, sorry, but I'm just getting started with certificate-based
security, and I may not understand all the concepts yet. Here's my
question: can one obtain a root certificate from a commercial authority like
Verisign and then self-issue certificates that would point back to the
commercial cert in the certification chain? Is such a hybrid possible?
This is solely for SSL purposes.


Posted by Alun Jones [MS MVP] on May 1st, 2004


In article <c6trlf$28n$1@news.f.de.plusline.net>, "Lord Amoeba"
<lordamoeba@hotmail.com> wrote:
You can obtain a CA certificate from Verisign, but I think you'll find it
costs a lot of money.

A root CA certificate is simply a CA certificate that is installed directly
at the host computer as a "trusted root", rather than one that has to refer
up a chain to another CA that is a trusted root.

To get a root CA into Windows, you'd need to contact Microsoft and spend
some time and money convincing them that your CA is going to be acceptably
run, so that they can add you to the next round of Internet Explorer
updates.

It sounds like you are just looking for a CA certificate from Verisign (or
some other CA).

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | alun@texis.com.
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.

Posted by David W.E. Roberts on May 5th, 2004



"Lord Amoeba" <lordamoeba@hotmail.com> wrote in message
news:c6trlf$28n$1@news.f.de.plusline.net...
Out of interest, why would you want to do this?
If you are just working in a small community then you don't need a 3rd party
root CA to vouch for you.
The people know you, they know each other, they trust the certificates.

If you are working in a medium to large organisation and only using the
certificates internally, then again you don't need any external body to
vouch for your certificates. Your organisation issued them and you know that
they are good (or as good as your security model for the CA).

If you wish to run a secure CA which will issue globally trusted
certificates to a group of users who will use them to vouch for themselves
in the outside world (i.e. where the other party to the
communication/interaction may not know your company/group, and/or trust them
to securely vouch for the identity of the certificate holder) then what you
describe above is exactly what you do - you set up a CA with a root
certificate signed by a Trusted Third Party [TTP].
Everyone trusts this third party (e.g. Verisign, Thawte) so by association
they also trust you and believe your certificates.
So far so good - but if you do bad things, like issuing inaccurate
certificates to people unknown to you and not checked by you, then this
reflects on the reputation of the TTP.
Mindful of that, a TTP will not just sell you a root certificate.
They will also expect evidence that you can be trusted to manage this in a
secure manner.
Often this is done via a vendor of PKI infrastructure who will sell you the
kit and audit your installation and methods.
As suggested already in another response, this doesn't come cheap.

So yes, you can buy a root certificate then issue your own certificates
signed by this root certificate.
However this isn't a cheap option.
Nor is it simple.

HTH
Dave R
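The hierarchy Dave describes (a TTP root signing your CA certificate, your CA signing end-entity certificates) as an added example that is not from this thread: a constructed, self-signed root stands in for the commercial TTP, and the second case shows why the certificate the TTP sells you must itself be a CA certificate rather than an ordinary server certificate. Names and serial numbers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a minimal cert; CAs get CA:TRUE + keyCertSign, leaves get a DNS SAN + serverAuth EKU.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parentKey; a nil parent means self-signed (the TTP's own root).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der) // nil when issuance failed
	return cert, key, err
}

// ChainError builds TTP root -> customer sub-CA -> server leaf and verifies the leaf with only the root
// trusted, as a browser would; with subCAIsCA=false the customer cert lacks CA:TRUE and is rejected as issuer.
func ChainError(subCAIsCA bool) error {
	root, rootKey, _ := issue(template("Constructed TTP Root", true, 1), nil, nil)
	sub, subKey, _ := issue(template("Constructed Customer CA", subCAIsCA, 2), root, rootKey)
	leaf, _, err := issue(template("www.example.com", false, 3), sub, subKey)
	if err != nil {
		return err // issuance refused outright
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the only certificate the client trusts a priori
	inters.AddCert(sub) // supplied by the server alongside its leaf, not pre-trusted
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.com"})
	return err
}
```

ChainError(true) returns nil because the client reaches the trusted root through the customer CA; ChainError(false) returns an error, which is the technical reason a TTP must sell you a CA certificate (and audit how you run it) rather than just any certificate.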