As somebody who audits CAs for the purpose of getting them into trusted root
lists, this is what you have to do:
a) Obtain WebTrust for certification authorities or ETSI 101 456 standard (+
EV guidelines from cabforum.org)
b) Implement systems in line with one of these standards. Not cheap. HSM
devices alone cost $10k & upwards.
c) Get somebody who is trustworthy (think accountants or one of the Big 4
auditor companies; I recommend KPMG as I work for them) and/or WebTrust-
accredited auditors (who can certify) to audit you. The first time you will
almost fail, but if the auditor is an advisor, he'll help you through. Not a
cheap thing to do either.
d) Submit your application to the Microsoft trusted root list program, Mozilla,
Opera and everybody else. MS has deadlines in March and September for
submission.
e) Every 12 months, repeat the audit.
f) Ask yourself whether you really need it, and maybe get some CA to cross-sign
you.

--
Konrads Smelkovs
Applied IT sorcery.


On Sat, May 29, 2010 at 5:08 AM, Patrick Patterson
<ppatter...@carillon.ca> wrote:

>
> On 28-May-10, at 8:04 PM, Dallas Clement wrote:
>
>> This is probably a dumb question, but if I wanted to become the next
>> Verisign of this world, how do I create a legitimate CA cert?  I'd
>> like to be able to create my own that passes verification without
>> throwing errors, like "unknown CA".
>>
> Well, the first thing that you do, is do things that build "Trust", or
> the perception that you are trustworthy. Invest in hardware that will
> protect the CA's keys. Build processes that protect those keys. Use
> facilities that give the impression of trust (if you've ever been to
> Verisign HQ for a key ceremony, you'll appreciate the amount of "theater"
> that they do :). Then, document all of these in your "Certificate Policy"
> and Certification Practice Statement, along with all of the ways that you go
> about binding people or servers to their associated keys, and how you manage
> all of your personnel and facilities that are used in the operation of the
> CA, and issuance of certificates by that CA. When you cut your keys, do it
> in the presence of an auditor, and according to a proper key ceremony
> script.
>
> Once you have this, then get audited to prove that you are following your
> certificate policy. Most of the browser vendors, to be included in their
> "Trusted Roots" list, like to see a Webtrust audit. If you want to be
> included in the list that can validate EVSSL certs, then you have to also
> follow the guidelines of the CA/Browser forum.
>
> Most of the vendors, however, also have the caveat that in order to be
> included in their list, you have to be a commercial entity that is issuing
> certs to "John Q Public". If you only issue to people within a small, closed
> community, then you'll have to talk pretty fast to get them to accept your
> CA into their browser.
>
> That's it. If you need any help, give us a call :)
>
> ---
> Patrick Patterson
> President and Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
>
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

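The cross-signing option in step f) above, shown mechanically as an added example (this is not code from either message or from OpenSSL's own documentation). It assumes an `openssl` binary (1.1.1 or later) on PATH; every name, file and DN below is made up. A stand-in "existing trusted root" is created, the aspiring CA's CSR is signed once by itself and once by that root, a server certificate is issued under the new CA, and the leaf is then verified as a relying party that trusts only the existing root. With the self-signed root in the chain the verification fails (the "unknown CA" case from the original question); with the cross-certificate in its place, same key and same subject, it passes.

```shell
#!/bin/sh
# Added example (not from the thread): why a cross-signature fixes "unknown CA".
# Assumptions: openssl 1.1.1+ on PATH; all names below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-contained config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# 1. "Existing Trusted Root" stands in for a root that browsers already ship.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$WORK/ca.cnf" -extensions v3_ca -subj "/CN=Existing Trusted Root" \
  -keyout "$WORK/trusted-root.key" -out "$WORK/trusted-root.crt" 2>/dev/null

# 2. The aspiring CA: one key, one CSR. In production this key would sit in
#    the HSM the thread mentions; only the CSR leaves it.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
  -subj "/CN=New CA" -keyout "$WORK/newca.key" -out "$WORK/newca.csr" 2>/dev/null

# 2a. Its own self-signed root certificate, which no relying party trusts yet.
openssl x509 -req -in "$WORK/newca.csr" -signkey "$WORK/newca.key" -sha256 -days 3650 \
  -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/newca-selfsigned.crt" 2>/dev/null

# 2b. A cross-certificate: the SAME CSR (same subject, same public key), but
#     signed by the existing trusted root instead of by itself.
openssl x509 -req -in "$WORK/newca.csr" -CA "$WORK/trusted-root.crt" \
  -CAkey "$WORK/trusted-root.key" -CAcreateserial -sha256 -days 1825 \
  -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/newca-cross.crt" 2>/dev/null

# 3. A server certificate issued by the new CA with its one key.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
  -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/newca-selfsigned.crt" \
  -CAkey "$WORK/newca.key" -CAcreateserial -sha256 -days 365 \
  -extfile "$WORK/ca.cnf" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null

# chain_status <ca-cert-file>: verify the leaf as a relying party that trusts
# ONLY the existing root, with <ca-cert-file> supplied as the untrusted
# intermediate a TLS server would send. Prints OK or UNKNOWN_CA.
chain_status() {
  if openssl verify -CAfile "$WORK/trusted-root.crt" \
       -untrusted "$WORK/$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo UNKNOWN_CA
  fi
}

# Both CA certificates carry the same public key, so the leaf's signature
# verifies against either; only the issuer of the CA cert differs.
openssl x509 -in "$WORK/newca-selfsigned.crt" -noout -pubkey > "$WORK/pk1"
openssl x509 -in "$WORK/newca-cross.crt" -noout -pubkey > "$WORK/pk2"
same_key() { cmp -s "$WORK/pk1" "$WORK/pk2" && echo yes || echo no; }

echo "self-signed root in chain: $(chain_status newca-selfsigned.crt)"  # UNKNOWN_CA
echo "cross-cert in chain:       $(chain_status newca-cross.crt)"       # OK
echo "same CA key in both:       $(same_key)"                           # yes
```

The relying party never learns about "New CA" as a trust anchor; it accepts the leaf only because the chain it builds ends at a root it already holds. That is also the limit of the approach: the cross-certificate inherits the signing root's policy and lifetime, and the sponsoring CA's auditors will want the same CP/CPS and key-protection evidence the thread describes before they sign it.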