Contents were taken from SubRoot page

Organisation Sub-Roots


Intro to Organisation Sub-Root Certificates

Question: I would like CAcert to sign my Sub-Root certificate so I can sign other certificates. Is this possible?

Answer: The short answer is no.

Because we are seeking inclusions in mainstream browsers we have been advised that this would not only complicate things, it might also potentially exclude us from ever being included.

This is because there are difficult questions. For example, whether we have control over who the 3rd party organisation is issuing certificates to, ensuring that organisation is sticking to the practices and policies, who has access to the private key, and so on and so forth.

At this point in time Sub-Roots are not planned, but are being researched for the future. Right now, it isn't something we are willing to risk after all the hard work people have put into working towards the goal of browser inclusion.

Answer: The longer answer is Maybe. This page discusses potential future ways to achieve this.

Organisation Assurance

If you are looking for an easier way to manage certificates within your organisation (a legally recognised entity) you should take a look at our OrganisationAssurance system: OrganisationEntities.

Automatic certificate issuing

If you are interested in automatic issueing of certificates, we already have the following options for you:

Note: these will need to be tied into the OAP and CPS.

Managed Intermediate Certificates

The so-called "Managed-Pki" solution is a system whereby a CA would issue an intermediate certificate to an organisation. This would enable the organisation to limit reliance-applications to the certificates that are issued by that intermediate certificate. what does that mean???

Under this proposal, CAcert would create a dedicated Intermediate certificate, and operate that intermediate certificate for the organisation. In order to issue end-entity certificates, the Intermediate certificate could be managed via the normal webinterface, and/or the CertApi. CAcert would provide a stable, automatic interface to issue certificates for the Intermediate CA.

As the CA operates the Intermediate CA, it also enforces the policy. It is an open question as to whether this would be the same policy as CAcert in general or whether there are variations possible.

In principle, this might mean that the Sub-CA would not be separately audited.

Constrained Sub-CA´s

If an organisation has high-availability demands for certificate issuing, or any other reasons that makes it necessary that you operate your own CA in-house, then there are 2 possible avenues:

Unconstrained Sub-CA

For unconstrained Sub-CA´s, CAcert will likely impose the same requirements it faces, including own policies and the Mozilla policies.

The cost of this programme might run to a few hundred thousand EUR/USD, and thus it will likely be more economic for the end-company to to get included into the browsers directly as a whole CA, instead of getting a unconstrained Sub-CA from CAcert.

Any Other Options?

If you have any specific needs that cannot be handled with the existing programs already available, please contact us.