Reader Remek Kocz says:
First of all, thanks for writing Secure Messaging. I’ve been doing a lot of research on Exchange 2K security recently, and your book pretty much filled in all the gaps. The reason I’m writing you is that I have not been able to find an answer to what I thought was a simple question (Usenet wasn’t much help, surprisingly). I’ve been tasked to secure our OWA servers w/SSL, and the issue of certificates came up. Is it possible to obtain a cert from a trusted authority like Verisign and then issue self-issued certificates with a path back to the Verisign one? Being a school district, albeit a large one, we need to look out for every dollar, so I wondered if it would be possible to combine the self-issuing CA &a commercial one. A pure self-issuing CA is not feasible for us, since many people travel without laptops, and there is no way of knowing how they’ll access the OWA servers.
This is a classic case for use of a subordinate CA: you want to create a CA that issues certs to end entities (in this case, your OWA servers; it might equally be used to issue certs to users), and you want that CA’s cert to be issued by a well-known commercial CA. You might think that Verisign, Thawte, and other commercial certificate vendors would provide this as a service, but as far as I can tell, they don’t. Why? Their preference is for you to use them as an issuer, offloading all CA work to them (and, incidentally, paying a per-certificate, per-year fee!) For the specific case you have in mind, Verisign offers their managed PKI service: they issue the certs, and you manage the issuance and revocation process via a web-based admin tool…but you don’t run your own CA. Section 3.1.1 of Verisign’s certification practices statement talks about the process of registering as a non-Verisign sub CA, but I can’t find where you actually do that on their web site. I’ll post more details if I can find a better answer.
Update: BeTrusted‘s OmniRoot service does exactly what you want. Thanks to David Cross for the tip.
Paul's Down-Home Page 