Use an SSL wildcard certificate to sign other certificates
Can I use a wildcard SSL certificate to sign other certificates?
I.e., I bought a wildcard root certificate for *.example.com.
I want to allow a third party to provide me a service on thirdparty.example.com.
Is it possible to create a certificate for thirdparty.example.com and sign it with my *.example.com certificate? Or do I need to buy a separate certificate for the third party?
If this is not possible, can I buy a domain signing certificate? To be clear, I only want to sign certificates on .example.com and not on a root level (.com) certificate.
No, you cannot (although it is technically possible, it will not work), since a certificate-signing certificate must have two extensions with the following values:
- Basic Constraints must be set to CA = True and marked as critical
- The KeyUsages extension must contain the keyCertSign and cRLSign bits.
Can I buy a domain signing certificate?
Yes, it is possible, but it would be very expensive for you (unless you plan on issuing a large number of certificates), as you will have to pay a hefty price for this service, buy the necessary hardware (an HSM is a must), write documentation (a CPS at a minimum), and undergo external audits to verify that you are complying with the supplier's CPS (Certification Practice Statement). Some time ago I wrote an article on root certificate signing: Certificate Authority Root Signing.
HTH
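The two halves of the answer above ("technically possible" but "will not work") can be reproduced with Go's standard library. This is an added example, not code from the original answer: it signs thirdparty.example.com once with a wildcard leaf (CA=False) and once with a sub-CA (CA=True, keyCertSign, cRLSign), then runs the issuer check on each link. The CA names and the `must`, `issue` and `demo` helpers are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // example helper: any setup failure is fatal
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs a certificate for name with parentKey (self-signed when parent is nil).
func issue(name string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name},
	}
	if ca { // a signing certificate needs CA=True plus keyCertSign and cRLSign
		tpl.KeyUsage, tpl.DNSNames = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// demo returns the per-link issuer check (CheckSignatureFrom) via the wildcard leaf and via a sub-CA.
func demo() (viaWildcard, viaSubCA error) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil) // all names are constructed
	wild, wildKey := issue("*.example.com", false, root, rootKey)
	sub, subKey := issue("Constructed Sub CA", true, root, rootKey)
	bad, _ := issue("thirdparty.example.com", false, wild, wildKey) // signing itself succeeds
	good, _ := issue("thirdparty.example.com", false, sub, subKey)
	return bad.CheckSignatureFrom(wild), good.CheckSignatureFrom(sub)
}

func main() {
	fmt.Println(demo())
}
```

The first value is a non-nil error even though the signature over the child certificate is cryptographically valid; the second is nil.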