# Issuing certificates

## redgsturbo

Suppose I have an x509 cert issued from cacert.org to my server. Now I want to issue client certs for my server that can also be verified by cacert, such that my server cert is acting in the role of a CA. How do I do that? I'm fairly green to PKI.

----------

## vaguy02

I'm not a PKI expert, but based on an x509 cert issued to your server, you can't act as the CA, because the CA is actually cacert.org. They are the trusted third party; they would need to issue any client certs.

----------

## Hu

As far as I know, for a signature to be honored, the signing party needs to have its certificate marked as being a certificate authority.  This is not the only requirement, but it is the most relevant.  Most tools will enforce this at signing time.  It is unlikely that CACert will give you a certificate which is also an authority, since then anything you sign would be seen as endorsed by CACert.  Do you need your client certificates to be descended from CACert or do you just need your server to be the authority for such clients?  If the latter, you can give your server a web site certificate from CACert to prove itself to clients, and separately create your own certificate authority to issue client certificates.  This latter authority would not start out as trusted by anyone, but if it is only used for letting your server validate client certificates, I do not think this will be a problem.

----------

## cach0rr0

you might also look at going the route of:

http://www.disciplina.net/howto/HOWTO-openca.html

just be your own CA!

----------
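Hu's answer and cach0rr0's "be your own CA" pointer describe the same setup: the server keeps the certificate CACert issued to it, and a separate private CA that you control issues the client certificates, which the server then verifies against that CA. The script below is an added example for this thread, not code posted by anyone here and not from OpenCA. It assumes `openssl` 1.1.1 or later on the path; the names `mycorp-client-ca`, `www.example.org` and `alice` are placeholders, and the "server" certificate is self-signed here only so the script runs offline (in practice it is the one CACert signed). It also shows the point Hu makes about the CA flag: signing a CSR with a plain end-entity certificate goes through, but `openssl verify` rejects the result because the issuer is not marked `CA:TRUE`.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenCA. Builds a private CA that
# issues client certs, separate from the server's own (stand-in) certificate.
# Names (mycorp-client-ca, www.example.org, alice) are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file of our own, so results do not depend on the system openssl.cnf.
cat > ossl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# 1. The private CA: self-signed, explicitly marked CA:TRUE with keyCertSign.
openssl req -x509 -config ossl.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=mycorp-client-ca" \
    -keyout ca.key -out ca.crt 2>/dev/null

# 2. Stand-in for the server's CACert-issued certificate. The real one is
#    signed by CACert; this one is self-signed so the script runs offline,
#    but like the real one it is an end-entity cert (CA:FALSE, serverAuth).
openssl req -x509 -config ossl.cnf -extensions server_ext -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=www.example.org" \
    -keyout server.key -out server.crt 2>/dev/null

# 3. The client's key and CSR. The client keeps alice.key; only the CSR
#    is handed to the CA for signing.
openssl req -new -config ossl.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=alice" -keyout alice.key -out alice.csr 2>/dev/null

# is_ca CERT -> "yes" if basicConstraints says CA:TRUE, else "no"
is_ca() {
    if openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# sign_client ISSUER_CERT ISSUER_KEY CSR OUT
# "openssl x509 -req" does not refuse a non-CA issuer; verifiers do.
sign_client() {
    openssl x509 -req -in "$3" -CA "$1" -CAkey "$2" -CAcreateserial -days 365 \
        -sha256 -extfile ossl.cnf -extensions client_ext -out "$4" 2>/dev/null
}

# verify_chain TRUST_ANCHOR CERT -> "ok", or the first openssl error line
verify_chain() {
    if out=$(openssl verify -CAfile "$1" -purpose sslclient "$2" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" | sed -n '/^error/{p;q;}'
    fi
}

sign_client ca.crt ca.key alice.csr alice-by-ca.crt
sign_client server.crt server.key alice.csr alice-by-server.crt

echo "ca.crt is a CA:          $(is_ca ca.crt)"
echo "server.crt is a CA:      $(is_ca server.crt)"
echo "alice signed by CA:      $(verify_chain ca.crt alice-by-ca.crt)"
echo "alice signed by server:  $(verify_chain server.crt alice-by-server.crt)"
```

To use this on the server, `ca.crt` is the only thing the server needs from the private CA (keep `ca.key` offline); in Apache mod_ssl that is `SSLCertificateFile`/`SSLCertificateKeyFile` pointing at the CACert-issued server cert and key, plus `SSLCACertificateFile ca.crt` and `SSLVerifyClient require` so that only certs chaining to your CA are accepted. Browsers do not need to trust `ca.crt` for this: it is the server that validates the client cert, which is exactly the case Hu says is not a problem.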

## vaguy02

As long as your users will trust you being your own CA, then sure. But unless you add yourself to the trusted CA list on each computer going to your site, you will get the nasty "untrusted certificate" message on just about every browser out there.

----------

## cach0rr0

*vaguy02 wrote:*

> As long as your users will trust you being your own CA, then sure. But unless you add yourself to the trusted CA list on each computer going to your site, you will get the nasty "untrusted certificate" message on just about every browser out there.


aye, but you get the same using a cert from CACert.org

if people are going to have to install a root cert, might as well have them install your own, and at least gain the ability to sign other certs to be trusted by those users.

----------

## vaguy02

It depends if the browser already trusts CACert.org or not, if it doesn't, then your statement is true.

----------

## cach0rr0

indeed. unfortunately default with FF and IE (and even wget) is not to trust certs from CACert

I hit this same pitfall myself - easily fixed mind you, just had to install the root cert from CACert, but I figure if you're going to get the errors requiring addition of a new root CA trust anyway, might as well have folks trust your own CA.

----------

## vaguy02

Personally, I feel that there should be a free CA organization that provides trusted certificates for servers and browsers, because security is everyone's responsibility. But I doubt it will ever happen that way.

----------

## cach0rr0

agreed. funny thing is, their logic is basically that if someone can afford to pay for a certificate, they're a legitimate business.

cyber-criminals have money for that sort of thing. joe techie at home does not. 

granted, yes, legit businesses do as well, but that a) restricts certs to those who can fork over the cash, b) gives people a false sense of security, since a criminal can snag a Verisign cert just as easily as a legit business can

oh well. that's why I don't force https within Apache - standard http pages put you at a landing page that explains how to install the cert, why you need to install the cert, etc

----------

