Ask HN: Where do you get CA validated “Client Certificates”?

1 points by asadjb ↗ HN
A 3rd party API we're hoping to work with need a Client Certificate for authentication of our backend servers. However, contrary to (as I understand it) the general practice of using self signed certificates, they are asking for a certificate issued by a trusted CA.

I've gotten in touch with a few of the largest SSL certificate providers, and all but one of them has responded to my query so far.

The one that responded has quoted a price > USD 2K for what they call "PKI infrastructure" setup, and around $50 for each generated certificate. The $50 is fine, the $2K is too much IMHO.

Has anyone on HN dealt with such requirements before? If so, which certificate vendor did you end up using, and what was the approximate costing and general experience?

9 comments

[ 3.6 ms ] story [ 22.9 ms ] thread
Depending on the criticity of your protected service, you could probably just be your own Certificate Authority, and publish the root certificate internally. How many machines are we talking about?

A local PKI is probably overkill. Do you intend to give every single coworker a certificate on their own smartcard? If not, PKI is most probably not needed.

https://github.com/OpenVPN/easy-rsa + two USB thumb drives in a safe (primary + backup) + one off-site in another safe.

Client certificates are kind of hard to ask a global PKI for, because you usually use some internal names, not public FQDNs...

I'd love to use my own CA, but the 3rd party that needs these certificates wants them issued by a trusted CA; essentially a CA trusted by the browsers by default.

Have you ever run into a similar situation?

Nope, this really is weird. Can't you add a root CA to the machine providing the service? e.g. https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_...
Unfortunately no. That's how I think client certificates are usually given; generated with a self signed CA, but this 3rd party API want's a pre-trusted CA, not a self signed one.
I still can't understand what's going on :(

Who's doing what, and which machine connects to the other one?

There’s nothing special about a “client certificate” —- they’re not (necessarilly) any different than a TLS server certificate. Technically a relying party might check that a client certificate includes the “client auth” key use, but most (all?) commercial certificates issued for TLS/HTTPS servers do this (I know Let’s Encrypt does).

So... what they’re asking for isn’t actually anything fancy. Just go buy a normal certificate like you would for any other server (or get one for free from let’s encrypt).

In fact, if they want a cert that is signed by a CA that “works in browsers by default” it must be the case that what they’re looking for is a vanilla commercial “Web PKI” certificate. This must be true because the CA/Browser Forum requirements that commercial CAs are audited against stipulate that CAs are only allowed to sign vanilla certificates. They can’t sign anything fancier.

It sounds like what the vendor you talked to was trying to sell you was a commercial CA that they manage for you. In other words, your own root certificate authority. Those certificates would not be trusted by browsers by default. There’s no reason to pay for that — you could just run a CA yourself and do the same thing. In fact I contribute to an open source project[1] that does exactly that, if that’s what you end up needing.

[1] https://github.com/smallstep/certificates

It's pretty weird for an API to ask for a client certificate.

We have a client certificate authentication in one of our projects. We hold the root CA key (self-signed), and this key is used to sign intermediate certificates, whose root private keys are held by our resellers. They issue client certificates, so we can easily find the reseller and end user.

With a public CA issueing client certificates, I wonder how you can authenticate clients at all, because any root CA can issue certificates now.

Or perhaps they are asking for S/MIME certificates?

Any reason you can't get a cert for those machines as if they were going to be https hosts, and use that?
(comment deleted)