Ask HN: Where do you get CA validated “Client Certificates”?
A 3rd party API we're hoping to work with need a Client Certificate for authentication of our backend servers. However, contrary to (as I understand it) the general practice of using self signed certificates, they are asking for a certificate issued by a trusted CA.
I've gotten in touch with a few of the largest SSL certificate providers, and all but one of them has responded to my query so far.
The one that responded has quoted a price > USD 2K for what they call "PKI infrastructure" setup, and around $50 for each generated certificate. The $50 is fine, the $2K is too much IMHO.
Has anyone on HN dealt with such requirements before? If so, which certificate vendor did you end up using, and what was the approximate costing and general experience?
9 comments
[ 3.6 ms ] story [ 22.9 ms ] threadA local PKI is probably overkill. Do you intend to give every single coworker a certificate on their own smartcard? If not, PKI is most probably not needed.
https://github.com/OpenVPN/easy-rsa + two USB thumb drives in a safe (primary + backup) + one off-site in another safe.
Client certificates are kind of hard to ask a global PKI for, because you usually use some internal names, not public FQDNs...
Have you ever run into a similar situation?
Who's doing what, and which machine connects to the other one?
So... what they’re asking for isn’t actually anything fancy. Just go buy a normal certificate like you would for any other server (or get one for free from let’s encrypt).
In fact, if they want a cert that is signed by a CA that “works in browsers by default” it must be the case that what they’re looking for is a vanilla commercial “Web PKI” certificate. This must be true because the CA/Browser Forum requirements that commercial CAs are audited against stipulate that CAs are only allowed to sign vanilla certificates. They can’t sign anything fancier.
It sounds like what the vendor you talked to was trying to sell you was a commercial CA that they manage for you. In other words, your own root certificate authority. Those certificates would not be trusted by browsers by default. There’s no reason to pay for that — you could just run a CA yourself and do the same thing. In fact I contribute to an open source project[1] that does exactly that, if that’s what you end up needing.
[1] https://github.com/smallstep/certificates
We have a client certificate authentication in one of our projects. We hold the root CA key (self-signed), and this key is used to sign intermediate certificates, whose root private keys are held by our resellers. They issue client certificates, so we can easily find the reseller and end user.
With a public CA issueing client certificates, I wonder how you can authenticate clients at all, because any root CA can issue certificates now.
Or perhaps they are asking for S/MIME certificates?