Running a CA is not easy, and getting your root certificates included in trusted roots is even harder.
For the technical aspects of it, you will need an HSM for the root certificates generated, OCSP servers, a CRL mechanism, and the signing server. Many enterprises already run their own private CA, and there is plenty of free and open source software.
The difficult part is convincing root CA programs. Mozilla, Google, and Apple would be the start, but I suppose Curl/Java/Debian (which sync with Mozilla) will take some time to catch up too. You need to be audited (by firms like KPMG, and they don't come cheap), and they expect a certain level of transparency.
Why would you want to become a CA in the first place? Amazon and cpanel are root CAs that issue certificates for free. LetsEncrypt is free and issues certificates to everyone. I don't think there's any financial profit to be made anymore.
> The purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money.
Well, they're more honest than any current certificate authority.
When using free providers, you will notice that the issued to -> organization field will be empty. Free providers do not compete with company validating trust authorities. They are just developer tools.
A CA is a CA. A developer tool would be you signing certificates with your own private CA. LetsEncrypt is often better as they support must-staple, CT timestamps in the certificates themselves, and ECDSA leaf certificate support.
The snakeoil pitch would have worked 3-4 years back when browsers showed a big yellow label in the address bar, but as of now, they all look the same regardless of whether it's a DV, OV, or EV certificate, unless you click your way through the certificate information.
1) You have no contact info in your profile.
2) As throwaway pointed out, this is an expensive task to undertake and, at least based on your post, it's not clear what you hope to gain from building another CA that's sufficiently trustworthy to be accepted into the Web PKI root stores. Beyond free certs (Let's Encrypt), your needs might also be satisfied by something like Digicert's Dedicated Intermediate program [1], where they will build and manage a "sub-CA" (subordinate CA) for you that chains up to their widely trusted roots. This allows you to control certificates issued under that sub-CA (as long as your requests also fall within the baseline requirements) but saves you from the management and compliance overhead of a truly new CA.
What is it that you want to do, that you think you can do as a CA, but not as a customer/reseller of a CA?
In my experience as a CA customer, DigiCert is certainly expensive, but with that expense comes quite a bit of flexibility. Flexibility that might be able to meet your needs. Anyway, I would be amazed if Digicert's sub-CA program is more expensive than running a full-blown CA, including the time and effort to get the CA into trust stores.
Plus, you're going to need to get a CA to sign your root / your intermediates while you wait for all the trust stores your customers care about to get updated; and by "get updated", I really mean for your customers' customers to throw away their old devices. Your average Android device gets zero software updates and lasts up to 7 years in your customers' customers' hands, and who knows how many years behind upstream the manufacturer was when they built the thing.
I get the impression you may not be aware of the fairly unbounded levels of paranoia and suspicion that make up the bulk of public (personal and corporate) opinion about CA trustworthiness.
You very obviously have a motivation and agenda to post here, and for the sake of simplicity I trust that this is benign. But not actually documenting that rationale, let alone adding some reassuring arguments, kind of comes across to me as Step #1 in How To Successfully Not Succeed At Being A CA.
There are some nontrivial technical aspects which will be required if you want any certificate stores (browsers, operating systems, etc) to take you seriously.
Running `openssl ca` a few times won't cut it. You'll need an honest-to-god HSM to store your root keys in, a witnessed procedure for generating those keys, and some ironclad policies on access to those keys. This isn't something you can half-ass and fix later; if there's any doubt about who might have access to the root keys, the CA will never be trusted.
You might start using software like PrimeKey EJBCA (Enterprise Edition), Microsoft Server 2019 with Certification Authority, or some wrappers around openssl that are available online.
However, the journey of CertSimple may be marginally relevant to what you're proposing.
They were a small CA focusing entirely on the easy issuance of Extended Validation certs.
Disregarding the fact that EV never actually had any proven value (except for some code signing use cases), they did have a nice little business.
As far as I know it was a one-person company at first, and they were able to piggyback off the infrastructure of an existing CA. I can't remember whether it was an intermediate cert or simply reselling.
I was going to link to them but they seem to have shut down or been absorbed into another company.
https://www.namecheap.com/resellers/ssl-certificates/how-it-...
Oh, and be prepared to spend tens or hundreds of thousands of dollars over the next few years while this process plays out and your CA certificate actually gets added to the root store in the various browsers.
---
[0]: https://www.mozilla.org/en-US/about/governance/policies/secu...
The code for what you want to do has been baked into Windows Server since 2008. It also exists in OpenSSL.
The CA part is easy. The “getting the world to trust your CA” is the part most would call “difficult”.
If you can do the latter, a lot of people here can do the former, and you will likely succeed.
If you cannot do the latter, you will likely fail in the effort.
The difficulty then ramps up the more secure you want (or need) it to be.
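What the "easy part" above actually looks like, as an added example that is not code from anyone in this thread: the OpenSSL-only private CA several posters describe (root, issuing intermediate, CRL mechanism) plus the leaf features the LetsEncrypt comment mentions (ECDSA leaf, OCSP must-staple via the TLS Feature extension). All names (Example Private Root, www.example.test, the file names) are made up, SCTs and OCSP responders are not shown, and the root key is a plain file here, which is precisely the thing a real CA must never do; it belongs in an HSM behind a witnessed ceremony. Assumes `openssl` 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a two-tier private CA with plain OpenSSL.
# Root -> issuing intermediate -> ECDSA leaf with tlsfeature=status_request
# (Must-Staple), then revoke the leaf and publish a CRL. All names are made up.
# The root key is a file only for illustration; a real root key lives in an HSM.
set -eu

build_ca() {
  d=$1
  # Minimal req config so the script does not depend on a system openssl.cnf.
  cat > "$d/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[ dn ]
CN = ignored-overridden-by-subj
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  export OPENSSL_CONF="$d/req.cnf"

  # 1. Root: self-signed, only ever signs intermediates and CRLs.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/root.key"
  openssl req -config "$d/req.cnf" -x509 -new -key "$d/root.key" -sha256 -days 3650 \
    -subj "/CN=Example Private Root" -out "$d/root.crt"

  # 2. Issuing intermediate: pathlen:0 so it cannot mint further CAs.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/int.key"
  openssl req -config "$d/req.cnf" -new -key "$d/int.key" \
    -subj "/CN=Example Issuing CA" -out "$d/int.csr"
  cat > "$d/int.ext" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/int.ext" -out "$d/int.crt"

  # 3. Leaf: ECDSA, serverAuth only, SAN, and tlsfeature=status_request (Must-Staple).
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/leaf.key"
  openssl req -config "$d/req.cnf" -new -key "$d/leaf.key" \
    -subj "/CN=www.example.test" -out "$d/leaf.csr"
  cat > "$d/leaf.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
tlsfeature = status_request
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.crt"

  # 4. The bookkeeping `openssl ca` needs to revoke and issue CRLs for the intermediate.
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = issuing
[ issuing ]
database = $d/index.txt
crlnumber = $d/crlnumber
certificate = $d/int.crt
private_key = $d/int.key
default_md = sha256
default_crl_days = 7
EOF
  : > "$d/index.txt"
  echo 1000 > "$d/crlnumber"
}

# Path validation of the leaf up to the root, intermediate supplied as untrusted.
chain_is_valid() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}
# RFC 7633 TLS Feature extension shows up as "TLS Feature: status_request".
leaf_has_must_staple() {
  openssl x509 -in "$1/leaf.crt" -noout -text | grep -q 'TLS Feature'
}
leaf_is_ecdsa() {
  openssl x509 -in "$1/leaf.crt" -noout -text | grep -q 'ecdsa-with-SHA256'
}
# Mark the leaf revoked in the CA database, then sign a CRL that lists it.
revoke_leaf() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.crt" -crl_reason keyCompromise
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/int.crl"
}
# Returns 0 only when the verifier rejects the leaf specifically as revoked.
leaf_revoked_per_crl() {
  out=$(openssl verify -crl_check -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
          -CRLfile "$1/int.crl" "$1/leaf.crt" 2>&1) || true
  echo "$out" | grep -q 'certificate revoked'
}

# Stand-alone run: build, check, revoke, re-check (set -e aborts on any failure).
CA_DIR=$(mktemp -d)
build_ca "$CA_DIR"
chain_is_valid "$CA_DIR";        echo "chain verifies"
leaf_has_must_staple "$CA_DIR";  echo "leaf carries tlsfeature=status_request"
revoke_leaf "$CA_DIR"
leaf_revoked_per_crl "$CA_DIR";  echo "leaf rejected once the CRL lists it"
rm -rf "$CA_DIR"
```

Note what this does not give you: the root key is never taken offline, there is no OCSP responder answering for the intermediate, no SCTs are embedded, and nothing enforces dual control over `int.key`. Those gaps, not the commands, are the difference between a lab CA and one a root program would consider.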