Alternatives to a Trusted Root certificate

Tom O'Connor asked:

Given a SSL-protected site that was formerly whitelisted (Allow from x.x.x.x etc), and and a requirement from a customer to change the way authentication works, to use X.509 HTTPS Client verification.

The problem with this is that none of “the usual suspects” of SSL CAs have the ability to generate X.509 certificates without buying into the CA’s Managed PKI service.

I’ve only ever done this for internal clients only, so it’s easy enough to generate a self-signed CA, and drop the CA’s public certificate into the clients’ keychains. For external customers, it’s a bit less easy to do, and to convince them to do it.

So it seems that the options are :
Go down the route of a managed PKI service. – Apparently this is prohibitively expensive and would mean replacing the internal CA stuff too?


Get a CA to sign their root certificate.

Is that right? Has anyone done something similar before? Does anyone know a ballpark estimate for what a Trusted Root might cost?

This is not a shopping question.

My answer:

If the customer is willing to install client certificates in their users’ web browsers to access your site anyway, then using a self-signed CA really isn’t that much of an issue, since you can just throw in that certificate as well while you’re at it.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.