Hacker News

Parodper yesterday at 7:16 AM

Unfortunately the CA/B Forum has high requirements for constrained subordinate CA certificates[1], which to me sounds a lot like regulatory capture.

[1] https://community.letsencrypt.org/t/sub-ca-with-wildcard-cer...


Replies

toast0 yesterday at 3:54 PM

It's not that high of a requirement. The sub-CA is allowed to self audit. But the original CA does have to check a percentage of certificates issued by the sub-CA.

So that's not going to be free. But it might be possible to do it if you were big enough to pay for it. I have dreams of having my private CA also signed off on by webpki so apps and browsers could use the same servers without having to include webpki in my apps.

Not that I really work on such things anymore.
