Trusted Root Signing Certificates

A root signing certificate is a certificate that you can use to sign other certificates, which then chain up to a trusted root certificate. With a root signing certificate, you essentially become your own certificate authority and can issue certificates that are trusted by all major browsers and clients.

Purpose of Root Signing Certificates

Most organizations don’t need a root signing certificate. They can just get a few certificates signed by a certificate provider or manage large numbers of certificates using an enterprise certificate management solution. So why would an organization get a root signing certificate? For flexibility when using certain applications such as Microsoft Certificate Services, Active Directory, or another in-house CA. Normally, an organization using Microsoft Certificate Services would have to generate its own self-signed root certificate and then distribute it to every client in the organization. This can be a huge task and can be almost impossible for some large organizations. If you get a root signing certificate, you can create a root certificate that is already trusted by your organization’s clients and quickly sign other client and server certificates. You retain the ability to revoke a certificate whenever necessary and manage other certificate policies.
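The chaining described above can be checked with OpenSSL. The script below is an added example, not a provider's procedure: it assumes the root signing certificate is a subordinate CA certificate signed by the provider's root, and every name, key and the pathlen:0 policy in it is constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate is generated locally.
# "Demo Provider Root" stands in for the provider's publicly trusted root.
set -eu

# mk_csr DIR NAME CN: create a new key and a CSR for it.
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# issue DIR ISSUER NAME EXT: sign NAME.csr with ISSUER, applying extensions EXT.
issue() {
  printf '%b\n' "$4" > "$1/$3.ext"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

build_chain() {
  d="$1"
  ca='basicConstraints=critical,CA:TRUE'
  ku='keyUsage=critical,keyCertSign,cRLSign'
  mk_csr "$d" root "Demo Provider Root"
  printf '%s\n%s\n' "$ca" "$ku" > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null
  # Your issuing CA: pathlen:0 (assumed policy) forbids further CAs beneath it.
  mk_csr "$d" sub "Example Corp Issuing CA"
  issue "$d" root sub "$ca,pathlen:0\n$ku"
  mk_csr "$d" leaf "intranet.example.test"
  issue "$d" sub leaf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:intranet.example.test'
  # A CA created under the issuing CA, and a leaf under that: violates pathlen:0.
  mk_csr "$d" sub2 "Nested Department CA"
  issue "$d" sub sub2 "$ca\n$ku"
  mk_csr "$d" leaf2 "nested.example.test"
  issue "$d" sub2 leaf2 'basicConstraints=CA:FALSE'
  cat "$d/sub.crt" "$d/sub2.crt" > "$d/nested-chain.pem"
}

# Each check trusts ONLY the root, as a stock client would.
leaf_ok_with_chain()  { openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1; }
leaf_ok_without_sub() { openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1; }
nested_ok()           { openssl verify -CAfile "$1/root.crt" -untrusted "$1/nested-chain.pem" "$1/leaf2.crt" >/dev/null 2>&1; }

demo=$(mktemp -d)
build_chain "$demo"
leaf_ok_with_chain "$demo"  && echo "leaf + issuing CA cert: trusted"
leaf_ok_without_sub "$demo" || echo "leaf alone: rejected (server must send the issuing CA cert)"
nested_ok "$demo"           || echo "leaf under nested CA: rejected (pathlen:0)"
```

Clients need only the root in their trust store, but every server must present the issuing CA certificate alongside its own, or validation fails.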

What is required to get a Root Signing Certificate?

Each certificate provider has different requirements for trusted root signing certificates. Most will require something similar to the following:

  • Substantial net worth and insurance
  • A Certification Practice Statement (CPS) outlining your exact policies on issuing and managing certificates.
  • A FIPS 140-2 Level 2 compliant device to generate and manage your root certificate keys.

Root Signing Certificate Providers

There are only a handful of root signing certificate providers available. Because the usage of root certificates is so varied, costs must be obtained by contacting the certificate providers.

GeoTrust’s GeoRoot

GeoTrust’s GeoRoot is a very flexible solution for any Microsoft Certificate Services CA or in-house CA. They offer fixed annual fees and seamless integration into Microsoft Active Directory and Certificate Server. They have very specific requirements but allow you to issue certificates for multiple years for organization-owned domains, and allow installation on unlimited servers.

Learn more about GeoTrust’s GeoCert Root Signing Certificate

GlobalSign’s Trusted Root CA Certificate

GlobalSign’s Trusted Root CA Certificate gives you a certificate with over 99% browser compatibility that can be used to issue SSL, S/MIME, and code signing certificates. This allows enterprises with large certificate needs to quickly issue and manage certificates across the entire organization.

Learn more about GlobalSign’s GeoCert Root Signing Certificate

Other Root Signing Options:

For more information about trusted root signing certificates, please contact the providers listed above.

Originally posted on Fri Apr 10, 2009
