Intermediate CA with letsencrypt root

[LecrisUT]

I am fairly new to pki and acme so I want to ask some question:

1. Is it possible to setup a private acme server with the root CA from another public acme server, i.e. create certificates that are publicly trusted, but managed locally?
2. How do you setup a client certificate which is both publically and locally signed? For example I have control of example.com and I can use certbot to publicly authenticate my domain. How do I create client certificates for email user for example, using the same domain and make sure ransom people with let's ecrypt can't do the same

[tashian]

Hi @LecrisUT, thanks for the questions.

1. It is not possible to do this, because publicly trusted CAs only issue leaf certificates, they don't issue intermediates.

2. A certificate can only be signed by one signing key. So, instead, you probably want public certificates for public endpoints, and private certificates for private endpoints that your users use. The example.com website might have a let's encrypt certificate, but the email users of example.com could use privately-issued certificates for authentication to the SMTP server.

Random people can't use Let's Encrypt to make arbitrary certificates. You have to prove domain ownership by answering a challenge request—which is part of what certbot does.

Does this help?

[LecrisUT]

Yes, this clarified my concerns. From what I understand with client certificates, anyone can request one, which is the issue if I would use Let's Encrypt for email certificate.

Given that, is it possible to use step-ca to create client certificates for this usecase? How can I limit the client certificate creation to only those with email account already created?

[tashian]

From what I understand with client certificates, anyone can request one, which is the issue if I would use Let's Encrypt for email certificate.

Can you tell me a bit more about your use case?

I assume by "email certificate", you mean a certificate used to encrypt email with S/MIME. You can't get that kind of certificate from Let's Encrypt—they only offer website TLS certificates. So, you could use Let's Encrypt to secure an SMTP server using SMTPS, but not to encrypt individual email messages.

I believe step-ca could be set up to generate email encryption certificates, but we haven't created a certificate profile for S/MIME. If S/MIME requires any metadata that wouldn't be part of a vanilla X.509 user certificate (eg. custom extensions), then you will have to roll your own certificate template for step-ca. (See this blog post for more info on that.) Also, your email clients—both senders and recipients—will need to trust your internal CA. If that's not feasible, then you'll probably need publicly trusted S/MIME certs.

Given that, is it possible to use step-ca to create client certificates for this usecase? How can I limit the client certificate creation to only those with email account already created?

Sure. The OpenID Connect provisioner allows step-ca to trust your identity provider and issue certificates for users through that, via single sign-on. You may need to create a custom X.509 template for S/MIME though.

[LecrisUT]

Sorry for the confusion. With email certificate I meant client certificate used to identify users, so the same as any client certificate for websites. For that I think I only need to setup the email account in CN, which I hope it's the case with step ca certificate [email protected].

I believe the oauth approach is what I need. Can this be implemented in caddy's acme_server or do I need to compile myself a separate step-ca?

[tashian]

I would suggest running step-ca outside of the Caddyverse for that.