Daniel Scott

Reputation: 7913

Use a wildcard ssl cert to sign other certs

Is it possible to use a wildcard SSL certificate to sign other certificates?

i.e. I have bought a root-signed wildcard certificate for *.example.com

I want to allow a third party to provide a service for me, on thirdparty.example.com.

Is it possible for me to create a certificate for thirdparty.example.com and sign it using my *.example.com cert? Or do I have to buy a separate cert for the third party?

If this is not possible, is it possible to buy a domain-signing-cert? Just to be clear, I only want to sign certs for .example.com, not a root level (.com) signing cert.

Upvotes: 3

Views: 4313

Answers (1)

Crypt32

Reputation: 13944

No, you can't (although it is technically possible, it won't work), because a certificate-signing certificate must have two extensions with the following values:

  1. Basic Constraints must be set to CA=True and be marked as critical.
  2. The KeyUsage extension must have the keyCertSign and cRLSign bits enabled.

is it possible to buy a domain-signing-cert?

Yes, it is possible, but it would be very expensive for you (if you don't plan to issue a large number of certificates), because you will have to pay a huge price for this service, buy the required hardware (an HSM is mandatory), write documentation (a CPS at a minimum) and undergo external audits to verify whether you comply with the provider's CPS (certificate practice statement). Some time ago I wrote an article about root certificate signing: Certification Authority Root Signing.

HTH

Upvotes: 6
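The two checks from the answer, and what a TLS client does with a chain that violates them, as an added Go example that is not part of the answer above: it builds a constructed root, buys nothing but issues a *.example.com server cert and a proper intermediate under that root, signs thirdparty.example.com with both, and verifies each chain. It uses only the Go standard library; the names "Example Root CA" and "Example Issuing CA" are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a cert for cn; isCA adds the answer's two extensions (CA=true, keyCertSign and cRLSign).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if isCA {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature // ordinary server cert
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // never checks parent is a CA
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func canSignCerts(c *x509.Certificate) bool { // the answer's two checks on a parsed certificate
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0 && c.KeyUsage&x509.KeyUsageCRLSign != 0
}

// demo issues thirdparty.example.com from the *.example.com leaf and from a real intermediate CA.
func demo() (wildIsCA, interIsCA, rawSigOK bool, viaWild, viaInter error) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	wild, wildKey := issue("*.example.com", false, root, rootKey)
	inter, interKey := issue("Example Issuing CA", true, root, rootKey)
	fromWild, _ := issue("thirdparty.example.com", false, wild, wildKey)
	fromInter, _ := issue("thirdparty.example.com", false, inter, interKey)
	// The signature itself is mathematically valid ("technically possible"); only the chain rules reject it.
	rawSigOK = wild.CheckSignature(fromWild.SignatureAlgorithm, fromWild.RawTBSCertificate, fromWild.Signature) == nil
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: "thirdparty.example.com"}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(wild)
	opts.Intermediates.AddCert(inter)
	_, viaWild = fromWild.Verify(opts)   // rejected: the issuer is not a CA
	_, viaInter = fromInter.Verify(opts) // accepted
	return canSignCerts(wild), canSignCerts(inter), rawSigOK, viaWild, viaInter
}
```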
