image provider

El Cheapo Certificate Authority

The CurrCon Java Applet displays prices on this web page converted with today’s exchange rates into your local international currency, e.g. Euros, US dollars, Canadian dollars, British Pounds, Indian Rupees… CurrCon requires an up-to-date browser and Java version 1.8, preferably 1.8.0_112. If you can’t see the prices in your local currency, Troubleshoot. Use Firefox for best results.


This essay does not describe an existing computer program, just one that should exist. This essay is about a suggested student project in Java programming. This essay gives a rough overview of how it might work. I have no source, object, specifications, file layouts or anything else useful to implementing this project. Everything I have prepared to help you is right here.

This project outline is not like the artificial, tidy little problems you are spoon-fed in school, when all the facts you need are included, nothing extraneous is mentioned, the answer is fully specified, along with hints to nudge you toward a single expected canonical solution. This project is much more like the real world of messy problems where it is up to you to fully the define the end point, or a series of ever more difficult versions of this project and research the information yourself to solve them.

Everything I have to say to help you with this project is written below. I am not prepared to help you implement it; or give you any additional materials. I have too many other projects of my own.

Though I am a programmer by profession, I don’t do people’s homework for them. That just robs them of an education.

You have my full permission to implement this project in any way you please and to keep all the profits from your endeavour.

Please do not email me about this project without reading the disclaimer above.

The Opportunity

This project is not just about creating computer code. It is about setting up a small business. Small developers cannot afford the  $400.00 USD that Verisign charges each year for a code-signing certificate. Even Thawte charges  $230.00 USD . Yet home-made, self-signed/phony certificates are almost worthless from the point of view of preventing tampering and validating authorship. What the world needs is a company that issues cheap code signing certificates. I have dubbed this mythical company El Cheapo Certificate Authority. It will issue cheap Java code signing certificates, for say  $20.00 USD per year.

The technical aspects are not really all that difficult. Java comes with the tools you need such as keytool.exe and the JCE library.

The tricky parts of the project are financial and political, not the coding.

  1. How do you produce certificates for 1/10 the cost of the competition?
  2. How do you get your root certificate into Oracle’s list of trusted Authorities, so that the certificates you issue will be accepted as valid?
Most of your work will be writing and rewriting instructions to your applicant that explain what to do and what is happening, in clear, easy-to-understand, unambiguous languages. The idea is to create a totally automated system that does not require human assistance to the customers.

Making Certificates Cheaply

First, understand creating a certificate costs almost nothing. All you need is a computer program that you type the name and expiry date into, and second or two of CPU (Central Processing Unit) time. What costs is the research to vouch for the information you are signing. When Thawte does it, they want to see all sorts of business documents, your passport etc. They check up on you to make sure you really are who you claim to be.

The secret is 100% automation of the verification process, except perhaps for a last minute check you are not selling a certificate to your arch enemy. The verification is not as strong as Thawte and Verisign guarantee.

I propose using a fully-automated verification system that piggybacks on the existing PGP (Pretty Good Privacy) digital signature system. Here is how the automated verification and certificate-issuing works.

  1. The applicant reads the instructions for creating a certificate request on El Cheapo’s website.
  2. The applicant creates a private/public key pair, in the same way as if he were applying for a certificate from Thawte, perhaps using keytool.exe
  3. The applicant exports an ASCII-armoured certificate request file. This contains the public, but not the private key.
  4. The applicant sends a PGP-encrypted and signed email (perhaps created by El Cheapo’s Servlet) to El-Cheapo giving the name of the applicant’s website, or subdomain. They attach a copy of the certificate request. This and all subsequent emails in both directions are PGP-signed and encrypted.
  5. El Cheapo’s computer then sends back a digitally signed and PGP-encrypted email. The email includes instructions on what to do next.
  6. The email from El-Cheapo includes a verification URL (Uniform Resource Locator). The applicant clicks it to verify they got the email. This proves the client really does own the email address claimed.
  7. The email from El-Cheapo also includes a file with a peculiar and unique name. The applicant uploads this file to the root of his website or website domain. Anyone has right to upload to but not to its root.
  8. El Cheapo, within a few days, checks and rechecks the applicant’s website for the presence of this file.
  9. If it does not find it, it sends back an email explaining the problem and gives the applicant a few more days to get it right.
  10. If El Cheapo detects the file on the website, it now knows the applicant has FTP (File Transfer Protocol) upload rights to that domain and can be considered a sort of owner.
  11. El Cheapo can look up the DNS (Domain Name Service) records to find the owner, city, state, country of the domain, (however, not necessarily the subdomain).
  12. El Cheapo can only issue certificates for information it can verify. If the certificate contains extra information El Cheapo must reject the application and send an email to apologise and explain how to proceed.
  13. El Cheapo then signs the certificate request with its signing key and sends an email saying the application has been approved and the completed certificate is ready to pick up as soon as payment is received.
  14. The applicant pays in some way and El Cheapo’s computer is notified that it is ok to release the signed public certificate.
  15. El Cheapo sends the applicant the completed certificate as an attachment via email back to the recipient along with an URL where it can alternatively be picked up and installed with a web browser. The completed certificate is public knowledge. It does not matter who sees it.
At any time the applicant can login to the El Cheapo website to check on the status of his request or to get instruction on what to do next.

Note that El Cheapo has no knowledge of any applicant’s private keys.

It cannot verify names and city/states except for the root domain and then it is trusting DNS records. It is just verifying email address and website name. It cannot verify the name of the certificate owner the way Thawte and Verisign can.

You must be extremely careful that no one ever gets hold of your master private keys. They must be stored on a totally isolated computer. If they were compromised, every certificate you ever issued would also be compromised.

Unlike the big certificate companies, you would not offer insurance to cover the massive damage you could cause by a slip.

Selling Oracle

Before you start, approach Oracle or some of the programmers who work there who understand why El Cheapo is needed to make Applets and Java Web Start fly properly. See if you can get a commitment from Oracle to include your root certificate in their official list of certificate authorities.

You need a somewhat flaky name for the company, not quite as cheesy as El Cheapo though, to make it clear your certificates are of lesser quality than Thawte/Verisign’s, not just cheaper, e.g. Almost Free Certificates, ABC Certificates, No-name Certificates, House Brand Certificates, House Wine Certificates Yellow Box Certificates, Al’s Certificates, Acme Certificates, Ace Certificates, Bargain Basement Certificates, Generic Certificates, Just Plain Certificates, No Frills Certificates

or go ridiculously pompous; Universal Certificates, Intergalactic Certificates, My Planet Certificates

or hip, Down Low Certificates, Green Dog Certificates, GoBrother Certificates

or just a bit looney Off Broadway Certificates, Certificate Seconds, Goodwill Certificates, The Vouchers, Mother’s Certificates

The key is to pick a name that does not suggest big business as your target market. On the other hand, it can’t be so unappealing that you scare off your customers and the end users. Think hard about it. Test your candidates on people to see how they like them and would they actually accept code vouched for by such a company. Also check out the availability of matching domain names.

Oracle does not want to get the backs up of the big name certificate authorities. You want to reassure Oracle/Thawte/Verisign why your project will help them all make more money in the long run if they co-operate or leave you alone rather than if they manage to squash you. Point out that successful small software developers will later migrate to a more prestigious certificate. Without the training wheels of El Cheapo, applicants might never graduate to that. Point out that you will be training applicants in the basic procedures, making later sales to Thawte/Verisign go more smoothly with less labour costs.

Let’s say Oracle refuses. Your fallback position is to get ASP (Association of Shareware Professionals) to either front El-Cheapo or at least post their root certificates on their website. There needs to be a way of reassuring the end user that El-Cheapo is a real Certificate Authority, not something invented by hackers for nefarious purposes.

You just might get the backing of Verisign/Thawte by promising to sell out to them for $X in the event you start to cut seriously into their business. They invest nothing and stand to gain whole new generation of customers.

Let’s say Oracle still refuses. Your fallback position is to offer a service that updates root certificates for all major certificate authorities, including of course, El Cheapo.

root certificate installer

Let’s say that’s too much work, or the other CAs (Certificate Authorities) insist you not do that.

Offer the root update service via a program you download or a JWS (Java Web Start) app not officially associated with El Cheapo. It need not even embed the root certificates, a politically thorny issue. It can get them as needed direct from the CA (Certificate Authority) website master copies.

If they won’t let you do even that, then post instructions in many places on how to update root cerebrates for the major CA companies and include El-Cheapo as if it were their peer.

You can also give applicants some text to include on their websites to instruct users how to install El Cheapo root certificates in their Java so that your El-Cheapo certificate will function properly. The text paints El-Cheapo, certificate provider to the people, as the underdog pushed aside by the greedy corporate Thawte, Verisign and Oracle. Do everything you can the take business away from Thawte and Verisign rather than passing it on up to punish them for their bullying.

You would be more believable in your protestations you are not trying to put the big CAs out of business if you owned certificates from the major certificate signing authorities. You must always be upfront to everyone about why your certificates are cheaper, to explain what you have to give up when you use an El-Cheapo certificate.

If the competition unnerves you, consider selling the idea to a company already in the low-cost certificate business, usually SSL (Secure Sockets Layer) certificates, e.g. GoDaddy.


domain names
JWS: Java Web Start

This page is posted
on the web at:

Optional Replicator mirror
on local hard disk J:

Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

Your face IP:[]
You are visitor number