Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mihirk
New Contributor

SSL Certificate Inspection: CA Signed Cert or Self-Signed Cert?

So I am trying to set up policies, and of course almost all of them require SSL inspection enabled.

 

I did issue the cert from the domain controller which is self-signed and imported it to the firewall.

Of course it will throw an error saying that it is not a valid SSL cert unless I install that cert as a Trusted Root on all PCs. If we get a cert from a trusted CA, then how would that work?

 

Would I be using any of the following information: Public IP: xx.xxx.xxx.xxx, Domain Name: xyz.local (AD domain) or xyz.com (a domain we own)? Would SSL inspection still work if I get the CA-signed cert for the xyz.com domain?

 

I am pretty new to the SSL and certificates world, so I don't have much of an idea how things work.

mj75
New Contributor

Hello,

 

UP subject!!

I have the same problem.

 

Any idea?

emnoc
Esteemed Contributor III

1st, no public CA is going to issue you a CA-root cert; that is not feasible, nor is it an option to buy just a rootCA cert.

 

Your rootCA is "your" root certificate; you just trust it in the OS or Firefox browser as a trusted rootCA and be done.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

sw2090

yeah, but they do issue sub-CA certs, Ken. Those can be used to sign certificates. The dark side is that this creates one more hop in the certificate verification path that has to be covered :\

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

emnoc
Esteemed Contributor III

So who do you think is issuing subCA certificates for re-signing?

 

I think, for example, you cannot go to GeoTrust, Entrust, Comodo and just flat out order a subCA off any of the higher roots/intermediates that they have in the chain.

 

The public CA is making money by the issuance of certificates. If they gave every Tom, Dick or Harry a subCA upon request, then he or she could become a signer and reseller and sign like God... 1 billion certificates under that chain ;)

 

That's not an offering that is offered to the general end-user.

 

btw I've worked with two major well-known public CAs over the course of the last 8 years.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

sw2090

an intermediate to me is nothing other than a sub-CA ;)

And intermediates are meanwhile in common use for reselling. There is meanwhile a whole lot of smaller certificate sellers that issue certs based on an intermediate. A win-win for the CA - they have two channels for selling...

 

FGT SSL Deep Inspection, e.g., needs a sub-CA cert to work...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

emnoc
Esteemed Contributor III

FGT SSL Deep Inspection, e.g., needs a sub-CA cert to work...

 

You're not even 100% correct here and are providing misleading information or confusion.

 

I've done SSL inspection with both a single rootCA or with an intermediate certificate (aka subCA) on FortiGates and a host of other firewall vendors, fwiw. (btw Forcepoint NGFW seems not to work with an intermediate from my experience and testing... keep that in mind if you're doing a PoC or bake-off between vendors and have a heavy dependence on SSL VPN or SSL inspection and deep chains; the support/development teams know about this, but I highly doubt the sales teams explain this limitation with the CA depth, & yes, this is me griping about this limitation.)

 

In SSL inspection, the certificate can be either a root-CA or an intermediate-CA certificate; the former is more ideal in big organizations, but I've seen various avenues and topologies used by private CAs for SSL inspection.

 

Either way you go, the chain has to be trusted by the end-user (i.e. OS, browser).

 

In most of the top orgs and Fortune 500s they are using Microsoft CA or generate their own self-signed PKI infrastructure, commonly by using openssl (that's what I do). When you go to a commercial CA for this, all they are doing is managing a "different chain" for you that is NOT the general public chain that you see in the browser or at the OS level.

 

They are NOT going to just give you a rootCA for SSL inspection or re-signing of intermediates, fwiw. You can't go as an individual and say "I want you to give me a root-CA." Now if you're a big business (i.e. Fortune 500, mil, edu, NSA, etc...) they can build you "your" PKI-CA & can build you a PKI infrastructure and give you rights to issue, for example, server certificates. I just did that recently with Entrust and GlobalSign. They typically call this service a "custom-CA or custom-ICA ... Intermediate Certificate Authority". They manage a complete PKI down to OCSP and CRL.

 

But a generic user like you or me is NOT going to get that, nor would it be cost-effective to buy into that program or design as a generic end-user. We are talking about the TOP organizations or businesses (i.e. millions of dollars). These organizations are signing thousands of CSRs for various needs and reasons.

 

Keep this thought in mind: "all public CAs are really self-signed". The only difference from your private CA, or let's say your custom-ICA if you went that route, is that yours is NOT publicly known or recognized ;).

 

The public CAs are paying the OS and browser vendors (i.e. Firefox) to be installed as a trust component in those systems. Technically speaking, probably 100K public CAs exist (probably more), but not all of them are in your Windows OS or Firefox browser as an accepted CA.

 

And finally, just guessing, probably 1 million+ CAs exist (public and private sector); again, not all of them are pre-installed in your end OS device or browser ;)

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

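To see the root-CA vs. sub-CA point and the "chain has to be trusted" point in practice, here is an added example (not code from the thread, from Fortinet or from any poster): it builds a private root CA, a sub-CA signed by it and a re-signed server cert with openssl, then checks which trust-store setups accept the re-signed cert. The names (Example Corp, www.example.com) and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a private two-tier PKI built with openssl
# (root CA -> intermediate/sub-CA -> re-signed server cert), then the client-side
# check showing the re-signed cert is accepted only when that chain is trusted.
# Names (Example Corp, www.example.com) are made up; the keys are throwaway.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
EOF
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper; set -e still aborts on failure
# 1. Private root CA: self-signed, like every root. Goes into the PCs' trust store.
q openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Corp Private Root CA" -extensions root_ext \
  -keyout root.key -out root.crt
# 2. Sub-CA signed by the root: the cert+key the firewall re-signs with.
#    pathlen:0 stops it from issuing further CAs should the key ever leak.
q openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
  -subj "/CN=Example Corp SSL Inspection CA" -keyout sub.key -out sub.csr
q openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile pki.cnf -extensions sub_ext -out sub.crt
# 3. The server cert an inspecting firewall would mint on the fly for a site.
q openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.com" -keyout leaf.key -out leaf.csr
q openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 90 -extfile pki.cnf -extensions leaf_ext -out leaf.crt
# Client view: validate the re-signed cert against the given trust store only
# (system store disabled). Prints trusted/untrusted; args go to openssl verify.
check_leaf() {
  if openssl verify -no-CAfile -no-CApath "$@" leaf.crt >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}
check_leaf -CAfile root.crt -untrusted sub.crt  # root trusted, chain sent: trusted
check_leaf -CAfile root.crt                     # intermediate not sent: untrusted
check_leaf -partial_chain -CAfile sub.crt       # only the sub-CA trusted: trusted
check_leaf                                      # nothing private trusted: untrusted
```

The second check is the extra hop sw2090 mentions: if the firewall does not send the sub-CA along with the re-signed cert, a client that trusts only the root still rejects it.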