
Yes, that's because browsers don't want to put the security of hundreds of millions of users in the hands of any Joe Random that asks for it. Running a CA is expensive because they are held to very high standards. You need to have your root keys inside an HSM, you need to have multiple people on your board who can access those keys, you need to set policies for certificate issuance that meet the CA/B requirements, you need to run OCSP servers, you need to be audited by a third party to verify you're actually following all those rules; all those things take money, so then you need billing, and charging people money implies you need support. In future you may need to take part in the CT audit logging system as well.

Take out any of these things and you'd be left with something that is significantly worse.

That's why it costs money to be a CA _that browsers trust_. Of course if you want to be a CA that doesn't care about browsers, that's like three lines of code at the command line.

This does not mean that the CA system is broken. There's a huge middle ground between "anyone can do it for free" and "totalitarian oligopoly". $1M to start a business is not that high compared to many other businesses.



