SSL Certificates

Looking for a recommendation on who to buy affordable and reputable SSL
certificates from? Symantec, Thawte, and Comodo are the names that come to
mind, just wondering if there are others folks use.

Thanks,

AlphaSSL is pretty solid, priced right too.

We typically stick with Network Solutions, and DigiCert for SAN
certificates. VeriSign's prices are just insane.

I've had good experience with Entrust. One thing to be careful with is some mobile devices (especially older Android ones) have limited root certificates. Network Solutions and Entrust work, some others, not so much. From my experience Android 2.3+ has most of the common root certs, but previous versions don't.

I wonder if someone has a list comparing root certificate support across platforms?

We have been using GoDaddy for quite some time as they offer good deals if you call them in and buy in bulk. Mind you we manage certs for about 50-100 customers as well. Haven't had any issues with them not being trusted on mobile devices except for old Windows Mobile 5 and early 6 devices.

From: Michael Carey [mailto:mcarey@kinber.org]
Sent: Friday, January 06, 2012 9:15 AM
To: nanog@nanog.org
Subject: SSL Certificates

startssl.com - free certs that work in apple-mail, chrome, ff, ie,
tbird, across mac/linux/windows... you can't beat free.

(you do have to update yearly, but it's not painful, and is probably
worth doing as practice anyway)

-chris

theSSLstore has good reseller pricing on a variety of certs.
~ $10 domain validated rapidssl certs in about 5 minutes.
More expensive and time consuming certs are available, Verisign, Geotrust, Thawte, greenbars, wildcards, etc..
Ken

I second The SSL Store (http://www.thesslstore.com/)

I think their "free" certificates are for personal/individual use only,
and may not be as useful for company/business usage.

netsol was bought by web.com. "out of the frying pan ... "?

Almost everyone is basically just selling an "activation" with one of the SSL certificate authorities.

I usually buy a "RapidSSL" (Verisign) certificate from https://www.sslmatrix.com/ -- they seem to have some of the best prices and the rapidssl enrollment process is very efficient (at least for the cheap automatically "validated" products).

Ask

Almost everyone is basically just selling an "activation" with one of the SSL certificate authorities.

I usually buy a "RapidSSL" (Verisign) certificate from https://www.sslmatrix.com/ -- they seem to have some of the best prices and the rapidssl enrollment process is very efficient (at least for the cheap automatically "validated" products).

I get my RapidSSL and Comodo from these guys. Prices look about the same:

If you order a cert for example.com, Comodo's also work for www.example.com, no
extra charge.

R's,
John

The problem with anything related to Verisign at the moment is that
they either don't know or haven't come clean yet how far the hackers
got into their infrastructure over the last few years. The early
February 2012 announcements were woefully devoid of actual content.

The possibility of their root certs being compromised is nonzero.

There may be no problem; they also may be completely worthless. Until
there's full disclosure...

Comodo ever get "fixed" ??

/bill

The problem with anything related to Verisign at the moment is that

The possibility of their root certs being compromised is nonzero.

The possibility of _ANY_ CA's root certs having been compromised is non-zero.
There's no evidence published to indicate Verisign's CA key has been
compromised, and it's highly unlikely.

Just as there's no evidence of other CAs' root certificate keys being
compromised.

There may be no problem; they also may be completely worthless. Until
there's full disclosure...

[snip]

They are not completely worthless until revoked, or distrusted by web browsers.

There is a risk that any SSL certificate signed by _any_ CA
may be worthless some time in the future, if the CA chosen is later
found to have issued sufficient quantities of fraudulent certificates,
and sufficiently failed in their duties.

I suppose if you buy a SSL certificate, you should be looking for
your CA to have insurance to reimburse the cost of the certificate
should that happen, and an ironclad "refund" clause in the
agreement/contract under which a SSL cert is issued.

E.g. A guarantee such that the CA will refund the complete
certification fee, or pay for the replacement of the SSL certificate
with a new valid certificate issued by another fully trusted CA,
and compensate for any tangible loss, resulting from the CA's
signing certificate being marked as untrusted by major browsers,
revoked, or removed from major browsers' trust list, due to any
failure on the CA's part or compromise of their systems, resulting in
loss of trust.

I suppose if you buy a SSL certificate, you should be looking for
your CA to have insurance to reimburse the cost of the certificate
should that happen, and an ironclad "refund" clause in the
agreement/contract under which a SSL cert is issued.

These certs cost $9.00. You're not going to get much of an insurance policy at that price.

R's,
John

again, startssl.com - free. why pay? it's (as you say) not actually
buying you anything except random bits anyway... if you can get them
for free, why would you not do that?

In a message written on Thu, Feb 16, 2012 at 12:57:25AM -0600, Jimmy Hess wrote:

There is a risk that any SSL certificate signed by _any_ CA
may be worthless some time in the future, if the CA chosen is later
found to have issued sufficient quantities of fraudulent certificates,
and sufficiently failed in their duties.

One thing I'm not clear about is, are there any protocol or
implementation limitations that require only one CA?

I would think I could take my private key and get multiple CAs to
sign it, then present all of those signatures to the client. Should
one CA be revoked, my certificate would still be signed by one or
more others.

Does this work? Does anyone do it?
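
An added example, not code from the thread, that works through the question above and also John's earlier point that a certificate for example.com can cover www.example.com. It is a Go program using only the standard library; the two root names ("Example Root A", "Example Root B"), the host names and all keys are constructed for the example. An X.509 certificate carries exactly one issuer signature, so "one certificate, several CA signatures" cannot be expressed in the format. What you can do is have several CAs each issue a certificate for the same key pair; the server then chooses which chain to send in a given handshake, and a client that has distrusted one root still accepts the other certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on error; this example has no meaningful recovery path.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign has signer (whose certificate is parent) issue tmpl for the public key pub.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newCA builds a self-signed root. The CA names used below are hypothetical.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issue has ca sign a server certificate for pub. Every name the certificate
// should cover goes into the Subject Alternative Name list; that is what
// "also works for www.example.com" means in X.509 terms.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, names []string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, pub, caKey)
}

// accepted reports whether a client trusting exactly roots would accept leaf for host.
func accepted(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Outcome collects the checks so they can be asserted on rather than only printed.
type Outcome struct {
	SameKey       bool // both certificates certify the same server key
	OneIssuerEach bool // each certificate names exactly one issuer (one signature)
	BothAccepted  bool // a client trusting both roots accepts either certificate
	AFailsBOk     bool // with root A distrusted, cert A is rejected but cert B still works
	WWWCovered    bool // the SAN list makes the cert valid for www.example.com too
	OtherHost     bool // ... but not for a name outside the SAN list
}

func Run() Outcome {
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	rootA, keyA := newCA("Example Root A")
	rootB, keyB := newCA("Example Root B")
	names := []string{"example.com", "www.example.com"} // constructed for this example
	certA := issue(rootA, keyA, &serverKey.PublicKey, names, 1001)
	certB := issue(rootB, keyB, &serverKey.PublicKey, names, 2002)
	both := []*x509.Certificate{rootA, rootB}
	onlyB := []*x509.Certificate{rootB} // root A has been pulled from the trust store
	return Outcome{
		SameKey:       certA.PublicKey.(*ecdsa.PublicKey).Equal(certB.PublicKey),
		OneIssuerEach: certA.Issuer.CommonName == "Example Root A" && certB.Issuer.CommonName == "Example Root B",
		BothAccepted:  accepted(certA, both, "example.com") && accepted(certB, both, "example.com"),
		AFailsBOk:     !accepted(certA, onlyB, "example.com") && accepted(certB, onlyB, "example.com"),
		WWWCovered:    accepted(certA, both, "www.example.com"),
		OtherHost:     !accepted(certA, both, "mail.example.com"),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Every field of Outcome comes out true. The practical consequence for a server operator is that holding a second certificate from an unrelated CA (for the same key, so no new CSR is needed) is cheap insurance against a root being distrusted, but switching to it is a configuration change on the server, not something the client negotiates from a bundle of signatures.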

These certs cost $9.00. You're not going to get much of an insurance policy
at that price.

again, startssl.com - free. why pay? it's (as you say) not actually
buying you anything except random bits anyway... if you can get them
for free, why would you not do that?

The free ones are supposed to be used only for personal sites.

Also, the fact that they tell me to go away and use a different browser when I try to sign up using Chrome does not fill me with warm feelings.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

Because they do not have a wildcard one for 'free', which is useful when
one wants to serve eg example.com but also www.example.com from the same
location along with other variants of the hostname. Except for that, it
is a rather great offer. Though one can of course just serve the
example.com one and force people after they accept to the main site.

I tend to stick CAcert ones on hosts and tell people to either just
accept that single cert and store it for future checks or just install
the CAcert root cert, that covers a lot of hosts in one go, given of
course that one trusts what CAcert is doing, but that goes for anything.

The method that Firefox is using with the unchained certificates "save
this unverified cert and as long as it is the same it is great" is in
that respect similar to SSH hostkeys, one can verify those offline and
just keep on using them as long as that cert is the same you are
likely talking to the same host (ssl etc still don't cover compromised
hosts).

In the end, they are just bits, and this whole verification thing at the
verification of owner adds nothing except for an ease-of-use factor for
the non-techy folks on the Internet.

Greets,
Jeroen
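
An added example, not from the thread, of the SSH-hostkey style check Jeroen describes, written in Go against the standard library. It pins the SHA-256 of the server's SubjectPublicKeyInfo rather than the whole certificate, which is the usual generalization (a renewed certificate with the same key still matches), and it also shows the weak spot of trust-on-first-use that the thread alludes to: whoever is there on first contact gets pinned. The host name and all keys are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// PinStore plays the role of ~/.ssh/known_hosts: host name -> fingerprint of the
// public key seen on first contact.
type PinStore map[string]string

// spkiFingerprint is the SHA-256 of the DER SubjectPublicKeyInfo. Pinning the key
// rather than the certificate means a renewal with the same key still matches.
func spkiFingerprint(pub crypto.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Check is trust-on-first-use: an unknown host is pinned and accepted; a known
// host is accepted only if it presents the pinned key.
func (s PinStore) Check(host string, pub crypto.PublicKey) (ok bool, verdict string) {
	fp := spkiFingerprint(pub)
	pinned, seen := s[host]
	switch {
	case !seen:
		s[host] = fp
		return true, "first contact, pinned " + fp[:16]
	case pinned == fp:
		return true, "matches pin " + fp[:16]
	default:
		return false, "KEY CHANGED: pinned " + pinned[:16] + ", got " + fp[:16]
	}
}

// genKey returns a fresh public key standing in for a server's (or attacker's) key.
func genKey() ed25519.PublicKey {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub
}

// Results of the constructed scenarios, returned so they can be asserted on.
type Results struct {
	FirstContact  bool // honest server, new host: accepted and pinned
	Renewal       bool // same key again (e.g. after a certificate renewal): accepted
	Substitution  bool // a different key for the pinned host: expected false
	PoisonedFirst bool // attacker wins the first contact; the real server is then rejected
}

func Run() Results {
	server, attacker := genKey(), genKey()
	const host = "mail.example.com" // constructed for this example
	store := PinStore{}
	first, _ := store.Check(host, server)
	again, _ := store.Check(host, server)
	swapped, _ := store.Check(host, attacker)

	poisoned := PinStore{}
	poisoned.Check(host, attacker) // the attacker was there first
	realAccepted, _ := poisoned.Check(host, server)
	return Results{FirstContact: first, Renewal: again, Substitution: swapped, PoisonedFirst: !realAccepted}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

The last scenario is the trade-off in one line: the model detects a key change after the first contact, but it has no opinion about who was on the other end of that first contact, which is exactly the gap a CA signature (or an out-of-band fingerprint check) is meant to close.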