X.509 Certs For Personal Use

On the heels of some of the most productive conversation I've seen on
NANOG in ages, let me try another topic!

I suspect most people on NANOG are in the same boat that I'm in, we
operate some small number of domains for ourselves, friends, family, and
projects we like. I suspect many of us are also security conscious and
would like to use encryption as often as possible.

Unfortunately to communicate with random folks on the Internet you need
an "SSL Certificate" signed by a "Trusted Root". Ok, we can argue about
that, but that's what I'm going to assume for my question. That could
be a cert for a web server, a mail server, a jabber server, or even a
personal e-mail certificate.

What I've found is a few classes of service:

- Totally free, but the Root CA is not well distributed (or other
  issues).

- Free for "one" (perhaps one web, one e-mail) on a well distributed CA,
  major upcharge for more.

- Services for businesses designed for maintaining multiple domains and
  certs starting at $high and ending at $crazy.

I am _not_ looking for a free only alternative, but I am looking for a
fee structure and price that makes _personal_ use economically workable.
I'd love to support community based efforts, but the reality is random
folks will be accessing my web site, sending me e-mail, etc, so I want
certs that are signed by root certs that ship with OSX/Windows/Linux,
they should "just validate". I also do not require "EV" certificates,
although being able to get one for an upcharge might be nice.

Are there any providers that target someone with my desires? What
providers do NANOG folks use for their _personal_ needs?

I use these guys: http://www.cheapssls.com/

They sell Geotrust and Comodo certs for under $10/yr. The hassle
level is quite low. First you order a cert providing the usual
billing info, then you go to their web site, pick the order you just
paid for, go to a screen where you paste in your signing request, and
pick which e-mail address to send the confirmation message to. Click
a URL in the confirmation message and the signed cert shows up in a
few minutes. The certs are chained, but I've had no acceptance
problems once I realized I had to add an extra Apache config line
to serve the intermediate cert.

If you get a Comodo cert for example.com, it'll also work for
www.example.com. Other than that, they seem to be equivalent.

If you just want something for testing, http://freessl.com/ will
provide a real 30 day Geotrust cert for free, with similarly low
hassle. At the end of the 30 days, you can renew the cert into a paid
one at cheapssls or any other Geotrust reseller.

I realize there are places that will provide totally free certs, but
their hassle level is far greater. For $24 I can get a Comodo cert
that will make my SSL complaints go away for three years, which seems
like a bargain to me.

R's,
John

I use http://www.startssl.com/ for all my personal certificates. I have
not had any issues with the validations (once you have an account you
can validate a domain by sending an email to a predefined list of
contact addresses) and the certificates are issued instantly.

toor (lists) writes:

> I use http://www.startssl.com/ for all my personal certificates. I have
> not had any issues with the validations (once you have an account you
> can validate a domain by sending an email to a predefined list of
> contact addresses) and the certificates are issued instantly.

  "Your request is being held up for review by our personnel".

  Up to 6 hours. Must be their definition of instant :)

  Cheers,
  Phil

> toor (lists) writes:
> > I use http://www.startssl.com/ for all my personal certificates. I have
> > not had any issues with the validations (once you have an account you
> > can validate a domain by sending an email to a predefined list of
> > contact addresses) and the certificates are issued instantly.
>
>   "Your request is being held up for review by our personnel".
>
>   Up to 6 hours. Must be their definition of instant :)

It's nice to see that they actually do random reviews, rather than just
issuing everything requested. I use startssl and have not had anything
held for review.

John Peach (john-nanog) writes:

> > "Your request is being held up for review by our personnel".
> >
> > Up to 6 hours. Must be their definition of instant :)
>
> It's nice to see that they actually do random reviews, rather than just
> issuing everything requested. I use startssl and have not had anything
> held for review.

  And I did get my account and cert shortly after. So they are quick.

  On the other hand, I'm not sure I'd trust a cert where they
  happen to be the ones generating the key and the CSR themselves.
  Yes, it's free, but that doesn't mean I want to give up all forms
  of security :)

  Cheers,
  Phil

> Are there any providers that target someone with my desires? What
> providers do NANOG folks use for their _personal_ needs?

none at all, we choose NOT to make ourselves dependent on external suppliers as far as possible and this includes NOT having SSL which is lacking in encryption, as well as overall security (buffer overflows and what not) anyway, as well as "external parties" having YOUR keys. (whomever came up with that idea must work for some other government or have been on crack ;)

in short: no go, just encrypt your layer 2/3 if you don't trust the "way there" with a mechanism of your own, not supplied by unscreened third parties

(quite sure verybad notwork solution is full of cia spies, but we have none of ours in there, so screw them ;)

> > toor (lists) writes:
> > > I use http://www.startssl.com/ for all my personal certificates. I have
> > > not had any issues with the validations (once you have an account you
> > > can validate a domain by sending an email to a predefined list of
> > > contact addresses) and the certificates are issued instantly.
> >
> >   "Your request is being held up for review by our personnel".
> >
> >   Up to 6 hours. Must be their definition of instant :)
>
> It's nice to see that they actually do random reviews, rather than just
> issuing everything requested. I use startssl and have not had anything
> held for review.

I've had most of mine held, but almost always I get a response inside
of 20 mins. Really, what I care about here is:
  1) cert validates in almost all clients (mozilla/chrome/mail.app)
  2) controlled/secured by my key, not something made up on the server side
  3) not paying money for random bytes.

it works and eddy's pretty quick on requests.

-chris

> John Peach (john-nanog) writes:
>
> > > "Your request is being held up for review by our personnel".
> > >
> > > Up to 6 hours. Must be their definition of instant :)
> >
> > It's nice to see that they actually do random reviews, rather than just
> > issuing everything requested. I use startssl and have not had anything
> > held for review.
>
>    And I did get my account and cert shortly after. So they are quick.
>
>    On the other hand, I'm not sure I'd trust a cert where they
>    happen to be the ones generating the key and the CSR themselves.
>    Yes, it's free, but that doesn't mean I want to give up all forms
>    of security :)

<http://goo.gl/thGxC> (sorry, the blog's url is stupid and long)

use your own key materials and gen your own csr ... silly simple.
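
What generating your own key material and CSR looks like with the openssl command line, as an added example that is not part of the original thread. The function names, output directory layout and example.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): paths, function names and example.com
# are illustrative.

# Generate the private key locally and a CSR for it. Only the .csr file is
# pasted into the CA's web form; the .key file never leaves this host.
make_key_and_csr() {    # $1 = output directory, $2 = domain
    (
        umask 077       # key file readable by its owner only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/$2.key" 2>/dev/null &&
        openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    )
}

# Normalised PEM public key taken from a private key or from a CSR.
pub_from_key() { openssl pkey -in "$1" -pubout; }
pub_from_csr() { openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -pubout; }

# Succeeds only if the CSR was made from this private key.
csr_matches_key() {     # $1 = key file, $2 = CSR file
    k=$(pub_from_key "$1") && c=$(pub_from_csr "$2") &&
        [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the file about to be uploaded is a CSR with no private key.
safe_to_upload() {      # $1 = file
    grep -q 'BEGIN CERTIFICATE REQUEST' "$1" && ! grep -q 'PRIVATE KEY' "$1"
}

demo() {
    d=$(mktemp -d)
    make_key_and_csr "$d" example.com
    csr_matches_key "$d/example.com.key" "$d/example.com.csr" &&
        echo "CSR carries the public half of the local key"
    safe_to_upload "$d/example.com.csr" && echo "CSR is safe to paste into the CA form"
    safe_to_upload "$d/example.com.key" || echo "key file must stay on this host"
    rm -rf "$d"
}
demo
```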

Greetings I'll +1 Chris's experience with startssl

Yep someone else pointed me to this off list. Very useful - thanks!

Cheers
Phil

I received a number of interesting replies, most off-list, so I thought
I would summarize and perhaps restart the discussion.

Many folks pushed the "run your own CA" idea. While I get that works,
and even secures the communication, if you run a web site accessed by
random folks it will confuse some percentage of them.

StartCom (www.startssl.com) seems to be the only 100% free option, with
a few limitations. You must own your own domain (for instance they
validate your e-mail based on the ones listed in whois), and the certs
have the Organization set to "Persona not validated". This doesn't
prevent the certs from working fine and "locking the padlock", but if
someone looks at it, it may raise an eyebrow. Still, it's free, you can
generate a personal cert for e-mail and certs for web, smtps, jabber,
etc. Multiple certs are no problem. For 100% free, it's the only
option anyone has mentioned.

From there, you can move up to "cheap" with a couple of options. With
StartCom a $60 upcharge will verify a _person_. From that you can
generate unlimited certs for the domains you own, a pricing model I
think is really nice. They are good for 2 years, although the
verification is only good for 1 year. So it's $60 every 2 years if
you're not doing any new cert issues in that time, or $60 every year if
you are; but the lack of a per-cert charge makes this a pretty good deal
if you run a bunch of domains.

In the per-cert realm, both CheapSSL.COM ($8.95/cert/year) and RapidSSL
($49/cert/3year) offer relatively cheap per-cert pricing for one and
three year certs, respectively. Depending on needs these may be cheaper
or more expensive than StartCom.

I am personally trying out the StartCom free for S/MIME, HTTPS,
SMTPS, and IMAPS right now, and they are working quite nicely thus
far. If the testing goes well with all clients I may upgrade to
their verified product.

One last interesting idea that's not quite ready for prime time.
There's an IETF working group called DANE which has code in Chrome:
https://datatracker.ietf.org/wg/dane/

The idea is pretty simple, DNSSEC sign your zones, and then publish your
own key material in DNS. By doing this there is no need for a CA at all,
which eliminates not only cost but the trust and security issues with
the CAs. Of course it moves the trust and security to DNS, but at
least two folks argued that DNS (management) has proved more secure than
CAs, and at least there were fewer players to audit and trust.
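
How "publish your own key material in DNS" works out in practice, as an added example that is not part of the original message: it derives a TLSA record (usage 3, selector 1, matching type 1, i.e. a SHA-256 pin of the server's public key) from a certificate and shows that the pin survives a renewal with the same key but not a re-key. The host name, file names and throwaway certificates are constructed for the demo, and the record is only meaningful in a DNSSEC-signed zone.

```shell
#!/bin/sh
# Added example (not from the thread): file names and www.example.com are
# illustrative; the certificates are throwaway ones constructed for the demo.

# Hex SHA-256 of the certificate's SubjectPublicKeyInfo: the data field of a
# TLSA record with selector 1 (SPKI) and matching type 1 (SHA-256).
tlsa_spki_sha256() {    # $1 = PEM certificate
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Zone-file line for usage 3 (DANE-EE: pin this server's own key, no CA).
tlsa_record() {         # $1 = host, $2 = port, $3 = PEM certificate
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(tlsa_spki_sha256 "$3")"
}

# The comparison a client makes once the TLSA record has passed DNSSEC validation.
cert_matches_tlsa() {   # $1 = hex from the TLSA record, $2 = presented cert
    [ -n "$1" ] && [ "$(tlsa_spki_sha256 "$2")" = "$1" ]
}

# Constructed sample input: self-signed certificate for an existing or new key.
make_cert() {           # $1 = key file (created if missing), $2 = cert file
    [ -f "$1" ] || openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl req -x509 -new -key "$1" -subj "/CN=www.example.com" \
        -days 30 -out "$2"
}

demo() {
    d=$(mktemp -d)
    make_cert "$d/a.key" "$d/a1.pem"    # first certificate
    make_cert "$d/a.key" "$d/a2.pem"    # renewal with the same key
    make_cert "$d/b.key" "$d/b.pem"     # re-keyed certificate
    tlsa_record www.example.com 443 "$d/a1.pem"
    pin=$(tlsa_spki_sha256 "$d/a1.pem")
    cert_matches_tlsa "$pin" "$d/a2.pem" && echo "renewal, same key: record still matches"
    cert_matches_tlsa "$pin" "$d/b.pem" || echo "new key: TLSA record must be updated first"
    rm -rf "$d"
}
demo
```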