6 comments

[ 4.1 ms ] story [ 17.7 ms ] thread
I just want some CA to offer cheap/affordable name constrained CA certs for domains I own. If I own `foo.com`, I should be able to get a cert that can sign certs for `foo.com,*.foo.com`.

Yes, yes, DANE, but it's not ubiquitous or even all that widely accepted.

What aspects of a plain wildcard cert wouldn't work for that?
"Affordable". Most CAs charge exorbitant prices for wildcard certificates; 10x the price of a normal cert isn't unusual.
By deploying the same certificate/key to every machine you really cut down on the 'private' part of the private key.
$29 seems kind of ridiculous when "free" is right around the corner:

https://letsencrypt.org/

(Even at that, $29 isn't a particularly great price for an SSL certificate. If you shop around, you can get them from reputable CAs for half the price.)

Yeah, a little misleading. $29 is an intro price for a Standard domain-validated SSL cert.

A multi-domain cert (which is cool), $149/yr for 3 domains, +$40 for each additional.

Wildcard, $150/yr.

EV Wildcard, $380/yr.

Unified Cert, $570/yr.