Ask HN: where do you get your SSL certificates?
I got a certificate from GoDaddy, and it only seems to work without throwing user warnings on only a handful of browsers (FF on windows, but not on Linux, not chrome, etc). Shelling
out several hundred bucks for a Verisign certificate seems awfully steep for a shoe string operation. Are there better alternatives?
53 comments
[ 0.86 ms ] story [ 128 ms ] threadI would try these sites:
- http://instantssl.com (comodo)
- http://www.sslmatic.com (retailer of various)
That should be a start.
Also, you might want to provide a bit more about the cert you currently have if you want to know why it's not working on other browsers. Finally, you might want to consider asking/browsing on serverfault.com. There are good discussions on the topic of SSL on that site.
Guess I'll have to check the other combinations later.
I would double check the configuration. Maybe something is up with the intermediate certificate?
Cheap, no certificate chain, and everything seems to have the roots installed.
It doesn't really matter where you get them from, the whole thing is a bit of a scam anyway. Since your security is as weak as the worst issuer, there's no point in buying a "premium" certificate.
True for most of us here, but not universally true. Extended validation certificates are expensive but provide an unparalleled level of reassurance for users: http://en.wikipedia.org/wiki/Extended_Validation_Certificate
We personally use Comodo for our 'cheap' certificates as we get massive buy discounts and GlobalSign for EV as they've have a 2048 bit default root since the start.
(defining 'should' here is difficult)
- http://www.securityfocus.com/print/columnists/405 - read the linked PDF, if you haven't already - it's pretty eye-opening. - http://i.imgur.com/u7PFH.jpg - this turned up on reddit the other day.
The server count option tells us how many physical servers you intend to install RapidSSL Wildcard on. A licence will be activated for each physical server installation and you must pay the full product price for each additional server installation. Most customers choose to install RapidSSL Wildcard on 1 physical server only. RapidSSL Wildcard includes 1 server licence free of charge and can be installed an unlimited number of times on each licenced physical server.
Licenced SSL certificates per server? Come on.
Obviously, they are a small CA, which means they are not recognised on some exotic platforms, but I haven't ran into any of those cases myself. Also, they require an intermediate certificate, but that was a no-brainer to setup. I have one up on my personal website, if you want to try if it works for you: https://micheljansen.org
GoDaddy itself is not a trusted CA on all platforms. It is backed by a trusted CA. To make this work, you have to add a "certificate chain" in your web server and provide the additional certificate linking GoDaddy to that trusted CA.
Read more about the configuration here. Note that you'll have to download one additional certificate, not just the main signed certificate. http://help.godaddy.com/article/5346
Here is what my ssl.conf looks like in Apache:
That gd_bundle.crt is what you're probably missing. Hope this helps.Part 3 here: http://nginx.groups.wuyasea.com/articles/how-to-setup-godadd...
Anyone have experience with Dreamhost SSL?
I believe they just resell comodo from when I used it last, but you could probably check
Having the domain name as the certificate "Organization" value is not an issue for us.
http://en.gandi.net/ssl
http://en.gandi.net/ssl
Fast provisioning and a simple-to-use interface. I've bought many certs from them and am very satisfied.
One nice thing they do is give you a www alt name for your domain. (e.g. alt name == www.apple.com for domain apple.com). Thawte charges a minimum of $169 for this.
This means that your certificate will be able to be used by www.domain.com and domain.com.
Some certs aren't able to be used for both (https://amazon.com), and the alternative is to buy two certs.
After reading this thread [1] I bought LeadNuke's SSL cert from NameCheap (a rebranded RapidSSL certificate). Sure enough it was incredibly easy to setup, and is trusted on all the main browsers.
[1] http://news.ycombinator.com/item?id=1318340