

Don't submit to the SSL cert racket. You can get one for no charge - vibrant
http://www.startssl.com/

======
stevelosh
I've used StartSSL in the past. I will never do so again.

Yes, the certs are free, and yes, they work in all common browsers. But the
process of obtaining them is a horror of Lovecraftian proportions. I'll
happily pay a few dollars to Namecheap to be able to avoid the nightmare that
is StartSSL's UI.

~~~
aiurtourist
I second this experience, and "Lovecraftian" is indeed an excellent way to
describe it. It's not just that the process was difficult, it's that my
confidence dwindled through every strange and baffling step.

Since you mentioned paying "a few dollars" to Namecheap, can you comment on
the feasibility of their $8.95 "PositiveSSL" certificate?
(<http://www.namecheap.com/ssl-certificates/comodo.aspx>)

~~~
foobarbazetc
The best (in terms of browser compatibility) cheap cert that Namecheap sell is
the RapidSSL cert at
<http://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates.aspx>

~~~
moe
Be aware though that GeoTrust and Thawte certs don't work[1] on Android
devices. There are claims that it can be fixed by adding a cross-root cert[2]
but for me that didn't work out.

More generally: If you need to support mobile devices then read your CA's
compatibility list closely (if you can find it...) and test, test, test. You'd
think this shouldn't be an issue anymore in 2012, but it sadly still is.

[1] <http://www.zimbra.com/forums/administrators/44675-new-geotrust-ssl-certificates-android-users.html>

[2] <https://support.servertastic.com/entries/426677-rapidssl-and-geotrust-certificate-not-trusted-on-mobile-device>

~~~
foobarbazetc
Sigh. I spent way too much time picking these particular certs and they've
gone and messed it up. :)

The cross-root cert should work, but you need to make sure it's presented in
the right order, I think.

FWIW, my latest RapidSSL-through-Namecheap certs were issued by:

    issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

And that's the "good"/trusted CA. I'm not sure when they made the switch, but
I only got this cert issued a couple of months ago.

FWIW, we also support Docomo phones, and that is a huge pain in the ass. The
only CA that works there is:

    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

If you don't need to support really old mobile devices, the best certs going
are, IMHO, Digicert. They get chained all the way back to Entrust:

    1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
      i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
      i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority

And the company has some of the best customer service going anywhere.
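The cross-root situation moe and foobarbazetc are discussing, as an added example that is not from the thread or from any CA: a throwaway PKI built locally with the openssl command-line tool (assumed to be installed), showing why a client that carries only the old root rejects the site certificate until the server also sends the cross-signed certificate, plus a check that a chain is presented in issuer-follows-subject order. Every certificate name here is constructed for the demo.

```sh
#!/bin/sh
# Throwaway PKI, all names constructed for this demo: the site cert hangs off
# "New Root", which an old device's trust store lacks; cross.pem is New Root's
# own key re-signed by "Old Root", which that old store does trust.
set -e
cd "$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Old Root" \
  -keyout old.key -out old.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=New Root" \
  -keyout new.key -out new.pem 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
# Cross-root certificate: a CSR for New Root's key, signed by Old Root.
openssl req -new -key new.key -subj "/CN=New Root" -out new.csr 2>/dev/null
openssl x509 -req -in new.csr -CA old.pem -CAkey old.key -CAcreateserial \
  -days 2 -extfile ca.ext -out cross.pem 2>/dev/null
# Site certificate issued directly by New Root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial \
  -days 2 -out leaf.pem 2>/dev/null
# trusted_by STORE LEAF [EXTRA...]: prints yes if a client that trusts only
# STORE can build a chain for LEAF from the EXTRA certs the server sends.
trusted_by() {
  store=$1; leaf=$2; shift 2
  u=""
  if [ $# -gt 0 ]; then cat "$@" > extra.pem; u="-untrusted extra.pem"; fi
  if openssl verify -CAfile "$store" $u "$leaf" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}
# chain_in_order LEAF CERT...: each cert's issuer must equal the subject of the
# cert after it, which is the order a server has to present them in.
chain_in_order() {
  prev=$1; shift
  for c in "$@"; do
    iss=$(openssl x509 -noout -issuer -in "$prev" | sed 's/^issuer=//')
    sub=$(openssl x509 -noout -subject -in "$c" | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || { echo "out of order: $prev -> $c"; return 1; }
    prev=$c
  done
  echo ok
}
echo "new device, leaf only:    $(trusted_by new.pem leaf.pem)"            # yes
echo "old device, leaf only:    $(trusted_by old.pem leaf.pem)"            # no
echo "old device, leaf + cross: $(trusted_by old.pem leaf.pem cross.pem)"  # yes
echo "chain order:              $(chain_in_order leaf.pem cross.pem)"      # ok
```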

~~~
chrisbolt
_If you don't need to support really old mobile devices, the best certs going
are, IMHO, Digicert. They get chained all the way back to Entrust:_

Not only that, they check your installed cert after you buy it and email you
if you installed it incorrectly: <http://www.digicert.com/help/>

~~~
pja
So does StartSSL.

------
yangez
I'd feel a lot better about using this if its website looked a bit more
professional.

~~~
kingofspain
This seems to have been downvoted but it's not an invalid point. The web is old
enough now that a certain level of design is expected of things people need to
trust. A shop down a side alley with a hand written sign inspires less
confidence than something plastic on the high street - however wrong that
initial impression may be.

People with background knowledge may know startssl is legit/good but to a
newcomer I can easily see why their first impression is off.

~~~
billpatrianakos
Absolutely! I had never heard of Start before and I honestly thought for a
moment that maybe this was spam that had somehow got on to the front page as a
fluke. I'm serious. I'm not used to seeing a company website make it on the
front page of HN or HN at all without there actually being some kind of
article on the page you get to.

SSL certs are important and I don't think their design is helping them look
like a legit business. I trust they are after all the comments here but on
first glance I was skeptical and thought it was too good to be true. I know we
all pride ourselves on being smart, critical thinkers that can look past a
site's design and see the true value behind it but I think in some cases it's
perfectly normal and acceptable to react this way to a design. Superficiality
be damned. I'd rather run from a poorly designed, non-legit looking site and
be safe rather than risking it and being sorry later because I gave in to the
PC, "don't be superficial" side of me.

------
huhtenberg
Keep in mind that Gandi includes 1 free SSL cert with every domain name. Per
year.

~~~
Macha
Only with the first year, if I'm reading their site right?

> With each domain name transferred to Gandi, we include a Standard SSL
> certificate for free the first year.

<https://www.gandi.net/domain/ssl#nav>

~~~
huhtenberg
Uhm. It is ambiguously worded, that's for sure -

    Included for free the first year with the purchase,
    transfer, or renewal of your domain name.

My understanding was that if I had a domain with them and renewed for another
year, that would fall under the "renewal" clause of the above.

------
DEinspanjer
I started to do Class 2 identification with StartSSL, but I chickened out
after they asked me to provide my marriage certificate and wife's personal
info.

They have a very detailed policy document describing all sorts of security
procedures they purport to adhere to, but I have no way to validate whether
they are actually following those policies and no recourse for me or my wife
even if it was determined that they are not following them.

That is just too risky for the value I would get out of the process.

(posted to Twitter also:
<https://twitter.com/#!/deinspanjer/status/158596876772450304>)

EDIT: I was contacted by Eddy Nigg with some follow up information. I should
have said that the reason they asked for my wife's info is because they wanted
phone bills and those are in my wife's name which isn't the same last name as
mine. That said, I'll still stand by my statement that the risk and complexity
vs. reward was just not suitable for me.

EDIT 2: Okay, they offer an alternative for validation: they can mail you a
registered letter with a validation code on it. That is much more acceptable
to me, so I'll continue on with the process to see how that goes.

------
js4all
It's worth mentioning that their certificates cannot be used to secure a Java
web service because their CA is _not_ included in Java's cert bundle. I had to
learn this when I tried to call out to a web service (with a StartCom cert)
from Salesforce.

Also, their certs are only free as long as you don't need to revoke them.

~~~
Karunamon
Came here to say something like this. While the site is a bit of a pain, and
the certs are free, make damn sure you have your site configured the way you
want it before you generate the certificate.

It's $25 to revoke a cert, i.e. free up the name so you can use it again
elsewhere. I used part of my domain name for an XMPP cert that I later wanted
to use for a web subdomain with the same name.. nope. Stupid.

~~~
pagekalisedown
Why bother revoking? Get a new cert from someone else for 10$, ditch the old
one, done.

~~~
cinch
You'd want to revoke it if someone steals your private key.

~~~
Karunamon
Given the way Startcom operates, that could become expensive quickly. Since
your private key is your gateway into your account (Why they went with this
method instead of requiring a sensible password is beyond me, it's one of the
reasons their site is a huge pain...), theoretically every certificate you own
is compromised, and therefore you'd be out $25 for each one.

..ouch!

------
brianjolney
My understanding is free ones are not trusted/accepted by the browsers, hence
to have something that isn't tossing errors at your users requires a small
payment to a CA.

I've used PositiveSSL from Namecheap whenever I need certs, it's something
crazy cheap like $5

~~~
elliottcarlson
_My understanding is free ones are not trusted/accepted by the browsers_

You might mean self-signed certificates?

~~~
charliesome
Well anyone could start their own CA and hand out free certificates. The
problem is that nobody trusts Joe Bloggs' new CA.

------
mike-cardwell
The SSL certificate for <https://grepular.com/> is from StartSSL. I renewed it
5 days ago. The CN is for "secure.grepular.com" (for historical reasons), with
a subjectAltName of "grepular.com"

I'd like to create a wild card certificate, but that costs money. My
understanding is that it is a one off fee (60USD) for them to validate your
identity and that it doesn't cost money to renew after that point. I could be
wrong though. It's not completely clear.

~~~
JoshTriplett
The identity validation expires every year, and you have to pay the $59.90
again to renew it. However, once you've validated your identity, you can
generate as many "class 2" certificates (including wildcard certificates) as
you like, and those certificates last 2 years.

------
meow
Is it possible to sign object code (.exe, .dll etc.) with any SSL certificate
that we buy? Or does this have to be mentioned clearly in the list of
features of the SSL certificate?

~~~
yardie
It's possible that an SSL certificate may have that capability added, but in
my experience they've always been sold as separate products. If you need a
code signing certificate the cheapest I've found was through Tucows. It's
hidden in their developer resource subdomain. We paid $199 for a 3 year code
signing cert.

------
micheljansen
I actually did pay them a bit, but only so that I could obtain "verified"
status and generate unlimited wildcard certificates for all of my domains.
It's a good deal :)

------
pbreit
I did not get a good feeling about StartSSL when I tried getting a free cert.
First, as many have pointed out, the web site experience is miserable.

Second, I just got a "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol
error." at <https://auth.startssl.com>

For a product that is supposed to be confidence inspiring, StartSSL is the
opposite.

~~~
mike-cardwell
You're supposed to have installed the client SSL certificate in your browser
before visiting that URL. It caught me out too initially. They use client side
SSL certificates for authentication. I don't know any other site which does
this.

~~~
xolox
It's the first time I came across client side certificates as well. As others
have pointed out you have to jump through a bunch of hoops to get a
certificate from StartSSL, but if your free time is cheaper than a certificate
from another party it can still be worth it (especially because the cost
repeats with other parties). I've been a happy customer for more than a year
now.

------
jusob
I'm using it. It is very great to get wildcard certificates, and multi-domain
certificates. Yes, their web interface is not great, but it does work.

------
fduran
I tried some time ago and didn't get the certificate or any email back, not
worth the hassle to save $20 imho.

------
Kudos
I went through the horrendous enrolment process only to find they don't issue
certs for subdomains.

~~~
moonlighter
Sure they do. I'm using a bunch of them right now. The only restriction
StartSSL has is that they don't accept popular names like 'amazon' or 'google'
for subdomain names (I found out after I tried to get a cert for
'amazon.xxx.com' which we'd run in an AWS EC2 instance for testing). So we
switched to 'sandbox.xxx.com' and got the cert within minutes.

------
hohoho2012
Upvoting advertising spam? Get a free cert with openssl and a shell!

~~~
xolox
While technically possible that doesn't get you very far, you'd end up with a
self-signed certificate. That works fine except for the scary warnings (which
look a bit unprofessional). And of course if the client programs of your
service do not have an interface for accepting self-signed certificates,
you're back to square one.

~~~
hohoho2012
Yes, I know. This people-scaring started with FF2/IE7? There is nothing wrong
with self-signed certs, except useless companies wanna make a quick buck
selling FUD.

~~~
ceejayoz
There absolutely should've been some sort of "encrypted but not verified"
handling for self-signed certificates. The current state of browsers is that
unencrypted HTTP is presented as safer than self-sign encrypted HTTPS. That's
lunacy.

Unfortunately, there isn't, and as a result self-signed certificates are
useless to anyone running a HTTPS site that expects any visitors.

~~~
kennethv
Though I don't enjoy the current sad state of affairs with regards to the
security and validation of CAs, there's something to be said for the old adage
that no security is better than false security, and trusting all self-signed
certificates would definitely be false security, since eavesdroppers could
just do a man-in-the-middle with their own self-signed certificate.

I'd personally be really happy to see something like
<http://perspectives-project.org/> instead of the current web of mistrust.

~~~
ceejayoz
> Though I don't enjoy the current sad state of affairs with regards to the
> security and validation of CAs, there's something to be said for the old
> adage that no security is better than false security, and trusting all self-
> signed certificates would definitely be false security, since eavesdroppers
> could just do a man-in-the-middle with their own self-signed certificate.

Currently, self-signed HTTPS is trusted _less_ than unencrypted HTTP. We don't
get a massive warning if visiting Facebook over HTTP, despite the MITM risk
_and_ the fact that data is being sent in clear to boot.

