
SSLMate – Buy SSL certs from the command line - sleepyhead
https://sslmate.com
======
dankohn1
Take a look at [https://letsencrypt.org/](https://letsencrypt.org/) which will
(mid-year) let you get a cert from the command, for free!, and automatically
renew it as well.

~~~
WaxProlix
Is this live? It says it's coming 'mid 2015', and the standard (Ubuntu 12.04
LTS, I believe) repos don't seem to have any mention of it.

Edit for anyone else curious about this: No, the letsencrypt CA isn't ready
yet; there are test builds available for all of the software, but any certs
you get will not be properly signed, and your users will get nasty browser
warnings. Something to keep an eye on in the future, I guess.

~~~
tokenizerrr
No, it is not mid 2015 yet.

~~~
WaxProlix
Hence the edit, man.

------
ynak
Why are wildcard SSL certs so expensive? I want to use SSL certs on my
personal subdomains, but they are usually priced at around $150/year at least.
I hope Let's Encrypt will support multi or subdomains.

~~~
nisa
StartSSL offers as many wildcard certs as you want for a low fixed yearly fee
(50$)?

~~~
creshal
StartSSL is very much "you get what you pay for", though. Their web interface
is sporadically unreachable, and their validation is rather sloppy – as long
as you pay up, you can happily break their terms of service and still be
re-validated.

~~~
StavrosK
I never understood how that matters, though. My visitors will see a green bar,
job done. Breaking the ToS or not, I don't care as long as my address bar is
green. How is Verisign any different from StartSSL, in that regard?

~~~
creshal
> I never understood how that matters, though.

It will matter if StartCom is abused to print certificates for foreign
domains. Even if your domain isn't targeted, browsers and OS vendors will
probably react by invalidating all StartCom CA certs. That means no green bar.

~~~
nosefrog
Has this ever happened before? I'm genuinely curious, as I've heard this
warning often but it seems more like FUD than anything else.

~~~
zymhan
Google just removed CNNIC as a trusted CA from Chrome because of their sloppy
security and trust.

~~~
WorldWideWayne
CNNIC had provided "unauthorized digital certificates for several Google
domains" and in an update on April 1st Google said that "To assist customers
affected by this decision, for a limited time we will _allow CNNIC’s existing
certificates to continue to be marked as trusted in Chrome_, through the use
of a publicly disclosed whitelist" -
[http://googleonlinesecurity.blogspot.ro/2015/03/maintaining-...](http://googleonlinesecurity.blogspot.ro/2015/03/maintaining-digital-certificate-security.html)

So, I doubt they would treat StartSSL any worse than they treated China.

------
bontoJR
This is really interesting. It's very annoying to always fire up the browser to
renew/buy a certificate. I would definitely give it a shot for a standard one,
the wildcard looks quite expensive honestly. In other sources you can find it
at half-price with promo codes.

------
WA
This looks interesting. Couldn't figure it out right from the FAQ: If SSLMate
is a single-command buy & install, where do the certificate details (company
name etc.) come from? From my profile on the website?

~~~
agwa
Founder here. As nailer says, the only detail signed in a DV cert is the
hostname of your website. One of the crazy inefficiencies about buying certs
elsewhere is that they tell you to use the openssl req command to generate a
CSR. This prompts you for all sorts of details like your city, state, and
company name. This information is all ignored, and having to enter it is a
waste of time.

~~~
ryan-c
I've found that CAs sometimes actually do require the country to be present
for some reason. Anyway, in case it is useful to someone, here's a one-liner
to generate a key and CSR:

    DOMAIN=example.com sh -c 'openssl req -sha256 -nodes -new -newkey rsa:2048 -keyout "${DOMAIN}.key" -out "${DOMAIN}.csr" -subj "/C=US/CN=${DOMAIN}"'

~~~
agwa
Indeed, one of SSLMate's CAs actually does require the country code to be
present in the CSR, so SSLMate includes it (we get it from your online profile
so you don't have to type it every time). Despite this requirement, the
country code is not present in the signed certificate.
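
A local check of what such a CSR carries, as an added example that is not part of the thread or of SSLMate's code: it generates the key and CSR with the same `openssl req` options as the one-liner above, then confirms the CSR's self-signature and that its public key belongs to the private key kept on disk. The domain `example.test` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. example.test and the temporary directory are constructed values.

# Generate a private key and CSR on this machine (same openssl req options as above).
make_csr() {    # $1 = domain, $2 = output directory
    ( umask 077     # the key file must not be readable by other users
      openssl req -sha256 -nodes -new -newkey rsa:2048 \
          -keyout "$2/$1.key" -out "$2/$1.csr" \
          -subj "/C=US/CN=$1" >/dev/null 2>&1 )
}

# Subject the CA will receive, in RFC 2253 form.
csr_subject() {    # $1 = CSR file
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# The CSR is signed with the private key; check that self-signature.
csr_signature_ok() {    # $1 = CSR file
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True only if the public key inside the CSR belongs to the given private key.
key_matches_csr() {    # $1 = key file, $2 = CSR file
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# Demo run in a throwaway directory; only the .csr file would go to a CA.
demo_dir=$(mktemp -d)
make_csr example.test "$demo_dir"
echo "subject:         $(csr_subject "$demo_dir/example.test.csr")"
csr_signature_ok "$demo_dir/example.test.csr" && echo "self-signature:  OK"
key_matches_csr "$demo_dir/example.test.key" "$demo_dir/example.test.csr" \
    && echo "key matches CSR: yes"
rm -rf "$demo_dir"
```
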

------
BetaMechazawa
This looks pretty cool. Although I do not understand why I would have to sign
up on the website. The demo makes it look like it's a minimal-config command
line tool. Instead the website makes it look like it's a service and there is
no clear indication who stores my credit card info etc. on the front page. This
is explained in the FAQ though. A quick notice about stripe processing
payments on the front page would be nice.

~~~
agwa
True, the demo doesn't show the sign up process, but you only have to sign up
once and after that, buying certs is as simple as in the demo. (And the sign
up process is itself very quick.)

Thanks for the feedback about the credit card processing information. I'll
think about how to make that information more prominent.

~~~
tomjen3
Any reason you couldn't just have me enter the credit card info in the app?

------
kolev
Prices are much higher compared to Namecheap and their SSLs.com [0].

[0] [https://www.ssls.com/](https://www.ssls.com/)

~~~
agwa
Many of our customers realize that fact, but are nonetheless extremely happy
to use SSLMate. We're not a normal certificate vendor, and the ease and
automation of SSLMate sets us far apart. If these features aren't important to
you, Namecheap is a fine choice - I used them myself before creating SSLMate.

~~~
kolev
I understand, but during times when you can buy a decent whole web server for
just $60 per year with traffic and all, the SSL certificate prices are just
outrageously high!

------
falcolas
I'm the paranoid type; I would have a very hard time trusting a certificate
key which was downloaded over the internet.

Where is the SSL key generated? If I create my own certificate and key, can I
pass the signing request over sslmate to get it signed?

I couldn't find the answers to these questions on your FAQ or in the
documentation.

~~~
sleepyhead
[https://github.com/SSLMate/sslmate/blob/master/bin/sslmate](https://github.com/SSLMate/sslmate/blob/master/bin/sslmate)

~~~
falcolas
Useful (and confirms that it makes the cert locally), but we shouldn't have to
read through the source code to get the overview of how the cert is created
and signed.

~~~
sleepyhead
"Your private SSL key is generated on your system and is never transmitted in
any way to our servers. The sslmate command is a simple script that anyone can
examine to verify that this is true."

[https://sslmate.com/faq](https://sslmate.com/faq)

~~~
agwa
You might also be interested in checking out our security page:
[https://sslmate.com/security](https://sslmate.com/security)

------
tomjen3
Apparently you still have to create an account on their website...

And at 15usd/year that is infinitely more expensive than Let's Encrypt.

So while I might use it today, I don't see how they plan to have much of a
future.

