Ask HN: Where should I buy an SSL certificate for my site? - shimon

I need some help navigating the SSL cert oligopoly. What vendor has a reasonable price while delivering a no-scary-messages experience in virtually all browsers?

Personal experience with various vendors and any gotchas I haven't thought of are especially welcome.
======
rarrrrrr
FYI, if you buy a wildcard cert covering *.example.com, example.com itself does
not match -- only subdomains do.

~~~
iigs
This is true, and it makes hosting www.example.com and example.com on the same
IP somewhat difficult. Certain newer browsers understand the Subject
Alternative Name format. Here's a link about it:
<http://www.digicert.com/subject-alternative-name.htm>

I don't know anything about the linked site, so I'm not endorsing their
products.

~~~
metachor
Digicert is a legitimate provider of SSL certificates (my company uses them
pretty much exclusively; I don't think they are any better or worse than other
SSL providers that I've used professionally).

One exceptional thing Digicert provides is good practical documentation for
generating a certificate signing request and applying a purchased certificate
to any web or application server. Makes it really easy for junior admins to
get up to speed when they have to apply certs to everything from IIS to
Apache, Tomcat, JBoss, etc. within the same environment.

~~~
mishmash
Actively considering using Digicert here so your info is appreciated.

We can work around the primary domain not matching because our landing page
has no real need for SSL, however, we do very much need iPhone support on the
subdomains.

Would you happen to know if Digicert Wildcard SSL certs work on the iPhone?
Thanks

~~~
robertss
The DigiCert Wildcard cert does work on the iPhone.

~~~
mishmash
Great, thanks.

------
tontoa4
I paid $14.99 for a GoDaddy certificate and I was up and going within a few
minutes. The certificate creation process was pretty simple. You have to
search "SSL Certificate" in Google to get the reduced price, otherwise they
charge about $10 more.

~~~
jeremyw
Note that new domain registrations at Namecheap currently include a free SSL
cert (1st free), and you can use them for arbitrary hostnames. Roughly the same
distribution of the parent cert in browsers.

~~~
streety
I've used namecheap to set up a cert for my site. It's the only one I've set
up so far so I can't compare them to other vendors but I had no problems and
would happily use them again.

------
run4yourlives
Verisign and move on, or use your hosting firm if they provide the service.
This isn't a question worth your time, really.

~~~
briansmith
Verisign is the only realistic choice if you want your website to work with
older mobile browsers and low-end mobile browsers. Many phones from as
recently as two years ago only have the Verisign root cert installed in them.

If Verisign is too pricey, and you are willing to lock out older and low-end
devices, but not all devices, then GeoTrust QuickSSL is the only alternative.
QuickSSL is cheap enough that there isn't any reason to try to find something
cheaper.

All other certificates being sold have one or more of the following problems:
the root cert is in few devices or only in recent devices, the root cert is
present in devices but will expire in the next 2-3 years, the certificate is a
chained one which won't work in some devices, the root certificate uses
relatively weak crypto (1024-bit key or MD5 signature), or there is some other
problem which I cannot remember off the top of my head.

------
ropiku
GoDaddy is pretty cheap and I don't see why you shouldn't use them.

~~~
olefoo
You want to beware of what you're buying: chained certificates are OK if it's
for something where you have a small number of users (say site admins), but you
will look like an incompetent nitwit if your clients' customers are getting
browser security errors because they don't have the intermediate certificate
installed in their browser.

My recommendation for ease of use and fast turnaround is Geotrust or one of
their resellers.

~~~
tlrobinson
I think the ones from GoDaddy work fine in most browsers. Or no?

~~~
teej
Actually, Firefox 3 on XP is missing a GoDaddy cert line. Just install the
certificate chain/bundle instead of the lone certificate and you'll be ok.

~~~
iigs
There are certain corner cases where this doesn't work (one that comes to mind
is WPA enterprise certificate negotiation in Windows XP, completely unrelated
to HTTPS).

If the requirement for "virtually all browsers" includes esoteric mobile stuff
I'd be concerned about intermediate certificate authorities. If you're doing
desktop applications/common mobile applications, these providers will have
solutions for you.
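
The two problems raised in this thread, a wildcard cert not covering the apex name (rarrrrrr's and iigs's comments near the top) and a leaf cert served without its intermediate (olefoo, teej and iigs just above), can both be reproduced offline with openssl. The script below is an added example, not code from anyone in the thread: it builds a throwaway root, intermediate and leaf (the names "Toy Root", "Toy Intermediate" and example.com are constructed for the demo), then runs `openssl verify` with and without the intermediate bundle, and with `-verify_hostname` for several names. It goes slightly beyond the thread by also showing that `*.example.com` does not match a two-label subdomain, and that adding the apex as a Subject Alternative Name entry fixes the apex case.

```sh
#!/bin/sh
# Added example (not from this thread): build a throwaway root -> intermediate
# -> leaf chain with openssl, then reproduce two problems discussed above:
#   1. a wildcard cert for *.example.com is NOT valid for example.com (only a
#      SAN entry for the apex fixes that);
#   2. a leaf served without its intermediate fails verification against the
#      root alone, which is the "missing intermediate" browser error.
# All names (Toy Root, Toy Intermediate, example.com) are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\nCN = placeholder\n' > req.cnf

# Extension files: CA:TRUE for root and intermediate, two SAN variants for leaves.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > wild.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com,DNS:*.example.com\n' > san.ext

gen_csr() {  # $1 = file stem, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Self-signed root.
gen_csr root "Toy Root"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.crt >/dev/null 2>&1

# Intermediate signed by the root.
gen_csr int "Toy Intermediate"
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.crt >/dev/null 2>&1

# One leaf key, two certs: wildcard-only SAN, and apex + wildcard SAN.
gen_csr leaf "*.example.com"
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile wild.ext -days 2 -out leaf-wild.crt >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile san.ext -days 2 -out leaf-san.crt >/dev/null 2>&1

# Chain check: verify a leaf against the root, with or without the intermediate
# supplied as an untrusted helper (what a server's "bundle" hands to clients).
verify_leaf() {  # $1 = leaf cert, $2 = optional intermediate cert
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
    fi
}

# Hostname check: full chain plus the name a client would connect to.
name_ok() {  # $1 = leaf cert, $2 = hostname
    openssl verify -CAfile root.crt -untrusted int.crt \
        -verify_hostname "$2" "$1" >/dev/null 2>&1
}

show() {  # $1 = label, remaining args = command to run
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

show "leaf alone, no intermediate (the missing-bundle error)" verify_leaf leaf-wild.crt
show "leaf + intermediate bundle" verify_leaf leaf-wild.crt int.crt
show "*.example.com cert for www.example.com" name_ok leaf-wild.crt www.example.com
show "*.example.com cert for example.com (apex)" name_ok leaf-wild.crt example.com
show "*.example.com cert for a.b.example.com (two labels)" name_ok leaf-wild.crt a.b.example.com
show "SAN cert (example.com + *.example.com) for example.com" name_ok leaf-san.crt example.com
```

Run it with sh; each line prints OK or FAIL. The `-untrusted int.crt` flag stands in for the intermediate a server sends in its bundle, and the single-label wildcard rule shown here is the same RFC 6125 rule browsers apply, so a wildcard cert alone never covers the apex or a nested subdomain.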

------
nickf
If anyone needs a cert (including the OP if he hasn't purchased yet) and help
setting it up on pretty much any server/device/platform - email me. My address
is on my profile. Mention HN and this thread, and I'll make sure you're looked
after ;)

[Disclosure: I work for a CA.]

------
mkull
we used thawte, but wish we used verisign because they have a cooler 'secured
by' icon ;p

seriously

------
socialtistics
Most of the resellers out there are reselling Comodo certificates. Comodo is
probably the leader in terms of number of certificates issued and you can buy
direct from them to save the middleman. They offer two classes of
certificates but both are essentially the same. The difference is the amount
of insurance Comodo provides you and the level of authentication you must go
through to prove who you say you are.

You can check them both out at: <http://www.instantssl.com/> (the lower end)
<http://www.enterprisessl.com/> (the higher end)

~~~
briansmith
Comodo's default InstantSSL root is not present in many devices (Nokia Series
40 and Windows Mobile in particular, IIRC). If you file a support ticket they
will issue you a certificate chained to a different root. But, that root
certificate is going to expire relatively quickly, and it is hit-or-miss
whether Comodo will charge you extra for it (since it effectively makes your
cert. an EnterpriseSSL cert.).

Comodo is also on the verge of getting its trust taken away from them, due to
negligent behavior that was widely reported a month or two ago. If any more
negligent behavior is discovered (not unlikely), I think browser makers will
be forced to remove Comodo's root, making all their certs worthless. (They are
already worthless to me.)

~~~
christefano
Here's an article about said negligent behavior:
<https://blog.startcom.org/?p=145>

------
BlueSkies
I started my search by looking at the providers that offered certificates
accepted by Firefox and Internet Explorer. My next level of filtering was to
look at cost and the ability to try the certificate for free during a trial
period.

I settled on Comodo (instantssl.com). The evaluation period went perfectly. At
the end of the period, I paid (I seem to recall $99) for a one year
certificate. They required a couple forms of identification (driver's
license, utility bill) and the process went smoothly. I am using the
certificate now at bigtweet.com.

------
robertss
You can find reviews and ratings of SSL vendors at
<http://www.sslshopper.com/certificate-authority-reviews.html>

------
blender
I recently researched this and I thought Digicert looked pretty good. Digicert
includes Subject Alternative Name.

Our CEO insisted on VeriSign so that's what we went with - way more expensive
and to get both www.example.com and example.com you either have to buy another
cert (for example.com) or go through their Sales team's Managed PKI to get a
SAN - ridiculous!

Cheers

------
plaes
cacert.org - And it is free :)

And running multiple SSL/https domains from a single IP is also possible when
using recent enough software (Apache with mod_ssl which has SNI support). More
info about SNI here:
<http://en.wikipedia.org/wiki/Server_Name_Indication>

~~~
olefoo
SNI is not supported by IE6 or earlier, and probably not feasible if you're
trying to reach older mobile browsers (or even current ones, iPhone does not
support it).

Which really sucks because it is an elegant solution to a very real problem.

------
tylermenezes
I honestly don't think it matters too much. You can get certs from $15-$20,
and, while most of them will try to upsell you to a more "secure" version to
"give your visitors confidence", 90% of your visitors probably won't know who
issued your certificate. As long as it's trusted in MSIE, Firefox, and Opera
you'll be fine.

------
braindead_in
I recently bought a domain from namecheap and got a 1 year SSL free. Haven't
tried it out though.

~~~
rms
I'm using it and it works. Note that it isn't just domains that give you a free
SSL certificate, it's just about any product they sell, like Whois Guard. Make
sure to add it to your cart at the right stage of the process, though.

------
hikari17
What about thawte?

~~~
DenisM
I'm using thawte and am very pleased with it. Compatibility was great in my
tests - it covered all mobile devices (Windows Mobile at the time) and desktop
browsers I cared about.

They also gave me a follow-up phone call to make sure everything went well
(they were NOT trying to upsell, it was a genuine help offer).

------
dhess
Anyone here have experience with StartCom? <http://cert.startcom.org/>

------
merrick33
Network Solutions Pro certificate was easy to set up, offers good value at
$139/year.

~~~
sangaya
I'll second this. Verisign is a racket. Network Solutions is still a reputable
company and provides the cert at a good price.

------
sankara
I found trustico to be the cheapest so far. Their service is decent too.

------
mikeyur
I went with a comodo SSL through NameCheap.com - works great.

~~~
christefano
I'd have a hard time trusting Comodo. It's been recently shown that they will
issue a certificate for any website to anyone at all, without verification:
<https://blog.startcom.org/?p=145>

------
sirsean
Trustwave