

Ask HN: What's the best company to buy SSL certificates from? - llambda


======
danbee
StartSSL (<https://www.startssl.com>) are very good in my experience. Class 1
certificates are free.

~~~
jusob
The best option if you want a wild card certificate, a certificate that
includes different domains, or many certificates.

------
jstanley
Honest Achmed's Used Cars and Certificates:
<https://bugzilla.mozilla.org/show_bug.cgi?id=647959>

~~~
citruspi
> Achmed's business plan is to sell a sufficiently large number of
> certificates as quickly as possible in order to become too big to fail (see
> "regulatory capture"), at which point most of the rest of this application
> will become irrelevant.

Now that's honest.

------
nlh
I can't say whether they're the "best" or not, but I've used NameCheap for
everything and have been extremely happy with them. Plenty of options, very
good cost.

The only time I didn't use them was a weird edge case recently where I needed
a multi-domain certificate, and NameCheap did not support those, so I
purchased direct from GeoTrust.

~~~
Osiris
I have a PositiveSSL from Namecheap. It's about $8 a year or so.

~~~
andrewmunsell
Plus, they used to offer $2 PositiveSSL certificates (for the first year) with
the purchase of a domain. Not sure if they still do that, though.

~~~
palidanx
What I discovered, unfortunately, is that the PositiveSSL certs often fail on
browsers of mobile devices (Safari/iPhone, Chrome/Nexus).

I ended up getting an EssentialSSL cert from Namecheap.

~~~
treahauet
I had a similar issue where Firefox didn't like Namecheap's certs, but I
started including the chain certificate as well and it worked great. Maybe
something like that had the same effect in that case?

------
somesay
There is no real bad or insecure option. Just make sure the CA is supported by
all the platforms / browsers you need and that the price is fair. Additionally
you may check that their revocation servers have a good internet connection
since browsers check these.

It is even totally unimportant if your provider is "insecure". If any of the
commonly trusted CAs is hacked it affects the security of your service as well
as if it's the CA you use.

Therefore I would go with StartSSL (<https://www.startssl.com/>). They are
trusted on all important platforms, are free for one subdomain per domain and
very cheap otherwise. You only pay for the verification of your identity,
unlimited domains, wildcard etc. then. I haven't seen any cheaper one. You
might get some competitive prices if you combine the use of single subdomain
ones through SNI, but I wouldn't prefer that over an inexpensive wildcard one.

What is the worst that can happen? If the revocation servers go down, the
browser just shows a small warning symbol, but everything still works. If your
CA gets hacked and untrusted in common browsers, you have to buy a cert
somewhere else ... this is the risk of every CA and a new cert is just minutes
away ...

There is no way to determine who is more secure against hacks etc. If they are
trusted where you need them, they are all equal.

------
petercooper
As others, I can't say they're the "best" but when I did a straw poll on
Twitter a few years ago, I was recommended RapidSSL. I've used them on my own
sites and for clients since then without any fuss (5 minutes and one automated
call). They seem to be very one size fits all though, quick and easy, but
nothing fancy like EV. (If anyone can help there actually, any recs for good
but non-expensive EV providers?)

~~~
somesay
> If anyone can help there actually, any recs for good but non-expensive EV
> providers?

StartSSL wants $200 for two years, additional ones cost $50 then. Haven't seen
anything cheaper.

------
flavmartins
DigiCert.com is the CA that will give you the trust and assurance with the
high verification standards that you would get with the Verisigns (Symantec)
of the world but with the start-up like cool customer service and affordable
price that customers today deserve.

The cheapest SSL options there ($20 and under) offer NO verification of the
applicant of the certificate. Thus, you could be a scammer for all they care,
as long as you control your site (even a phishing site) they'll give you the
"domain validated" certificate.

Stick with either EV (green bar, extra assurance) or a high-assurance only
shop like DigiCert, Symantec, Entrust, or GlobalSign. It'll also show your
users you care about trust and identity assurance online.

~~~
zokier
> The cheapest SSL options there ($20 and under) offer NO verification of the
> applicant of the certificate

Could you explain why that matters for the site owner?

~~~
somesay
It doesn't matter in any way. Especially it has no influence on security. A
cert that works works. You might be interested in additional features like EV
for the green/blue address bar or an assurance. But that's not the point.

------
espeed
Click on the green lock symbol in Chrome to see what certificates each site
uses.

Google issues its own, GitHub uses DigiCert (<http://www.digicert.com>), Hacker
News uses Entrust (<http://www.entrust.net>).

In general, Verisign (<http://www.verisign.com/>) will be the most expensive
and presumably the most widely supported, but there's no need to pay up for it
when DigiCert will work just as well.

~~~
samuelkadolph
Google has their own intermediate certificate. The root they use is Equifax.

------
sdfjkl
I get mine from Gandi.net, along with the domain. If you just need a single
CN, it's free for the first year. Verification is automated and usually done
within the hour.

------
gmays
I don't know if there's a best, but I use DigiCert.com. They're the perfect
combination of easy, quick and affordable. Plus, the support is great.

------
pearkes
You can buy a RapidSSL standard cert through DNSimple[1] for $20. Easier to
set up than doing it yourself too.

[https://dl.dropboxusercontent.com/s/x7q6tme55gerkql/2013-05-...](https://dl.dropboxusercontent.com/s/x7q6tme55gerkql/2013-05-12_at_8.16.19_PM.png)

[1] <https://dnsimple.com>

~~~
alternize
the same rapidssl certificate is $9.45 from namecheap.

after having been a reseller for geotrust for years, lately, i ended up buying
all my certificates from namecheap. the namecheap end user prices are even
lower than my rapidssl reseller prices...

------
artas_bartas
<http://swisssign.com/en> might not be the cheapest option, but definitely has
some extra cachet. They are really conservative and most of the approval
process is manual, but support staff is friendly.

------
mooism2
I expect it will depend on:

a. whether you want a certificate for a single hostname, several hostnames, or
a wildcard;

b. whether you want extended validation or not; and possibly

c. what country you're based in.

Perhaps other factors as well.

~~~
somesay
> c. what country you're based in.

How is that relevant? I would also say the targeted platforms (which browser,
OS) are the most important point.

------
ConceitedCode
What's a company that you wouldn't ever buy an SSL certificate from again?
They all seem about the same to me and I don't think I have ever heard of a
bad one.

~~~
DanBC
> I don't think I have ever heard of a bad one.

Diginotar

------
simonswords82
I use rapidssl.com - no complaints with their service.

------
dynabros
Is the extra EV (extended validation) add on worth anything?

~~~
somesay
Not in case of security, but you likely get more trust from your visitors.
Also might include some assurance thing you can use or advertise with. But I
wouldn't say it has any bad influence if it's missing, as long as you aren't a
payment provider or something like that.

