
Ask HN: For a startup which SSL certificate authority would you recommend & why? - skrish
I am trying to find a trusted & not too expensive SSL certificate authority with wildcard support for multiple subdomains.

This is what I found so far:

DigiCert - Seems to be a good option. Their support & ratings seem quite good based on reviews. $595 for their unlimited wildcard plus certificate.

Thawte - Comparatively higher price compared to DigiCert. Not sure how their support is.

Verisign - Submitted a request to find which plan of theirs supports wildcard certification.

Comodo - Cheaper, but several issues were reported even recently on HN a few months back - especially the issue in Iran where their private key was released.

GoDaddy - We do not want to go near it anyway.

Your recommendations for any good providers who are priced much lower for startups will be very helpful. Thanks!
======
marshray
I'll probably be downvoted for this, but if I were you I would try to avoid
getting wildcard certs.

Once you have a wildcard cert, you'll find all kinds of places you want to
start using it...the web site, the production system, the blog, the mail
server, the remote access server, and so on. But effectively they mean that
if, say, your blog gets pwned, then _everything_ in your production is pwned
and has to be revoked and re-certified (and the security advisory is much
uglier).

Find an inexpensive one of the top 10 CAs (other than GoDaddy of course) - it
hardly matters which. IMHO there's no reason you should have to pay per-server
for a cert. It makes disappointingly little difference who you go with on the
server side, especially if you generate your own keys and CSR, then the CA
never even sees your private key.

Comodo's private key was not hacked. They did issue some fraudulent certs
through hacked resellers, but that compromised the security of _all users_
equally.
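
The blast-radius point above, as an added example that is not code from the thread: it applies the reference-identity matching rules of RFC 6125 section 6.4.3 (as tightened by current browsers) to a constructed host list, so you can see exactly which names one wildcard private key stands behind. `mydomain.com`, the host list and the certificate name lists are placeholders, and the public-suffix handling is reduced to refusing a wildcard directly under a single-label suffix.

```python
"""Which hostnames does one certificate's private key stand behind?

Added example, not code from the thread. Matches hostnames against the
dNSName entries of a certificate the way RFC 6125 6.4.3 and current
browsers do, to show the blast radius of a single compromised wildcard key.
"""

# Constructed for the example: dNSName entries of the two kinds of
# certificate the thread compares.
WILDCARD_CERT = ["*.mydomain.com", "mydomain.com"]
PER_HOST_CERT = ["www.mydomain.com"]

# Constructed for the example: everything at a startup that ends up serving TLS.
HOSTS = [
    "www.mydomain.com",
    "blog.mydomain.com",
    "mail.mydomain.com",
    "vpn.mydomain.com",
    "mydomain.com",
    "acme.app.mydomain.com",  # two labels below the apex
]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName, possibly a wildcard, against a hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is honoured only as the entire left-most label, so partial
        wildcards such as w*.mydomain.com never match;
      * the wildcard stands for exactly one label: *.mydomain.com covers
        blog.mydomain.com but neither mydomain.com nor acme.app.mydomain.com;
      * a wildcard directly under a single-label suffix (*.com) is refused.
        Real clients consult the Public Suffix List here; this example only
        rejects the single-label case.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(cert_names, hostnames):
    """Hostnames for which a client would accept this certificate."""
    return [h for h in hostnames if any(name_matches(n, h) for n in cert_names)]


def exposed_if_compromised(cert_names, compromised_host, hostnames):
    """Hosts an attacker can impersonate with the key stolen from one host.

    If the stolen key belongs to a certificate that names compromised_host,
    every other name on that certificate falls with it; otherwise that key
    lets the attacker impersonate nothing in this list.
    """
    if compromised_host not in covered_by(cert_names, [compromised_host]):
        return []
    return covered_by(cert_names, hostnames)


if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("per-host", PER_HOST_CERT)):
        exposed = exposed_if_compromised(names, "blog.mydomain.com", HOSTS)
        print(f"{label} cert, blog host compromised -> impersonable: {exposed}")
```

With the wildcard certificate, the key lifted from the blog host validates for www, mail, vpn and the apex as well; with a per-host certificate on www, that same blog compromise lets the attacker impersonate nothing served under the www key. Note that the two-label tenant host `acme.app.mydomain.com` is not covered by `*.mydomain.com` at all, which matters for the `<<customername>>.<<mydomain>>.com` design discussed below.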

~~~
skrish
Thanks. For my SaaS app where I need to issue
<<customername>>.<<mydomain>>.com it will be very expensive to start with if I
do not go for a wildcard.

I understand the risk & re-certification issue and will look into this
further.

~~~
marshray
You should fully understand the same-origin implications of such a design
before deploying it.

For example, if <<customername>> is able to set cookies or run script (e.g.,
via XSS), they will be able to set cookies that affect _everything_ under
<<mydomain>>.com. Under some circumstances they will even be able to read back
the values.

Here's a good site to keep you awake at night:
[http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html](http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html)
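
The cookie-scoping problem described above, as an added example that is not code from the thread or from the linked post: a minimal cookie jar that follows the storage and retrieval rules of RFC 6265 (sections 5.1.3, 5.1.4, 5.3 and 5.4), so what a hostile tenant page under `mydomain.com` can do to the app and apex hosts can be reproduced offline. Hostnames, cookie names and values are constructed, the public-suffix list is cut down to two entries, and the `__Host-` prefix check reflects a later browser rule that is not part of RFC 6265.

```python
"""Cookie scoping across <customer>.mydomain.com tenants.

Added example, not code from the thread or the linked post. A minimal
cookie jar implementing the RFC 6265 storage and retrieval rules; the
hostnames, cookie values and two-entry public-suffix list are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Stand-in for the Public Suffix List (RFC 6265 5.3 step 5); a real client
# loads the full list.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def canonical(host: str) -> str:
    return host.lower().strip(".")


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain, or host ends with '.' + domain."""
    host, domain = canonical(host), canonical(domain)
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: cookie path is a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # host or domain the cookie is scoped to, no leading dot
    host_only: bool  # True when the Set-Cookie carried no Domain attribute
    path: str


class CookieJar:
    def __init__(self) -> None:
        self.cookies = []

    def set_cookie(self, request_host: str, header: str) -> bool:
        """Store one Set-Cookie header from request_host; False if rejected."""
        request_host = canonical(request_host)
        pair, *attrs = [part.strip() for part in header.split(";")]
        name, _, value = pair.partition("=")
        domain_attr, path_attr = None, "/"
        for attr in attrs:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "domain":
                domain_attr = canonical(val)
            elif key == "path":
                path_attr = val.strip() or "/"
        # __Host- prefix (later browser rule, not RFC 6265): refused with any
        # Domain attribute or a Path other than "/", so a sibling host can
        # never plant it.
        if name.startswith("__Host-") and (domain_attr is not None or path_attr != "/"):
            return False
        if domain_attr:
            if domain_attr in PUBLIC_SUFFIXES:                  # 5.3 step 5
                return False
            if not domain_matches(request_host, domain_attr):  # 5.3 step 6
                return False
            cookie = Cookie(name, value, domain_attr, host_only=False, path=path_attr)
        else:
            cookie = Cookie(name, value, request_host, host_only=True, path=path_attr)
        # 5.3 step 11: same name, domain and path replaces the stored cookie
        key = (cookie.name, cookie.domain, cookie.path)
        self.cookies = [c for c in self.cookies if (c.name, c.domain, c.path) != key]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, request_host: str, request_path: str = "/") -> list[tuple[str, str]]:
        """RFC 6265 5.4: the cookies a request to this host and path carries."""
        request_host = canonical(request_host)
        chosen = []
        for c in self.cookies:
            in_scope = request_host == c.domain if c.host_only else domain_matches(request_host, c.domain)
            if in_scope and path_matches(request_path, c.path):
                chosen.append(c)
        chosen.sort(key=lambda c: -len(c.path))  # longer paths first, then oldest first
        return [(c.name, c.value) for c in chosen]


def demo() -> dict:
    """One hostile tenant page against the app and apex hosts under mydomain.com."""
    jar = CookieJar()
    # The app sets a host-only session cookie on its own host.
    jar.set_cookie("app.mydomain.com", "session=legit-user")
    # A page on the tenant host (or an XSS in it) sets a same-named cookie
    # scoped to the parent domain: it now rides along to every sibling host.
    jar.set_cookie("evil-tenant.mydomain.com", "session=attacker-chosen; Domain=mydomain.com; Path=/")
    # It cannot reach past the registrable domain ...
    psl_rejected = not jar.set_cookie("evil-tenant.mydomain.com", "x=1; Domain=com")
    # ... and cannot plant a __Host- cookie for another host at all.
    prefix_planted = jar.set_cookie("evil-tenant.mydomain.com", "__Host-session=attacker; Domain=mydomain.com")
    return {
        "app": jar.cookies_for("app.mydomain.com"),
        "www": jar.cookies_for("www.mydomain.com"),
        "apex": jar.cookies_for("mydomain.com"),
        "psl_rejected": psl_rejected,
        "prefix_planted": prefix_planted,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The request to `app.mydomain.com` now carries two `session` cookies with no attribute telling the server which one is which, and `www` and the apex receive the attacker's cookie outright; the browser enforces only the public-suffix boundary, not the boundary between tenants. Keeping the app off the tenants' parent domain (or, in current browsers, using a `__Host-` prefixed cookie, which the jar refuses to accept from the tenant host) is what closes this.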

------
pasbesoin
With the caveat that I realize Namecheap has been getting a lot of positive
publicity here lately, I'll mention that they continue to offer low prices on
RapidSSL certificates. I haven't used them, but comments I've read over the
last several years have left me with the impression that RapidSSL certificates
are fairly well regarded and are generally considered a good, economical
choice.

As you can see from the page, Namecheap also has a significant variety of
other certificate choices.

HTH

(And I've nothing to do with Namecheap, other than being a small customer of
theirs.)

[https://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates.aspx](https://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates.aspx)

And if you want organization validation, for example:

[https://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates/business-validated.aspx](https://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates/business-validated.aspx)

------
girishm
At Freshdesk we use DigiCert and are quite happy with them. No major problems
in setting up or ongoing maintenance. Whenever we needed support they have
responded promptly. Would gladly recommend them.

------
Benares
I have used StartCom for a few years, and have had positive experiences every
time I needed to contact a person for help. They seem to be an ethical
company.

------
dawson
We use instantssl (comodo) and are very happy, no issues [yet].

