

Ask HN: where do you get your SSL certificates? - yarek

I got a certificate from GoDaddy, and it only seems to work without throwing user warnings on a handful of browsers (FF on Windows, but not on Linux, not Chrome, etc). Shelling
out several hundred bucks for a Verisign certificate seems awfully steep for a shoestring operation. Are there better alternatives?
======
d_r
This is a known issue with GoDaddy certificates, and can be corrected by
specifying an intermediate cert. I ran into the same issue at one point in the
past and had to Google a bit to fix it.

GoDaddy itself is not a trusted CA on all platforms. It is backed by a trusted
CA. To make this work, you have to add a "certificate chain" in your web
server and provide the additional certificate linking GoDaddy to that trusted
CA.

Read more about the configuration here. Note that you'll have to download one
additional certificate, not just the main signed certificate.
<http://help.godaddy.com/article/5346>

Here is what my ssl.conf looks like in Apache:

    SSLCertificateFile /etc/httpd/foo.crt
    SSLCertificateKeyFile /etc/httpd/foo.key
    SSLCertificateChainFile /etc/httpd/gd_bundle.crt

That gd_bundle.crt is what you're probably missing. Hope this helps.

~~~
chuhnk
I use GoDaddy certs at work and have run into the same issue. A tip for
anyone using nginx. Cat the intermediate cert into your ssl certificate file.
It fixes the warnings.

Part 3 here: <http://nginx.groups.wuyasea.com/articles/how-to-setup-godaddy-ssl-certificate-on-nginx/2>
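
The intermediate-certificate fix described in the two comments above can be reproduced offline. This is an added example, not part of the thread: it builds a constructed root, intermediate and server certificate with `openssl`, then checks what a client that trusts only the root accepts. All subjects and file names are made up.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.
# Every name and path below is made up for this example.
set -eu

make_demo_pki() {  # $1 = existing empty directory
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = unused' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    '[leaf_ext]' 'basicConstraints = CA:FALSE' > "$d/pki.cnf"
  # Root: the only certificate the client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/pki.cnf" \
    -extensions ca_ext -subj '/CN=Demo Root CA' \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate, signed by the root (the role gd_bundle.crt plays above).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj '/CN=Demo Intermediate CA' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -days 30 -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/int.crt" 2>/dev/null
  # Server certificate, signed by the intermediate (the role foo.crt plays above).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj '/CN=www.example.test' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -days 30 -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions leaf_ext -out "$d/leaf.crt" 2>/dev/null
  # nginx style: server certificate first, then the intermediate, in one file.
  cat "$d/leaf.crt" "$d/int.crt" > "$d/fullchain.crt"
}

# Does a client that trusts only $1 accept what the server sends in $2?
# openssl verify checks the first cert in $2; -untrusted offers every cert in
# $2 as a chain-building candidate, as a TLS client does with the handshake.
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"
for f in leaf.crt fullchain.crt; do
  if served_chain_ok "$DEMO_DIR/root.crt" "$DEMO_DIR/$f"; then
    echo "$f: trusted"
  else
    echo "$f: NOT trusted (intermediate missing)"
  fi
done
```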

------
bensummers
<http://www.trustico.co.uk/products/rapidssl/cheap-rapidssl-ssl-certificate.php>

Cheap, no certificate chain, and everything seems to have the roots installed.

It doesn't really matter where you get them from, the whole thing is a bit of
a scam anyway. Since your security is as weak as the worst issuer, there's no
point in buying a "premium" certificate.

~~~
petercooper
_Since your security is as weak as the worst issuer, there's no point in
buying a "premium" certificate._

True for most of us here, but not universally true. Extended validation
certificates are expensive but provide an unparalleled level of reassurance
for users: <http://en.wikipedia.org/wiki/Extended_Validation_Certificate>

~~~
bnoordhuis
I respectfully disagree. I recently bought an EV certificate from VeriSign
and, apart from some paperwork, the only "extended" validation was a two
minute phone call from a VeriSign rep. Well worth the EUR 575,- :/

~~~
sirclueless
I assume they verified that you are in fact a citizen of a first-world
country, possibly with an actual company that pays its taxes. That's basically
all the trust an average site needs. It's not so much that your website can
now be trusted to never do anything nasty, but if it ever does there is
someone to hold accountable.

~~~
carl_
There will have been at minimum checking for address and phone listings for the
company (yell or scoot for UK EVs) in addition to the human telephone
validation for signer and approver.

------
noibl
I use NameCheap's RapidSSL product for $10/yr. The only thing I don't like
about it is that when you register, the 'Organization' value you enter gets
overwritten with the common name/domain name. This means that when someone
reads the certificate details in their browser, they can't find any reference
to your actual company name.

~~~
dpapathanasiou
We also went with this option, after finding out about it here on HN about a
month ago: <http://news.ycombinator.com/item?id=1317987>

Having the domain name as the certificate "Organization" value is not an issue
for us.

------
nopal
I like DigiCert.

One nice thing they do is give you a www alt name for your domain. (e.g. alt
name == www.apple.com for domain apple.com). Thawte charges a minimum of $169
for this.

This means that your certificate will be able to be used by www.domain.com and
domain.com.

Some certs aren't able to be used for both (<https://amazon.com>), and the
alternative is to buy two certs.

------
andymoe
Check out this thread: <http://news.ycombinator.com/item?id=464916>

Also, you might want to provide a bit more about the cert you currently have
if you want to know why it's not working on other browsers. Finally, you might
want to consider asking/browsing on serverfault.com. There are good
discussions on the topic of SSL on that site.

------
JangoSteve
I bought RateMyStudentRental's SSL cert from GoDaddy and it was a PITA to
set up compared to if you get a trusted root certificate (that does not need to
be chained).

After reading this thread [1] I bought LeadNuke's SSL cert from NameCheap (a
rebranded RapidSSL certificate). Sure enough it was incredibly easy to set up,
and is trusted on all the main browsers.

[1] <http://news.ycombinator.com/item?id=1318340>

------
sern
StartCom - their "domain validated" certificates (which other CAs charge for)
are free: <http://www.startssl.com/>

~~~
zmmmmm
StartCom is great, but 2 caveats: I found that StartCom's root authority is
not recognized by some IE6 installs, and is still not recognized by Java (so
applets, web start, java clients talking to your server _may_ have problems
...).

~~~
ROFISH
The first time a user goes to StartCom on Windows XP on IE6, it will pop up
with a "cert error". This is because the user hasn't recently updated their
root certs through a super-optional Windows Update install. However, any
subsequent loads will work as Windows will check and update their root
certificates in the background.

------
shin_lao
We like Gandi, they offer very good customer service.

<http://en.gandi.net/ssl>

------
david_p
I use gandi.net. Gandi provides a free SSL certificate (for one year) when you
buy/renew a domain from them. It's quite a good deal.

<http://en.gandi.net/ssl>

------
evandavid
I was thinking about this just today. I want a cert to use with Heroku. I love
Dreamhost and I use them for all my static websites, backup storage, git
hosting, and domain registration. They provide SSL certs for $15, but I've
never bought one and they don't provide a lot of details. They mention that
you can use them with other hosts, but not much else.

Anyone have experience with Dreamhost SSL?

~~~
smiler
I've used them and they work fine. They say they don't provide IIS support
(indeed, the format of their certs doesn't work for IIS, but you can use an
online converter to get them into the right format).

I believe they just resell Comodo from when I used it last, but you could
probably check.

------
Judson
We use a Comodo certificate, but it's been so long since we got it issued, I
don't think they even offer it anymore?!?

I would try these sites:

- <http://instantssl.com> (Comodo)

- <http://www.sslmatic.com> (retailer of various)

That should be a start.

------
oomkiller
You probably forgot to combine the intermediate certs with your domain cert.
That said, I use StartCom (<http://www.startssl.com/>). You can get free SSL
certs there that work in 99% of browsers. If you pay the identity verification
fee (I think about $50), you can get free WILDCARD certificates!

------
uptown
Are SSL certificates internationally recognized? In other words, if I have
users coming from both the US as well as a variety of other nations, will SSL
certificates be recognized regardless of the user's origin, or is there such a
thing as an international SSL certificate?

~~~
carl_
Yes, though check with your CA for IDN support.

------
resdirector
(Disclaimer: I don't know what I'm talking about) You might want to try
DigiCert: I researched a few different providers earlier this year, and
DigiCert seemed to be cheap and trusted. No direct experience with them, tho.

------
mkramlich
My next HTTPS cert will be from DynaDot since I liked how they run their DNS
registrar service (with optional API, yeah!) and generally got a "smart" vibe
from them. I've gotten certs from VeriSign and generally found it surprisingly
expensive, complex and slow. Fundamentally, a file needs to be generated.
Generating that file should be pretty fast on a modern computer, and a
commodity service. Yes there's some extra stuff potentially involved. But at
its core it should be a pretty simple and fast and therefore cheap process.
IMO.

------
fookyong
<https://www.geocerts.com>

Fast provisioning and a simple-to-use interface. I've bought many certs from
them and am very satisfied.

------
yarek
Note: Used RapidSSL, paid $10.95. Best lunch's worth of money ever spent.
Beats GoDaddy, as no cert chains are required.

------
stretchwithme
Maybe something's wrong with how you configured it. Maybe the host name
doesn't match?

~~~
pyre
Why would that change between browsers and operating systems?

~~~
yarek
Because different browsers have different sets of root certificates/authorities
to authenticate the certificate.

~~~
pyre
Ah. The host name on the root cert. I was thinking that the host name on the
server's certificate was being referenced.

------
svnv
We use thawte.

~~~
ScottWhigham
I've tried using Thawte - I placed 3 sales calls and an email. No one ever
answered the phone (an 800 number!) and it took three weeks for someone to
call me back after the email. No thanks.

~~~
superk
Seconded - their support and checkout process all suck hard. What's great
about SSL's... they are all scams.. but you get to decide the level for which
they screw you.

~~~
pstevensza
Yup. Their interface doesn't even support the ability to add licenses to an
existing certificate since their software update. Thanks but no thanks, I can
save my company a bomb by going elsewhere.

------
bhiggins
I got a free 3 month certificate from Comodo and then I used a promotional
offer from RapidSSL for Comodo customers to get a free 1 year cert (in
addition to 3 months). Result: free 15 month certificate.

