Ask HN: where do you get your SSL certificates?
77 points by yarek on June 15, 2010 | 53 comments
I got a certificate from GoDaddy, and it only seems to work without throwing user warnings on a handful of browsers (FF on Windows, but not on Linux, not Chrome, etc). Shelling out several hundred bucks for a Verisign certificate seems awfully steep for a shoestring operation. Are there better alternatives?

This is a known issue with GoDaddy certificates, and can be corrected by specifying an intermediate cert. I ran into the same issue at one point in the past and had to Google a bit to fix it.

GoDaddy itself is not a trusted CA on all platforms. It is backed by a trusted CA. To make this work, you have to add a "certificate chain" in your web server and provide the additional certificate linking GoDaddy to that trusted CA.

Read more about the configuration here. Note that you'll have to download one additional certificate, not just the main signed certificate. http://help.godaddy.com/article/5346

Here is what my ssl.conf looks like in Apache:

   SSLCertificateFile /etc/httpd/foo.crt
   SSLCertificateKeyFile /etc/httpd/foo.key
   SSLCertificateChainFile /etc/httpd/gd_bundle.crt
That gd_bundle.crt is what you're probably missing. Hope this helps.

I use GoDaddy certs at work and have run into the same issue. A tip for anyone using nginx: cat the intermediate cert into your SSL certificate file. It fixes the warnings.

Part 3 here: http://nginx.groups.wuyasea.com/articles/how-to-setup-godadd...

Thanks for the info - sounds reasonable. Now I have to figure out how to make that work for hunchentoot.


Cheap, no certificate chain, and everything seems to have the roots installed.

It doesn't really matter where you get them from, the whole thing is a bit of a scam anyway. Since your security is as weak as the worst issuer, there's no point in buying a "premium" certificate.

Since your security is as weak as the worst issuer, there's no point in buying a "premium" certificate.

True for most of us here, but not universally true. Extended validation certificates are expensive but provide an unparalleled level of reassurance for users: http://en.wikipedia.org/wiki/Extended_Validation_Certificate

Yeah, I would disagree with this as well - they're supposed to provide more reassurance, but all the studies of user awareness of this - and security UI in general - generally conclude that almost nobody has a clue what these mean or even noticed their existence:

- http://www.securityfocus.com/print/columnists/405 - read the linked PDF, if you haven't already - it's pretty eye-opening.
- http://i.imgur.com/u7PFH.jpg - this turned up on reddit the other day.

I respectfully disagree. I recently bought an EV certificate from VeriSign and, apart from some paperwork, the only "extended" validation was a two minute phone call from a VeriSign rep. Well worth the EUR 575,- :/

What I mean is the "green bar" or "green text" in the Web browser. I'm no SSL expert (though not a novice either) but I do like seeing that appear when logging into online banking or PayPal. If it didn't come up that way, I'd be immediately suspicious.

I assume they verified that you are in fact a citizen of a first-world country, possibly with an actual company that pays its taxes. That's basically all the trust an average site needs. It's not so much that your website can now be trusted to never do anything nasty, but if it ever does there is someone to hold accountable.

There will have been at minimum checking for address and phone listings for the company (yell or scoot for UK EVs) in addition to the human telephone validation for signer and approver.

Different applications for EV certs will be required to provide certain additional information and all validations must pass CAB guidelines.

We personally use Comodo for our 'cheap' certificates as we get massive buy discounts and GlobalSign for EV as they've had a 2048-bit default root since the start.

EV only really got in the news after Comodo resellers were caught issuing 'validated' certificates with no actual validation whatsoever. (Conveniently, there was a fresh release of IE that displayed EV certs in green.) Any validation process is as weak as the worst issuer, 'extended' or otherwise, and promising to do better validation for more profit doesn't really serve to deter the actual violation that got us here to begin with.

You are assuming that the users will notice the lack of green text for the EV certificate in their browser. It is not an error to use a non-EV certificate, even if the site 'should' have one.

(defining 'should' here is difficult)

This can be read in the process of issuing a wildcard certificate at Trustico: https://www.trustico.co.uk/geodirect/order/step1.php

The server count option tells us how many physical servers you intend to install RapidSSL Wildcard on. A licence will be activated for each physical server installation and you must pay the full product price for each additional server installation. Most customers choose to install RapidSSL Wildcard on 1 physical server only. RapidSSL Wildcard includes 1 server licence free of charge and can be installed an unlimited number of times on each licenced physical server.

Licenced SSL certificates per server? Come on.

I agree it's a scam but are they recognized in mobile phones? I cannot find a cheap one that is good for my android phones at work.

Try https://tracker.oneis.co.uk/ in your phone -- it's got a cheap cert on it.

I use NameCheap's RapidSSL product for $10/yr. The only thing I don't like about it is that when you register, the 'Organization' value you enter gets overwritten with the common name/domain name. This means that when someone reads the certificate details in their browser, they can't find any reference to your actual company name.

We also went with this option, after finding out about it here on HN about a month ago: http://news.ycombinator.com/item?id=1317987

Having the domain name as the certificate "Organization" value is not an issue for us.

+1 NameCheap - $10/yr, automated ordering & no chain file

Check out this thread: http://news.ycombinator.com/item?id=464916

Also, you might want to provide a bit more about the cert you currently have if you want to know why it's not working on other browsers. Finally, you might want to consider asking/browsing on serverfault.com. There are good discussions on the topic of SSL on that site.

I like DigiCert.

One nice thing they do is give you a www alt name for your domain. (e.g. alt name == www.apple.com for domain apple.com). Thawte charges a minimum of $169 for this.

This means that your certificate will be able to be used by www.domain.com and domain.com.

Some certs aren't able to be used for both (https://amazon.com), and the alternative is to buy two certs.
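A constructed demonstration, added here and not code from any commenter, from GoDaddy or from DigiCert, of the two mechanics this thread keeps circling: the missing-intermediate problem behind the GoDaddy warnings and its chain-file fix (Apache's SSLCertificateChainFile, or cat'ing the intermediate onto the cert for nginx), and the www/bare-domain alt-name point in the DigiCert comment just above. It builds a throwaway root, intermediate and leaf in memory with Go's standard library, then verifies the leaf the way a browser does: trusting only the root it ships, and using only the certificates the server sent. The CA names and the example.com host names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixture is a constructed three-tier PKI generated in memory. Root stands in for
// a CA the browser ships, Intermediate for the issuing CA that gd_bundle.crt carries.
type Fixture struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue signs template under parent with signerKey and parses the result.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate is the shared shape of the root and intermediate CA certificates.
func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// NewFixture builds root -> intermediate -> leaf. The leaf lists both www.example.com
// and bare example.com as subject alternative names (hypothetical hosts).
func NewFixture() (*Fixture, error) {
	now := time.Now()
	var keys [3]*ecdsa.PrivateKey // root, intermediate, leaf
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootTmpl := caTemplate(1, "Constructed Trusted Root", now)
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTemplate(2, "Constructed Intermediate CA", now), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com", "example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &Fixture{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyServedChain models the browser's view: it trusts only the roots it ships
// (here just f.Root) and may use only the certificates the server sent. served[0]
// is the site cert; served[1:] is what the chain file contributed, if anything.
// host is the name the user typed into the URL bar.
func VerifyServedChain(f *Fixture, served []*x509.Certificate, host string) error {
	if len(served) == 0 {
		return fmt.Errorf("server sent no certificates")
	}
	roots := x509.NewCertPool()
	roots.AddCert(f.Root)
	intermediates := x509.NewCertPool()
	for _, c := range served[1:] {
		intermediates.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
	return err
}

func main() {
	f, err := NewFixture()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf only:  ", VerifyServedChain(f, []*x509.Certificate{f.Leaf}, "www.example.com"))
	fmt.Println("with bundle:", VerifyServedChain(f, []*x509.Certificate{f.Leaf, f.Intermediate}, "www.example.com"))
}
```

With only the leaf in `served`, the verifier cannot link the site cert to the root and reports an unknown authority, which is exactly the warning the original poster sees; adding the intermediate to the served list is the code-level equivalent of the gd_bundle.crt line, and the same leaf then also verifies for the bare domain because it is listed as an alt name. Real browsers differ in which roots they ship (and some fetch missing intermediates on their own), which is why the symptom shows up on some browser/OS pairs and not others.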

I bought RateMyStudentRental's SSL cert from GoDaddy and it was a PITA to set up compared to if you get a trusted root certificate (that does not need to be chained).

After reading this thread [1] I bought LeadNuke's SSL cert from NameCheap (a rebranded RapidSSL certificate). Sure enough it was incredibly easy to set up, and is trusted on all the main browsers.

[1] http://news.ycombinator.com/item?id=1318340

StartCom - their "domain validated" certificates (which other CAs charge for) are free: http://www.startssl.com/

Even better, they don't charge for "products" such as wildcard certificates, but for the service of validation that is required to get them. This means you pay once for the validation (much less than a single wildcard certificate costs elsewhere) and then you can create certificates for all your domains at no additional cost.

Obviously, they are a small CA, which means they are not recognised on some exotic platforms, but I haven't run into any of those cases myself. Also, they require an intermediate certificate, but that was a no-brainer to set up. I have one up on my personal website, if you want to try if it works for you: https://micheljansen.org

StartCom is great, but 2 caveats: I found that StartCom's root authority is not recognized by some IE6 installs, and is still not recognized by Java (so applets, web start, java clients talking to your server may have problems ...).

The first time a user goes to StartCom on Windows XP on IE6, it will pop up with a "cert error". This is because the user hasn't recently updated their root certs through a super-optional Windows Update install. However, any subsequent loads will work as Windows will check and update their root certificates in the background.

Edit: OK, they seem to work pretty well. This is a nifty idea.

My only problem with them is the somewhat complicated mechanism for authentication with client certs. I could not get it to work with Firefox or Chrome, just Safari.

startssl.com is who I use. I haven't had any issues, then again I'm not particularly worried about exotic platforms, or IE6 support.

We like Gandi, they offer very good customer service.


I use gandi.net. Gandi provides a free SSL certificate (for one year) when you buy/renew a domain from them. It's quite a good deal.


I was thinking about this just today. I want a cert to use with Heroku. I love Dreamhost and I use them for all my static websites, backup storage, git hosting, and domain registration. They provide SSl certs for $15, but I've never bought one and they don't provide a lot of details. They mention that you can use them with other hosts, but not much else.

Anyone have experience with Dreamhost SSL?

I've used them and they work fine. They say they don't provide IIS support (indeed, the format of their certs doesn't work for IIS, but you can use an online converter to get them into the right format).

I believe they just resell Comodo from when I used it last, but you could probably check.

You probably forgot to combine the intermediate certs with your domain cert. That said, I use startcom (http://www.startssl.com/). You can get free SSL certs there that work in 99% of browsers. If you pay the identity verification fee (I think about $50), you can get free WILDCARD certificates!

We use a Comodo certificate, but it's been so long since we got it issued, I don't think they even offer it anymore?!?

I would try these sites:

- http://instantssl.com (comodo)

- http://www.sslmatic.com (retailer of various)

That should be a start.

Are SSL certificates internationally recognized? In other words, if I have users coming from both the US as well as a variety of other nations, will SSL certificates be recognized regardless of the user's origin, or is there such a thing as an international SSL certificate?

Yes, though check with your CA for IDN support.

(Disclaimer: I don't know what I'm talking about) You might want to try DigiCert: I researched a few different providers earlier this year, and DigiCert seemed to be cheap and trusted. No direct experience with them, tho.


Fast provisioning and a simple-to-use interface. I've bought many certs from them and am very satisfied.

Note: Used RapidSSL, paid $10.95. Best lunch's worth of money ever spent. Beats GoDaddy, as cert chains are not required.

Maybe something's wrong with how you configured it. Maybe the host name doesn't match?

I just picked up a cert from GoDaddy a couple weeks ago. I don't have any issues with Firefox, Chrome, Safari on OS X, and no problems with IE8 on XP.

Guess I'll have to check the other combinations later.

I would double check the configuration. Maybe something is up with the intermediate certificate?

No, it's godaddy...I have the same problem. Not entirely sure why browsers don't trust godaddy. Perhaps because godaddy is cheap and dirty.

Why would that change between browsers and operating systems?

Because different browsers have different set of root certificates/authorities to authenticate the certificate.

Ah. The host name on the root cert. I was thinking that the host name on the server's certificate was being referenced.

We use thawte.

I've tried using Thawte - I placed 3 sales calls and an email. No one ever answered the phone (an 800 number!) and it took three weeks for someone to call me back after the email. No thanks.

I've been a customer of theirs for most of the last ten years. They used to be quite good. However, my recent experiences with them have convinced me that I will need to find a new provider when my certificates expire. With Thawte, you'll pay a premium price and receive poor customer service.

Seconded - their support and checkout process all suck hard. What's great about SSLs... they are all scams... but you get to decide the level for which they screw you.

Yup. Their interface doesn't even support the ability to add licenses to an existing certificate since their software update. Thanks but no thanks, I can save my company a bomb by going elsewhere.

I got a free 3 month certificate from Comodo and then I used a promotional offer from RapidSSL for Comodo customers to get a free 1 year cert (in addition to 3 months). Result: free 15 month certificate.

My next HTTPS cert will be from DynaDot since I liked how they run their DNS registrar service (with optional API, yeah!) and generally got a "smart" vibe from them. I've gotten certs from VeriSign and generally found it surprisingly expensive, complex and slow. Fundamentally, a file needs to be generated. Generating that file should be pretty fast on a modern computer, and a commodity service. Yes there's some extra stuff potentially involved. But at its core it should be a pretty simple and fast and therefore cheap process. IMO.
