Ask HN: What's the best company to buy SSL certificates from?
124 points by cioc on Feb 6, 2012 | 70 comments

Get the best SSL cert for the job...

If you just want to secure a login page for your own personal use, get a free cert from StartSSL.

If you need to give access to the page to more people, it's best to get a cheap cert from Comodo, etc. because they're compatible with more mobile devices. Don't spend more than $15.

If you intend on selling something from the site, I'd recommend getting some form of company validation on top of the standard domain validation which is performed when buying cheaper certs. GeoTrust, Comodo, Globalsign, etc. can help. It should cost less than $100.

The best certs to get to re-assure your customers are the EV ones. No need to go full Verisign and waste a ton of money on them, you can get them cheap-ish from Globalsign, Comodo and Geotrust resellers.

If you're getting a cert generated by an established certificate authority, it doesn't really matter who you buy it from. Aim for the best price for the level of support that you want to get.

Don't feed the SSL cartel

Free SSL cert accepted by all modern browsers https://www.startssl.com/?app=1

They are owned and operated by http://www.startcom.org/

startssl.com is part of the cartel you don't want to feed... Yes, they offer free certificates, but only in order to market their paid certificates.

FWIW, I use free certs from startssl.com myself.

If you really want to avoid the "cartel", use cacert.org or a self signed cert.

I will use cacert as soon as they're part of the standard cert group on all the major browsers :P

StartSSL.com offers free yearly simple SSL certificates, and are supported by all major browsers. If you want higher-grade, you'll have to pay. They're very open about wanting to provide free simple certificates for everyone.

What's the difference between a simple certificate and something higher-grade? What does the simple certificate lack that a higher grade certificate provides?

Extended verification certificates (EV; "actually verified") cause the browser bar to turn green. That will make people more likely to trust you.

Studies have shown that people don't know what the green bar actually means: http://en.wikipedia.org/wiki/Extended_Validation_Certificate...

IMHO an extremely overrated (and overpriced) feature, which imposes no extra security whatsoever.

You are pointing to a study that was published in 2006. This means the actual data is at least 7 years old.

Can you find a more current example?

Exactly! In fact the change to green out of the ordinary lack of it might make them think something is WRONG, not better.

These are users who also keep their browser sessions going forever and therefore session cookies never expire - thereby making what was supposed to make something more secure, exactly the opposite.

The free one also won't work with wildcard certs, and will only accept one hostname in the subjectAltName field. My domain is "grepular.com", the certificate needs to contain "secure.grepular.com" for historical reasons. This means, when I use startssl, I can't include "www.grepular.com" in the cert. Unless I pay for a cert.

Thanks for clarifying!

Will a free StartSSL certificate trigger an 'untrusted source' warning from the browser?

Also, will a free certificate be adequate for encrypting authentication data in a web API?

StartSSL is completely fine for those goals. Pretty much the only effect of an EV certificate is the green bar. (Which is easily worth $150/yr if you're doing millions in e-commerce, of course!)

By the way, I went ahead and got a free StartSSL certificate. So far it seems to work fine. Thanks again for your feedback.

Excellent - thank you!

Should be OK for a web API, but for an e-commerce site, you'll likely want a recognized CA.

That's disingenuous. You should be bundling your CA cert with your cert anyway, which would avoid that problem.

Neither the linked article nor any of the parent comments talk about certificate chaining, which seems to be what you're referring to.

Also, please check the definition of 'disingenuous', it's massively overused on Hacker News (often in a completely incorrect context).

jorangreef said "RE StartSSL..." then pointed to an article about the problems of SSL w.r.t mobile apps. Since this is in reply to a very positive post about StartSSL, the obvious inference is that his linked article provides some evidence on why one wouldn't want to use StartSSL. But that's pure FUD because the only mention of StartSSL in the whole article is that they close their connections so two more TCP connections are required to authenticate the cert... but anyone worth their salt would be bundling in the CA cert anyway, obviating the need for those connections.

I don't know what your beef is with 'disingenuous,' but that's exactly what I meant.

OCSP isn't an optional step involved only if you don't present your CA's intermediary certificate, it's in addition to it. The whole point of it is "I have this guy with these legit looking credentials you issued, do you still stand by them?".

You can't work around that with chaining, it can only be disabled from client code, or by having the CA issue a cert that doesn't include an OCSP address (doubt any do this now, given the number of legit certs issued to attackers in the past 2 years).

Some of those numbers don't look correct at all. For example I can't find any host name that takes longer than ~500ms to do DNS resolution over 3G. (That's almost worst case scenario, where everything except the TLD is uncached.)

Mike Belshe the author of that post is one of the developers of Chrome as far as I know.

We use StartSSL-free on https://secure.fanboy.co.nz .. no issues with it :)

FWIW, Stripe recommends DigiCert: https://stripe.com/help/ssl

> We recommend DigiCert — their certificates have very wide acceptance (for example, Facebook uses a DigiCert certificate). Other options include NameCheap and GoDaddy. They have slightly lower acceptance but their basic certificates cost $10 to $20.

FB's been switching over to VeriSign -- at least, in my neck of the woods. I pay attention to certs, so I noticed this and took some time to somewhat reassure myself that no MITM was going on. (If I'm wrong, someone please tell me!)

I cannot recommend Comodo.

I paid for one of their certificates (through a re-seller) but they refused to issue it on the grounds that they could not verify my phone number. It was true that it was not in the directories they referred to, but they did not make that clear before selling the certificate.

I would have made a chargeback, but was paranoid about them informing other CAs of the fact - it would be a disaster if I was never able to get another SSL certificate.

Side question: what's the best company for SSL certificates where you're hosting multiple distinct domains for various clients on the same server? I've read about SAN certs, but I haven't found any documentation ...

DigiCert claims that you can add/remove alternative names on already purchased certificates right from their account (you don't even need to include them in the CSR just the primary), but I haven't tried it personally. I wonder about what authentication you, as owner of www.foo.com, have to undergo to add e.g. myapp.client.com to the alternate name.

The downside seems that the organization/country/city fields must be the same, but that doesn't show unless you use EV. The upside is no painful IP acquisition, CSR and renewal process.

As far as I know the only thing that works reliably is to get multiple IPs and multiple (wildcard) SSL certificates. You can try to save a little money by getting startssl certificates (free) or by using SSL host headers (multiple SSL on one IP address), but it doesn't work on all browsers so you end up wasting time explaining to your customers why they get an error when they access their site.

What is "SSL host headers"? Is it wildcard certs, as Microsoft describes them on http://www.microsoft.com/technet/prodtechnol/WindowsServer20... ?

I think he meant "Server Name Indication" https://en.wikipedia.org/wiki/Server_Name_Indication

If there is more than one site hosted on a single IP, the client sends a request for the SSL certificate. In the "old" way, the client didn't say to which domain it wants to connect (it only said so after the SSL connection was established), so the server didn't know which certificate to send.

The problem has been solved with SNI, but it isn't universally supported (yet), though we are close (namely IE on XP). With SNI the client basically tells the server to which domain it wants to open a secure connection, so the server can serve the correct certificate.
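The mechanism the post above describes is visible on the wire: the SNI host name rides inside the ClientHello, before any certificate is sent, so the server can pick a certificate per host name; a client that sends no SNI (the IE-on-XP case) leaves the server with only the IP's default certificate. The following is an added illustration, not code from the thread or from any project mentioned in it: it builds a constructed, minimal ClientHello record (zeroed random, one cipher suite; `build_client_hello` and the `*.example.test` host names are invented for the demo), parses the `server_name` extension out of it, and shows the certificate-selection decision a server makes with and without SNI.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name extension, RFC 6066


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record as sample input.

    Constructed test vector, not a capture: random is all zeros and only one
    cipher suite is offered. hostname=None omits the extensions block entirely,
    like a legacy client that does not send SNI.
    """
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x00" * 32                         # random (zeros; constructed sample)
        + b"\x00"                              # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # compression methods: null only
    )
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block => no SNI
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == 0:                     # host_name
                return name.decode("ascii")
    return None


def select_certificate(record, certs_by_host, default_host):
    """Decide which certificate a server presents for this ClientHello.

    certs_by_host maps hostname -> certificate label. Without SNI the server
    can only fall back to the IP's default certificate, which is exactly the
    pre-SNI problem: the wrong name on the wrong site and a browser warning.
    """
    host = extract_sni(record)
    if host is None or host not in certs_by_host:
        return certs_by_host[default_host]
    return certs_by_host[host]


if __name__ == "__main__":
    # Constructed sample: two sites on one IP; host names are placeholders.
    table = {"a.example.test": "cert-for-a", "b.example.test": "cert-for-b"}
    print(select_certificate(build_client_hello("b.example.test"), table, "a.example.test"))
    print(select_certificate(build_client_hello(None), table, "a.example.test"))
```

The parser walks the fixed-layout fields (version, random, session id, cipher suites, compression) before reaching the extensions, which is where real servers and passive monitoring tools read the host name from; a ClientHello with no extensions block at all is handled as "no SNI" rather than as an error.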

What do you want to do? Have multiple sites using the same ip address and port share a certificate? Get an SNI certificate, but beware of WinXP.

Also, you might be interested in the trust relationships between the major CAs.

- https://www.eff.org/files/colour_map_of_CAs.pdf

- https://www.eff.org/files/DefconSSLiverse.pdf

I like Gandi. You get a free SSL certificate for a year with your domain, and it's $12 a year after that.

They say you also get a free 1-year certificate with domain name renewals, implying that if you renew your domains for 1 year you can get a perpetual stream of free certs.

The only downside is that Gandi's certificates are not wildcard; i.e. they only apply to your root domain.
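Two posts in this thread turn on which host names a certificate actually covers: the one above about a non-wildcard certificate that only applies to the root domain, and the earlier one noting that a free StartSSL cert allows a single extra subjectAltName, so "www.grepular.com" is left out. The matching rules browsers apply to dNSName entries are mechanical, and the added example below (not code from the thread or from any CA) encodes them: exact match is case-insensitive, a wildcard must be the whole leftmost label, matches exactly one label, and never covers the bare domain. The SAN lists are constructed to mirror those two cases, reusing the grepular.com names from the thread.

```python
def hostname_matches(pattern, hostname):
    """Does one SAN dNSName entry cover hostname?

    Rules follow what browsers enforce for dNSName entries (RFC 6125 style):
    case-insensitive exact match, or a wildcard that is the entire leftmost
    label, matches exactly one label, and never matches the bare domain.
    Partial-label wildcards such as "se*.example" are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and the only wildcard.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:            # refuse "*.com"-style patterns
        return False
    if len(h_labels) != len(p_labels):
        return False                 # "*" covers exactly one label
    return p_labels[1:] == h_labels[1:]


def coverage(san_names, hostnames):
    """Map each wanted hostname to the SAN entry that covers it, or None."""
    result = {}
    for host in hostnames:
        result[host] = next((san for san in san_names if hostname_matches(san, host)), None)
    return result


if __name__ == "__main__":
    # Constructed SAN lists modelled on the thread's cases; not real certificates.
    free_cert = ["grepular.com", "secure.grepular.com"]   # one extra SAN only
    root_only_cert = ["grepular.com"]                      # non-wildcard, root domain only
    wildcard_cert = ["grepular.com", "*.grepular.com"]
    wanted = ["grepular.com", "secure.grepular.com", "www.grepular.com", "a.b.grepular.com"]
    for label, sans in (("free cert", free_cert), ("root-only cert", root_only_cert),
                        ("wildcard cert", wildcard_cert)):
        print(label, coverage(sans, wanted))
```

Running it shows the practical consequence: the single-SAN cert leaves www uncovered, the root-only cert covers nothing but the apex, and even the wildcard cert does not reach a.b.grepular.com, which needs its own entry or a second wildcard.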

Slightly off topic, but how are people using SSL with App Engine? Last time I checked they didn't support SSL on your own domain. I'm not sure if this is similar for e.g. Heroku. I presume most non-trivial apps would have some kind of secure login.

Looks like it went into testing last October [1], otherwise people have been using their appspot subdomains.


I get mine through DNSimple. I'm sure they're a reseller for another company, but $20 a year for a single domain SSL and $100 a year for wildcard.

That's expensive. The same GeoTrust RapidSSL certificate is $9.95/year through Namecheap, for example.

I can imagine the SSL cert sellers laughing at those buying them. How it is that money can BUY TRUST is beyond my comprehension.

Well how can you trust a company you have never dealt with before? It used to be that SSL certificates were a mark of insurance, proof that they had thought about securing your data in transmission, and proof that someone had validated the company as being real (like an auditor should). Nowadays points 1 and 3 are no longer true.

We've used Comodo certs for our projects, given out for free by our provider SSD Nodes (http://www.webhostingtalk.com/showthread.php?t=1122631). I think the certs by themselves are $9-10/year if you decided to get them on your own.

A little off topic, but I'm thinking of using CloudFlare's "Easiest SSL Ever"... Is anyone here using it?


Not yet, but that's my plan :) I'll set up CloudFlare soon, for the "go live" of my new startup this month.

I get ours through our registrar (who also does our sideproject hosting), DreamHost. They have $15/year certificates (via Comodo), and you automatically get both the root and the www. subdomain of the certificate, included in the price.

What's your goal? There are all types of certificates, some cheap and some expensive. If you're aiming for cheap, companies like Namecheap and GoDaddy sell them for peanuts but they're "cheap" certificates, not with bells and whistles.

Is there a chance you could elaborate on this some? What would some example "bells and whistles" be with regards to SSL certs?

Verisign EV certs get the green text along with the name of the company in the browser (ex: https://paypal.com)

More information: http://www.verisign.com/ssl/ssl-information-center/extended-...

All EV certificates provide that feature, not just the ones sold by Verisign. Are you a paid shill of Verisign?

In general, no one should ever do business with Verisign, due to their practice of domain slamming, their Site Finder misfeature, and other shady practices.

Do they still do that? Thanks for pointing that out though, I found this:

through Wikipedia:

"VeriSign was sued in 2002 for their actions in sending ambiguous emails informing people, often incorrectly, that their domain was about to expire and inviting them to click on a link to renew it. Renewing the domain resulted in the registration company being transferred to VeriSign from the previous registrar."

Verisign cannot do that anymore since they no longer operate a registrar (Network Solutions was spun-off/sold-off).

Ok, I didn't know that. What I should investigate is whether the same people that authorized those shady tactics are still in charge there (or whether that culture persists).

GoDaddy is listed among the issuers of EV certificates on Wikipedia, so don't they offer them? :

(I don't know the difference between standard SSL certificates and EV ones)

GoDaddy does look like they offer them:

Mostly, they are the same. There are some "addons" that are possible with SSL certificates. For example wildcard certificates which are valid on all subdomains, included support, encryption strength, browser support and others.

I use http://exoware.net/ They're a small company, but they care and they do a good job so we get along just fine. SSL starts at £15 a year and goes up. £70 per year for a wildcard.

I use cacert.org (free) on my private stuff. Unfortunately they are not included with Mozilla, so leaning towards startssl.com for my public project.

I like https://www.alphassl.com/. It's one hop down the chain from the Global Sign root.

NameCheap has been great for me, for SSL certificates and domains.

startssl.com is free.

Digicert is ballin'. Using them on a few sites.

Comodo with PositiveSSL is a bargain for $9 USD.

Ignore anyone in this thread telling you to use StartSSL.

When you care about your cert (validated, EV, etc): DigiCert. When you don't care that much: RapidSSL from Namecheap.

The end.

> Ignore anyone in this thread telling you to use StartSSL.

Why? What's wrong with it?

You might care about your cert. However, your users do not care at all. Most users (not most HN readers!) have no idea what the difference between certificates is.

Do you really think users pause to check what type of SSL certificate the site has? ... And which CA signed that certificate? They don't -- even when they access their bank.

I had a good experience with StartCom.

I would definitely advise startssl.com to you, they offer free SSL certificates.
