Hacker News new | past | comments | ask | show | jobs | submit login

The number of certificates issued/inserted on 25th December, which is almost the same as any other day in December, while being a bank holiday in most Western countries, makes me happy: the industry successfully made certificate renewal fully automatic.

For LetsEncrypt, all renewal requests are done with ACME clients, so this is not a surprise.

I'm curious to know which part of DigiCert and Certigo certificates are actually renewed with an ACME request (both support it).




Certigo is ZeroSSL for all intensive purposes (as far as I am concerned) so probably close to all of them were acme clients.

Digicert has been pushing acme for a while now, but it's a bit annoying as you (my company) needed to prepay/have a line of credit for it, or some annoyance that didn't make it as seemless as LE/ZeroSSL.

I think for digicert any of the certs with 89/90 day expiry would be acme renewals with a near 100% certainty.


Off-topic PSA: you probably wanted to write either 'for all intents and purposes' or 'for all intensive porpoises', if you are making a joke.


Oops! I certainly should have!


What's the value prop of Digicert over LE these days?


I don't have a definite reason you (or anybody in particular) should choose Digicert but I can give you a couple of ideas of where technically they might be a good choice and ISRG (Let's Encrypt) are not.

Firstly there may be policy issues and you can pay Digicert to care whereas you can't pay Let's Encrypt to care about your problems. Meta for example pays (paid?) their issuer to obey their private extra requirements on top of the rules for the Web PKI when it comes to names in the famous facebook.com 2LD.

Secondly trust issues. Obviously for a mainstream browser or similar, ISRG are trusted, but maybe you've got a fleet of Multi-function Printers from 2015 across 54 offices and alas none of them trust Let's Encrypt for the TLS servers. Yes, this was a dumb purchase but you don't have a time machine and the people who maintain this fleet keeps telling you the next version will definitely fix it, so meanwhile you're buying Digicert certificates.


Let's Encrypt has chosen not to support IP address in SAN: https://community.letsencrypt.org/t/planned-rfc-8738-support...

This is admittedly a rare use case, but is needed e.g. for setting up a DNS-over-HTTPS server.

ZeroSSL seems to support IPv4 SANs, but fails to validate IPv6 addresses; I tried emailing their support several times about this but they never replied. I finally got a working certificate via GeoCerts (https://www.geocerts.com/), a DigiCert reseller, but doing so required manual validation. For the record, GeoCerts support was fantastic.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: