Digicert is a legitimate provider of SSL certificates (my company uses them pretty much exclusively; I don't think they are any better or worse than other SSL providers that I've used professionally).
One exceptional thing Digicert provides is good practical documentation for generating a certificate signing request and applying a purchased certificate to any web or application server. Makes it really easy for junior admins to get up to speed when they have to apply certs to everything from IIS to Apache, Tomcat, JBoss, etc. within the same environment.
If all you are using the secondary cert for is to provide a TLS signing token you can get away with just a cert for the domain. You have to play some tricks with DNS and hostnames, if you are spreading services between different machines (and it's hokey to do it that way if you want to be a service provider) but it can be made to work.
I paid $14.99 for a GoDaddy certificate and I was up and going within a few minutes. The certificate creation process was pretty simple. You have to search "SSL Certificate" in Google to get the reduced price, otherwise they charge about $10 more.
Verisign is the only realistic choice if you want your website to work with older mobile browsers and low-end mobile browsers. Many phones from as recently as two years ago only have the Verisign root cert installed in them.
If Verisign is too pricey, and you are willing to lock out older and low-end devices, but not all devices, then GeoTrust QuickSSL is the only alternative. QuickSSL is cheap enough that there isn't any reason to try to find something cheaper.
All other certificates being sold have one or more of the following problems: the root cert is in few devices or only in recent devices, the root cert is present in devices but will expire in the next 2-3 years, the certificate is a chained one which won't work in some devices, the root certificate uses relatively weak crypto (1024-bit key or MD5 signature), or there is some other problem which I cannot remember off the top of my head.
You want to beware of what you're buying; chained certificates are OK if it's for something where you have a small number of users (say site admins) but you will look like an incompetent nitwit if your clients' customers are getting browser security errors because they don't have the intermediate certificate installed in their browser.
My recommendation for ease of use and fast turnaround is GeoTrust or one of their resellers.
I had a bad experience where a customer trying to save a buck who got one of the $15 dollar startech certs offered by GoDaddy was screaming at me because their customers were getting errors and invalid certificate warnings. It worked fine in his browser because the first time you visited the issuing website it offered to install the intermediate cert in your browser. It didn't work for J. Random Shopper and the merchant in question didn't find out about this problem until he was helping his sister purchase something from the store.
Thus my antipathy to GoDaddy; they made $15 bucks off that merchant, but I will recommend against them, because it's pretty sleazy to play that kind of game on people.
There are certain corner cases where this doesn't work (one that comes to mind is WPA enterprise certificate negotiation in Windows XP, completely unrelated to HTTPS).
If the requirement for "virtually all browsers" includes esoteric mobile stuff I'd be concerned about intermediate certificate authorities. If you're doing desktop applications/common mobile applications, these providers will have solutions for you.
That's not completely true. Almost all certificate providers issue chain certificates (even VeriSign) because it is better security practice. You simply need to install the intermediate certificate on the server and none of the visitors will receive errors.
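The chained-certificate behaviour discussed in the comments above, as an added example that is not part of the original thread: it builds a throwaway root, intermediate and site certificate, then verifies the site certificate with and without the intermediate available. It assumes the `openssl` command-line tool is installed; all subjects and file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example; every name, subject and file here is constructed test data.

# Build a throwaway root -> intermediate -> leaf chain in directory $1.
build_chain() {
  local d="$1"
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=placeholder' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  # Root CA: the only certificate the client trusts out of the box.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null || return 1
  # Site certificate, signed by the intermediate (the "chained" certificate).
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# The file the server should be configured to present: leaf first, then intermediate.
make_fullchain() { cat "$1/leaf.pem" "$1/int.pem" > "$1/fullchain.pem"; }
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Client that was handed only the leaf and has just the root in its trust store.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Client that also has the intermediate, either sent by the server in the
# handshake or cached from an earlier visit. It is a path-building hint, not a trust anchor.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir" && make_fullchain "$demo_dir"
if verify_leaf_only "$demo_dir"; then echo "leaf only: verified"
else echo "leaf only: FAILED (no path from site certificate to a trusted root)"; fi
if verify_with_intermediate "$demo_dir"; then echo "leaf + intermediate: verified"
else echo "leaf + intermediate: FAILED"; fi
echo "certificates in fullchain.pem: $(count_certs "$demo_dir/fullchain.pem")"
rm -rf "$demo_dir"
```

The first check fails and the second succeeds, which is why a site can look fine to an admin whose browser already holds the intermediate while first-time visitors see warnings.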
The problem with GoDaddy is that they seem to reduce costs very aggressively by automating about 95% of all cases. If you happen to have issues that fall within the remaining 5% you're totally screwed because they simply refuse to help. That's my experience anyway.
Because I've had a pretty bad experience with GoDaddy when it comes to domain names, that burns them as a supplier in my book, possibly they are 'better' when it comes to certificates but once bitten twice shy.
If anyone needs a cert (including the OP if he hasn't purchased yet) and help setting it up on pretty much any server/device/platform - email me. My address is on my profile.
Mention HN and this thread, and I'll make sure you're looked after ;)
Most of the resellers out there are reselling Comodo certificates. Comodo is probably the leader in terms of number of certificates issued and you can buy direct from them to save the middleman. They offer two classes of certificates but both are essentially the same. The difference is the amount of insurance Comodo provides you and the level of authentication you must go through to prove who you say you are.
Comodo's default InstantSSL root is not present in many devices (Nokia Series 40 and Windows Mobile in particular, IIRC). If you file a support ticket they will issue you a certificate chained to a different root. But, that root certificate is going to expire relatively quickly, and it is hit-or-miss whether Comodo will charge you extra for it (since it effectively makes your cert. an EnterpriseSSL cert.).
Comodo is also on the verge of getting its trust taken away from them, due to negligent behavior that was widely reported a month or two ago. If any more negligent behavior is discovered (not unlikely), I think browser makers will be forced to remove Comodo's root, making all their certs worthless. (They are already worthless to me.)
I started my search by looking at the providers that offered certificates accepted by Firefox and Internet Explorer. My next level of filtering was to look at cost and the ability to try the certificate for free during a trial period.
I settled on Comodo (instantssl.com). The evaluation period went perfectly. At the end of the period, I paid (I seem to recall $99) for a one year certificate. They required a couple forms of identification (driver's license, utility bill) and the process went smoothly. I am using the certificate now at bigtweet.com.
I recently researched this and I thought Digicert looked pretty good. Digicert includes Subject Alternative Name.
Our CEO insisted on VeriSign so that's what we went with - way more expensive and to get both www.example.com and example.com you either have to buy another cert (for example.com) or go through their Sales team's Managed PKI to get a SAN - ridiculous!
I honestly don't think it matters too much. You can get certs from $15-$20, and, while most of them will try to upsell you to a more "secure" version to "give your visitors confidence", 90% of your visitors probably won't know who issued your certificate. As long as it's trusted in MSIE, Firefox, and Opera you'll be fine.
I'm using it and it works. Note that it isn't just domains that give you a free SSL certificate, it's just about any product they sell, like Whois Guard. Make sure to add it to your cart at the right stage of the process, though.