Ask HN: Where should I buy an SSL certificate for my site?
45 points by shimon 2730 days ago | 52 comments
I need some help navigating the SSL cert oligopoly. What vendor has a reasonable price while delivering a no-scary-messages experience in virtually all browsers?

Personal experience with various vendors and any gotchas I haven't thought of are especially welcome.




FYI, if you buy a wildcard cert covering .example.com, example.com itself does not match -- only subdomains do.


This is true, and it makes hosting www.example.com and example.com on the same IP somewhat difficult. Certain newer browsers understand the Subject Alternative Name format. Here's a link about it: http://www.digicert.com/subject-alternative-name.htm

I don't know anything about the linked site, so I'm not endorsing their products.


Digicert is a legitimate provider of SSL certificates (my company uses them pretty much exclusively; I don't think they are any better or worse than other SSL providers that I've used professionally).

One exceptional thing Digicert provides is good practical documentation for generating a certificate signing request and applying a purchased certificate to any web or application server. Makes it really easy for junior admins to get up to speed when they have to apply certs to everything from IIS to Apache, Tomcat, JBoss, etc. within the same environment.


Actively considering using Digicert here so your info is appreciated.

We can work around the primary domain not matching because our landing page has no real need for SSL, however, we do very much need iPhone support on the subdomains.

Would you happen to know if Digicert Wildcard SSL certs work on the iPhone? Thanks


The DigiCert Wildcard cert does work on the iPhone.


Great, thanks.


Just redirect. When people are typing in a URL manually and by habit add an unnecessary www., they're probably not typing https. I have www.ourdoings.com redirect to ourdoings.com for example.


Is there any site that covers the topics of wildcard certs in more detail, such as what different wildcards do/don't allow you to do, etc?

I'm personally looking for a wildcard cert to cover my main site, leetcode.net, as well as all of my subdomains (mail.leetcode.net, etc). Is this possible? What cert do I need?


You need two certs:

1. CN=example.com

2. CN=*.example.com

If all you are using the secondary cert for is to provide a TLS signing token you can get away with just a cert for the domain. You have to play some tricks with DNS and hostnames, if you are spreading services between different machines (and it's hokey to do it that way if you want to be a service provider) but it can be made to work.
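The wildcard/bare-domain point raised above, the Subject Alternative Name alternative, and the "two certs" answer can all be checked locally without buying anything. The following is an added example, not code from anyone in this thread: it issues two throwaway self-signed certificates with the `openssl` CLI (assumed installed) and asks OpenSSL which hostnames each one is valid for. A certificate whose only name is `*.example.com` matches `www.example.com` but neither `example.com` nor `a.b.example.com`; a single certificate carrying both `DNS:example.com` and `DNS:*.example.com` as SANs covers the bare domain too, so the SAN route needs one cert rather than two. All names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): compare hostname matching for a
# wildcard-only certificate against one that carries Subject Alternative Names.
# Assumes the `openssl` command-line tool is installed; example.com is a placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a throwaway self-signed cert.
#   $1 = file prefix, $2 = subject CN, $3 = subjectAltName value (e.g. "DNS:*.example.com")
# The request config is written to a file so this works on old and new OpenSSL alike.
mkcert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $2
[ext]
subjectAltName = $3
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -config "$WORK/$1.cnf" 2>/dev/null
}

# Ask OpenSSL whether the certificate with prefix $1 is valid for hostname $2,
# using the same RFC 6125-style matching a TLS client applies.
# Prints "match" or "nomatch".
checkhost() {
    if openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2" \
        | grep -q 'does NOT match'; then
        echo nomatch
    else
        echo match
    fi
}

# Wildcard-only cert (what a vendor's "wildcard" product gives you).
mkcert wild '*.example.com' 'DNS:*.example.com'
# One cert naming both the bare domain and the wildcard via SAN.
mkcert san  'example.com'   'DNS:example.com,DNS:*.example.com'

for host in example.com www.example.com a.b.example.com; do
    printf '%-18s wildcard-only: %-8s with SAN: %s\n' \
        "$host" "$(checkhost wild "$host")" "$(checkhost san "$host")"
done
```

Note that a wildcard covers exactly one label, so `a.b.example.com` fails against `*.example.com` even though `www.example.com` passes; if nested subdomains are in play they need their own entry (or another wildcard) in the SAN list.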


I paid $14.99 for a GoDaddy certificate and I was up and going within a few minutes. The certificate creation process was pretty simple. You have to search "SSL Certificate" in Google to get the reduced price, otherwise they charge about $10 more.


Note that new domain registrations at Namecheap currently include a free SSL cert (1st free), and you can use them for arbitrary hostnames. Roughly the same distribution of the parent cert in browsers.


I've used namecheap to set up a cert for my site. It's the only one I've set up so far so I can't compare them to other vendors but I had no problems and would happily use them again.


I had no end of troubles with godaddy (unrelated to certs). I would never do business with them again.


Verisign and move on, or use your hosting firm if they provide the service. This isn't a question worth your time, really.


Verisign is the only realistic choice if you want your website to work with older mobile browsers and low-end mobile browsers. Many phones from as recently as two years ago only have the Verisign root cert installed in them.

If Verisign is too pricey, and you are willing to lock out older and low-end devices, but not all devices, then GeoTrust QuickSSL is the only alternative. QuickSSL is cheap enough that there isn't any reason to try to find something cheaper.

All other certificates being sold have one or more of the following problems: the root cert is in few devices or only in recent devices, the root cert is present in devices but will expire in the next 2-3 years, the certificate is a chained one which won't work in some devices, the root certificate uses relatively weak crypto (1024-bit key or MD5 signature), or there is some other problem which I cannot remember off the top of my head.


GoDaddy is pretty cheap and I don't see why you shouldn't use them.


You want to beware of what you're buying. Chained certificates are OK if it's for something where you have a small number of users (say site admins), but you will look like an incompetent nitwit if your clients' customers are getting browser security errors because they don't have the intermediate certificate installed in their browser.

My recommendation for ease of use and fast turnaround is Geotrust or one of their resellers.


I think the ones from GoDaddy work fine in most browsers. Or no?


I had a bad experience where a customer trying to save a buck, who got one of the $15 startech certs offered by GoDaddy, was screaming at me because their customers were getting errors and invalid certificate warnings. It worked fine in his browser because the first time you visited the issuing website it offered to install the intermediate cert in your browser. It didn't work for J. Random Shopper, and the merchant in question didn't find out about this problem until he was helping his sister purchase something from the store.

Thus my antipathy to GoDaddy; they made $15 bucks off that merchant, but I will recommend against them, because it's pretty sleazy to play that kind of game on people.


Actually, firefox 3 on xp is missing a godaddy cert line. Just install the certificate chain/bundle instead of the lone certificate and you'll be ok.


There are certain corner cases where this doesn't work (one that comes to mind is WPA enterprise certificate negotiation in Windows XP, completely unrelated to HTTPS).

If the requirement for "virtually all browsers" includes esoteric mobile stuff I'd be concerned about intermediate certificate authorities. If you're doing desktop applications/common mobile applications, these providers will have solutions for you.


That's not completely true. Almost all certificate providers issue chained certificates (even VeriSign) because it is better security practice. You simply need to install the intermediate certificate on the server and none of the visitors will receive errors.
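The disagreement in the last few comments (chained certs break for visitors who lack the intermediate, versus install the intermediate on the server and nobody sees an error) can be reproduced offline. What follows is an added example, not code from anyone in this thread: it uses the `openssl` CLI (assumed installed) to build a private root, an intermediate signed by that root, and a leaf signed by the intermediate, then verifies the leaf the way a browser that only trusts the root would. Presenting the lone leaf fails with "unable to get local issuer certificate"; presenting the leaf together with the intermediate (the "chain/bundle" a server should be configured to send) succeeds. All names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> leaf with the
# openssl CLI and show why a server must send the intermediate, not just its own cert.
# Assumes the `openssl` command-line tool is installed; all names are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: v3_ca for the root and intermediate, v3_leaf for the server cert.
# The [req]/[dn] sections are only used when the root self-signs itself.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:www.example.com
EOF

# 1. Self-signed root: this is the only thing the "browser" trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ext.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# 2. Intermediate CA, issued by the root.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -subj '/CN=Example Test Intermediate' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 1 -extfile "$WORK/ext.cnf" -extensions v3_ca \
    -out "$WORK/inter.crt" 2>/dev/null

# 3. Server (leaf) certificate, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -subj '/CN=www.example.com' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -set_serial 3 -days 1 -extfile "$WORK/ext.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.crt" 2>/dev/null

# What a correctly configured server sends: its own cert followed by the intermediate.
cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/bundle.crt"

# Verify as a client that trusts only the root and is handed just the leaf.
# Prints "ok" or "fail".
verify_lone_leaf() {
    if openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1 | grep -q ': OK'; then
        echo ok
    else
        echo fail
    fi
}

# Same client, but the server also supplied the intermediate (via the bundle),
# which the client treats as untrusted input it can use to build the chain.
verify_with_bundle() {
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/bundle.crt" \
        "$WORK/leaf.crt" 2>&1 | grep -q ': OK'; then
        echo ok
    else
        echo fail
    fi
}

echo "lone leaf, root only in trust store: $(verify_lone_leaf)"
echo "leaf + intermediate bundle:          $(verify_with_bundle)"
```

The same thing is what the "just install the chain/bundle instead of the lone certificate" advice means in practice: the client never needs the intermediate pre-installed as long as the server includes it in the handshake. Clients that lack a path-building facility (the Windows XP WPA case mentioned elsewhere in the thread) are the exception, and no server-side fix helps them.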


I wouldn't touch godaddy with a stolen computer to paraphrase the late George Carlin.


I've used GoDaddy SSL certs without any problem.

Considering they are 1/2 the price of instantssl.com, I'd say they're a fine option–especially if you're bootstrapping.


We've had great success with GoDaddy SSL too. Just because they have a terrible sign up process and UI doesn't mean that their products are terrible.


The problem with godaddy is that they seem to reduce costs very aggressively by automating about 95% of all cases. If you happen to have issues that fall within the remaining 5% you're totally screwed because they simply refuse to help. That's my experience anyway.


Agreed.

I should also mention that they have the lowest-priced wildcard certificate I can find.

A few of my SaaS apps require this because they're subdomain-based. $200 is still a lot for a wildcard cert, but less than $379.


why is that?


Because I've had a pretty bad experience with godaddy when it comes to domain names, that burns them as a supplier in my book, possibly they are 'better' when it comes to certificates but once bitten twice shy.


If anyone needs a cert (including the OP if he hasn't purchased yet) and help setting it up on pretty much any server/device/platform - email me. My address is on my profile. Mention HN and this thread, and I'll make sure you're looked after ;)

[Disclosure: I work for a CA.]


Most of the resellers out there are reselling Comodo certificates. Comodo is probably the leader in terms of number of certificates issued and you can buy direct from them to save the middleman. They offer two classes of certificates but both are essentially the same. The difference is the amount of insurance Comodo provides you and the level of authentication you must go through to prove who you say you are.

You can check them both out at: http://www.instantssl.com/ (the lower end) http://www.enterprisessl.com/ (the higher end)


Comodo's default InstantSSL root is not present in many devices (Nokia Series 40 and Windows Mobile in particular, IIRC). If you file a support ticket they will issue you a certificate chained to a different root. But, that root certificate is going to expire relatively quickly, and it is hit-or-miss whether Comodo will charge you extra for it (since it effectively makes your cert. an EnterpriseSSL cert.).

Comodo is also on the verge of getting its trust taken away from them, due to negligent behavior that was widely reported a month or two ago. If any more negligent behavior is discovered (not unlikely), I think browser makers will be forced to remove Comodo's root, making all their certs worthless. (They are already worthless to me.)


Here's an article about said negligent behavior: https://blog.startcom.org/?p=145


we used thawte, but wish we used verisign because they have a cooler 'secured by' icon ;p

seriously


You can find reviews and ratings of SSL vendors at http://www.sslshopper.com/certificate-authority-reviews.html


I started my search by looking at the providers that offered certificates accepted by Firefox and Internet Explorer. My next level of filtering was to look at cost and the ability to try the certificate for free during a trial period.

I settled on Comodo (instantssl.com). The evaluation period went perfectly. At the end of the period, I paid (I seem to recall $99) for a one year certificate. They required a couple forms of identification (driver's license, utility bill) and the process went smoothly. I am using the certificate now at bigtweet.com.


I recently researched this and I thought Digicert looked pretty good. Digicert includes Subject Alternative Name.

Our CEO insisted on VeriSign so that's what we went with - way more expensive and to get both www.example.com and example.com you either have to buy another cert (for example.com) or go through their Sales team's Managed PKI to get a SAN - ridiculous!

Cheers


cacert.org - And it is free :)

And running multiple SSL/https domains from a single IP is also possible when using recent enough software (Apache with mod_ssl which has SNI support). More info about SNI here - http://en.wikipedia.org/wiki/Server_Name_Indication


SNI is not supported by IE6 or earlier, and probably not feasible if you're trying to reach older mobile browsers (or even current ones, iPhone does not support it).

Which really sucks because it is an elegant solution to a very real problem.


I honestly don't think it matters too much. You can get certs from $15-$20, and, while most of them will try to upsell you to a more "secure" version to "give your visitors confidence", 90% of your visitors probably won't know who issued your certificate. As long as it's trusted in MSIE, Firefox, and Opera you'll be fine.


I recently bought a domain from namecheap and got a 1 year SSL free. Haven't tried it out though.


I'm using it and it works. Note that it isn't just domains that give you a free SSL certificate, it's just about any product they sell, like Whois Guard. Make sure to add it to your cart at the right stage of the process, though.


What about thawte?


I'm using thawte and am very pleased with it. Compatibility was great in my tests - it covered all mobile devices (Windows Mobile at the time) and desktop browsers I cared about.

They also gave me a follow-up phone call to make sure everything went well (they were NOT trying to upsell, it was a genuine help offer).


Anyone here have experience with StartCom? http://cert.startcom.org/


Network Solutions Pro certificate was easy to setup, offers good value at $139/year.


I'll second this. Verisign is a racket. Network Solutions is still a reputable company and provides the cert at a good price.


I found trustico to be the cheapest so far. Their service is decent too.


I went with a comodo SSL through NameCheap.com - works great.


I'd have a hard time trusting Comodo. It's been recently shown that they will issue a certificate for any website to anyone at all, without verification: https://blog.startcom.org/?p=145


I can also recommend comodo, fast approval and great customer service!


Trustwave



