Personal experience with various vendors and any gotchas I haven't thought of are especially welcome.
I don't know anything about the linked site, so I'm not endorsing their products.
One exceptional thing Digicert provides is good practical documentation for generating a certificate signing request and applying a purchased certificate to any web or application server. It makes it really easy for junior admins to get up to speed when they have to apply certs to everything from IIS to Apache, Tomcat, JBoss, etc. within the same environment.
We can work around the primary domain not matching because our landing page has no real need for SSL, however, we do very much need iPhone support on the subdomains.
Would you happen to know if Digicert Wildcard SSL certs work on the iPhone? Thanks
I'm personally looking for a wildcard cert to cover my main site, leetcode.net, as well as all of my subdomains (mail.leetcode.net, etc). Is this possible? What cert do I need?
If all you are using the secondary cert for is to provide a TLS signing token you can get away with just a cert for the domain. You have to play some tricks with DNS and hostnames, if you are spreading services between different machines (and it's hokey to do it that way if you want to be a service provider) but it can be made to work.
If Verisign is too pricey, and you are willing to lock out older and low-end devices, but not all devices, then GeoTrust QuickSSL is the only alternative. QuickSSL is cheap enough that there isn't any reason to try to find something cheaper.
All other certificates being sold have one or more of the following problems: the root cert is in few devices or only in recent devices, the root cert is present in devices but will expire in the next 2-3 years, the certificate is a chained one which won't work in some devices, the root certificate uses relatively weak crypto (1024-bit key or MD5 signature), or there is some other problem which I cannot remember off the top of my head.
My recommendation for ease of use and fast turnaround is Geotrust or one of their resellers.
Thus my antipathy to GoDaddy; they made $15 bucks off that merchant, but I will recommend against them, because it's pretty sleazy to play that kind of game on people.
If the requirement for "virtually all browsers" includes esoteric mobile stuff I'd be concerned about intermediate certificate authorities. If you're doing desktop applications/common mobile applications, these providers will have solutions for you.
Considering they are 1/2 the price of instantssl.com, I'd say they're a fine option–especially if you're bootstrapping.
I should also mention that they have the lowest wildcard certificate I can find.
A few of my SaaS apps require this because they're subdomain-based. $200 is still a lot for a wildcard cert, but less than $379.
[Disclosure: I work for a CA.]
You can check them both out at:
http://www.instantssl.com/ (the lower end)
http://www.enterprisessl.com/ (the higher end)
Comodo is also on the verge of getting its trust taken away from them, due to negligent behavior that was widely reported a month or two ago. If any more negligent behavior is discovered (not unlikely), I think browser makers will be forced to remove Comodo's root, making all their certs worthless. (They are already worthless to me.)
I settled on Comodo (instantssl.com). The evaluation period went perfectly. At the end of the period, I paid (I seem to recall $99) for a one year certificate. They required a couple of forms of identification (driver's license, utility bill) and the process went smoothly. I am using the certificate now at bigtweet.com.
Our CEO insisted on VeriSign so that's what we went with - way more expensive and to get both www.example.com and example.com you either have to buy another cert (for example.com) or go through their Sales team's Managed PKI to get a SAN - ridiculous!
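The question earlier in the thread about a wildcard certificate covering leetcode.net plus its subdomains, and the remark here that www.example.com and example.com need a second cert or a SAN, both come down to the hostname-matching rules a client applies to the names in a certificate. The Python below is an added example, not code from any poster or CA in this thread; it implements those rules (RFC 6125 section 6.4.3, as browsers commonly apply them to subjectAltName dNSName entries) and runs them over constructed name lists for leetcode.net, the domain asked about.

```python
"""Check which hostnames a certificate's names actually cover.

Added example (not code from any poster or vendor in this thread). It
implements the hostname-matching rules browsers apply to dNSName entries
in a certificate's subjectAltName (RFC 6125 section 6.4.3 as commonly
implemented): a wildcard must be the entire left-most label, it matches
exactly one label, and it never matches the bare domain itself.
"""
from typing import Dict, Iterable


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName pattern (optionally '*.'-prefixed) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname  # exact match, case-insensitive

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and appear nowhere else
    # ("f*o.example.com" and "mail.*.example.com" are rejected).
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse a wildcard that would cover an entire public suffix ("*.com").
    if len(p_labels) < 3:
        return False
    # '*' stands for exactly one label, so "*.leetcode.net" covers
    # "mail.leetcode.net" but neither "leetcode.net" nor "a.b.leetcode.net".
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(name_matches(name, hostname) for name in san_names)


def coverage_report(san_names: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether the certificate would be accepted for it."""
    names = list(san_names)
    return {host: cert_covers(names, host) for host in hostnames}


# Constructed sample data: the names a wildcard-only cert and a SAN cert
# might carry for the domain asked about in the thread, and hosts to test.
WILDCARD_ONLY = ["*.leetcode.net"]
WILDCARD_PLUS_BARE = ["leetcode.net", "*.leetcode.net"]
HOSTS = ["leetcode.net", "www.leetcode.net", "mail.leetcode.net",
         "a.b.leetcode.net", "leetcode.net.evil.example"]

if __name__ == "__main__":
    for label, names in (("wildcard only", WILDCARD_ONLY),
                         ("wildcard + bare", WILDCARD_PLUS_BARE)):
        print(f"{label}: {names}")
        for host, ok in coverage_report(names, HOSTS).items():
            print(f"  {host:28s} {'covered' if ok else 'NOT covered'}")
```

Running it shows that a certificate carrying only `*.leetcode.net` is rejected for `leetcode.net` itself and for anything two labels deep, which is why a SAN list holding both the bare name and the wildcard (or a second certificate) is needed to serve the landing page and the subdomains from one setup.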
And running multiple SSL/https domains from a single IP is also possible when using recent enough software (Apache with mod_ssl which has SNI support).
More info about the SNI here - http://en.wikipedia.org/wiki/Server_Name_Indication
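As an added illustration of the mechanism the linked article describes (not code from any poster, nor from Apache or mod_ssl), the Python below builds a minimal TLS ClientHello with a constructed SNI extension, parses the server_name back out the way a name-based virtual host setup must, and picks the certificate to present from a constructed vhost table. The placeholder random, cipher suites and certificate file names are assumptions made for the example; a client that sends no SNI falls through to the default site, which is what makes a shared IP fail for pre-SNI clients.

```python
"""Pull the server_name (SNI) out of a TLS ClientHello.

Added example, not code from any poster in this thread or from Apache/
mod_ssl. It shows the mechanism SNI provides: the client names the site it
wants in its first handshake message, so one IP address can serve several
HTTPS sites with different certificates. The ClientHello bytes are
constructed here by build_client_hello(); the random and cipher suites are
fixed placeholder values, not a real client's.
"""
import struct
from typing import Dict, Optional


class _Cursor:
    """Bounds-checked reader over a byte string."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def done(self) -> bool:
        return self.pos >= len(self.data)

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS record carrying a ClientHello, with SNI if given."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + placeholder random
    body += b"\x00"                             # empty session_id
    suites = b"\x13\x01\x13\x02"                # two TLS 1.3 suites (placeholder choice)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    # supported_versions goes first so the parser has to scan past another extension
    versions = b"\x02\x03\x04"
    exts = struct.pack("!HH", 0x002B, len(versions)) + versions
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name, or None if the record is not a ClientHello or has no SNI.

    Raises ValueError if the record is cut short; a server should drop such input.
    """
    rec = _Cursor(record)
    if rec.u8() != 0x16:                         # not a handshake record
        return None
    rec.take(2)                                  # record-layer version
    hs = _Cursor(rec.take(rec.u16()))
    if hs.u8() != 0x01:                          # not a ClientHello
        return None
    body = _Cursor(hs.take(hs.u24()))
    body.take(2 + 32)                            # client_version + random
    body.take(body.u8())                         # session_id
    body.take(body.u16())                        # cipher_suites
    body.take(body.u8())                         # compression_methods
    if body.done():                              # legacy client: no extensions at all
        return None
    exts = _Cursor(body.take(body.u16()))
    while not exts.done():
        ext_type = exts.u16()
        ext = _Cursor(exts.take(exts.u16()))
        if ext_type != 0x0000:                   # skip anything that is not server_name
            continue
        names = _Cursor(ext.take(ext.u16()))
        while not names.done():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0x00:                # host_name
                return name.decode("ascii")
    return None


def select_vhost(record: bytes, vhosts: Dict[str, str], default: str) -> str:
    """Pick the certificate a name-based virtual host setup would present."""
    sni = extract_sni(record)
    return vhosts.get(sni, default) if sni else default


# Constructed vhost table: hostname -> certificate file (placeholder paths).
VHOSTS = {"www.leetcode.net": "leetcode.pem", "bigtweet.com": "bigtweet.pem"}

if __name__ == "__main__":
    for sni in ("bigtweet.com", "www.leetcode.net", None):
        hello = build_client_hello(sni)
        print(sni, "->", extract_sni(hello), "->", select_vhost(hello, VHOSTS, "leetcode.pem"))
```

The parser reads only what the record-layer and handshake lengths promise and raises on anything shorter, so a truncated or malformed hello is rejected rather than partially interpreted; the third loop iteration shows the no-SNI case landing on the default certificate.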
Which really sucks because it is an elegant solution to a very real problem.
They also gave me a follow-up phone call to make sure everything went well (they were NOT trying to upsell, it was a genuine help offer).