Ask HN: Which SSL certificate
4 points by ikusalic on Jan 4, 2015 | 7 comments
I want to secure a single site that redirects from the bare domain to the 'www' subdomain. I'm assuming I need an SSL certificate with 2 names: example.com and www.example.com.

What CA and specific certificate would you recommend? The site does not deal with any payment or login data, so something cheap that is well supported in browsers would be preferable.

RapidSSL and PositiveSSL should be fine (personal preference is buying through Namecheap) and if you buy the www.example.com cert it will support example.com as well.

You may want to confirm that last bit with wherever you buy the cert--Namecheap does this but I'm not sure if it's universal.


I second this. We use PositiveSSL from Namecheap for https://curious.io and it works very well. I had no prior experience so I had some help trying to get it up there, but compared to other SSL certificates, it was cheaper and (so I've been told) no different from most of the costlier alternatives, at least for how we'd be using it.


Thanks. I'd actually prefer to buy through Namecheap as well. I saw RapidSSL and PositiveSSL certs, but I thought they were not suitable if I want both with and without the 'www' subdomain.

So if I buy RapidSSL or PositiveSSL through Namecheap for www.example.com, they will automatically come with example.com in SAN?

Also, why do they have "You also need to have a dedicated IP address" in the requirements? Is this used somewhere in the validation process? I'm asking because the website runs on top of AWS S3, so I do not have dedicated IPs.


@ikusalic

> Also, why do they have "You also need to have a dedicated IP address" in the requirements? Is this used somewhere in the validation process? I'm asking because the website runs on top of AWS S3, so I do not have dedicated IPs.

The reason is that in the past browsers did not support name-based virtual hosts for SSL and required a dedicated IP to negotiate the initial connection. Wikipedia gives a decent overview on SNI. [1] Amazon CloudFront has supported SNI (SSL named virtual hosts) since last March [2]...I don't know if there are costs involved on the AWS side.

According to Qualys, the users of the following clients would not be able to negotiate a connection to your site if you don't have a dedicated IP and use SNI instead:

- Android 2.3.7
- BingBot Dec 2013
- IE 6 / XP
- IE 8 / XP
- Java 6u45
- Yahoo Slurp Jun 2014

Implementation notes for the more popular web servers, for posterity or in case you migrate from AWS:

- Apache: https://wiki.apache.org/httpd/NameBasedSSLVHosts
- Nginx.org links to https://www.howtoforge.com/how-to-set-up-ssl-vhosts-under-ng...

I know Digital Ocean/Linode/Rackspace also offer some really good resources too aside from the SSL provider docs. I've been extremely pleased with the certs/support Namecheap resells over the past 7 years. And they do include the bare domain in the SAN automatically--it has been included for all certificates I've ever purchased. Hope this helps!

[1] http://en.wikipedia.org/wiki/Server_Name_Indication

[2] http://aws.amazon.com/about-aws/whats-new/2014/03/05/amazon-...
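An added check, not code from this thread, for the two questions raised above: whether a certificate's SAN list actually covers both example.com and www.example.com, and what a client that sends no SNI gets back. The offline functions work on the dict shape Python's ssl.SSLSocket.getpeercert() returns; the sample cert dicts are constructed, and fetch_cert() is the only part that needs network access.

```python
import socket
import ssl

# Constructed sample certs in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT_WWW_ONLY = {"subject": ((("commonName", "www.example.com"),),),
                 "subjectAltName": (("DNS", "www.example.com"),)}
CERT_BOTH = {"subject": ((("commonName", "www.example.com"),),),
             "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
CERT_WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}


def san_dns_names(cert):
    """DNS names from the subjectAltName extension (browsers ignore the CN)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' as the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    labels = hostname.split(".")
    # '*.example.com' covers 'www.example.com' but never the bare 'example.com'
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def missing_names(cert, names):
    """Return the names that no SAN entry covers."""
    sans = san_dns_names(cert)
    return [n for n in names if not any(name_matches(s, n) for s in sans)]


def fetch_cert(host, port=443, use_sni=True):
    """Fetch the validated leaf certificate. With use_sni=False no SNI is sent, so a
    server hosting several sites on one IP answers with its default certificate,
    which is what the SNI-less clients in the Qualys list would receive."""
    ctx = ssl.create_default_context()
    if not use_sni:
        ctx.check_hostname = False  # hostname check needs server_hostname; chain is still verified
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(missing_names(CERT_WWW_ONLY, ["example.com", "www.example.com"]))  # ['example.com']
```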


> Also, why do they have "You also need to have a dedicated IP address" in the requirements?

Because a web server that hosts multiple secure websites needs a way to know which of the certificates to use to encrypt a new incoming connection. The way we disambiguate that is to give each website a different IP address. In short, it's about the way SSL works, not anything to do with validation.


Thanks for the explanation. To my understanding, that's only necessary when I actually use the certificate, not as part of certificate validation. I assumed the validation would happen with me setting some DNS record with a particular value they can validate, or something similar.


I hadn't noticed that. Typically the only thing they need in terms of the domain when you actually activate the cert is that they'll only be willing to send the cert to an email that can be found on a whois record. You should be fine.
