Recommendations for where to get SSL Certificates?

[mouser]

The DonationCoder SSL certificates need to be renewed soon, and I'm looking for affordable recommendations.

In the past we've used StartSSL which I've written about.  Their prices were wonderful, though I found their process painful and confusing.  And worse, I understand that the certificates from StartSSL will start to be marked as untrusted soon for reasons that are slightly beyond my ken.

We have a main website domain, and a couple of side domains (dcmembers.com, etc.), plus a need for a code signing certificate.

Any recommendations would be welcome.

[wraith808]

LetsEncrypt is an option.  I didn't do it because my current server doesn't support the automated way, I wasn't going to do commandline, and I wasn't going to switch servers just for that.  But if your server supports it, or you're not averse to doing it on the command line, take a look.

[mouser]

LetsEncrypt looks awesome.. I may very well try it.
Looks like they don't do code signing certificates so that will have to be handled someplace else regardless.

[mouser]

Edit: I will definitely revisit LetsEncrypt in the near future.  For now I am trying Comodo's InstantSSL and the process seems to be pretty painless and fast thus far.
They will generate 90 day ssl certificates for free so its a great way to test things.

The new SSL certificate is on the DonationCoder https server as we speak.

[wraith808]

What is the URL for InstantSSL?  When I look it up, I get several results...

[Stoic Joker]

Their prices were wonderful, though I found their process painful and confusing.  And worse, I understand that the certificates from StartSSL will start to be marked as untrusted soon for reasons that are slightly beyond my ken.

-mouser (November 28, 2016, 07:54 AM)

Oh crap!

For now I am trying Comodo's InstantSSL and the process seems to be pretty painless and fast thus far. They will generate 90 day ssl certificates for free so its a great way to test things.

-mouser (November 30, 2016, 12:56 AM)

Will they do wildcard certs during the 90 day preview? If StartSSL goes untrusted I'm screwed on several fronts.

Thanks for the heads up.

[mouser]

Will they do wildcard certs during the 90 day preview? If StartSSL goes untrusted I'm screwed on several fronts.

not only won't they do wildcard certs during the 90 day preview, but a wildcard cert is something like $900. 

Don't take my word on the StartSSL untrusted stuff.. The whole ssl cert scene is confusing to me and I'm just operating on the bare scraps of info that i pick up, and i have a very tenuous grasp on the whole process, much like my interactions with the fair sex.

[Jibz]

Have you tried K Software? I was looking at them back when I thought about getting a code signing cert. They are Comodo resellers. Looks like a wildcard cert is $145/y.

http://www.ksoftware.net/ssl_certs.html

Mind you, I have no experience with them, since I ended up not getting one (still too expensive for me).

[mouser]

I had forgotten all about K Software.. They seem like a good place to get certificates.

[Stoic Joker]

Don't take my word on the StartSSL untrusted stuff.. The whole ssl cert scene is confusing to me and I'm just operating on the bare scraps of info that i pick up, and i have a very tenuous grasp on the whole process, much like my interactions with the fair sex.

-mouser (November 30, 2016, 09:19 AM)

Can you point me (link) at where you got that (untrusted) impression...so I can - try to - make an informed decision to panic?

SSL gives me fits too, I suspect mainly because the entire scheme is intentionally designed to be horribly overcomplicated. And any time you try todo anything with it, it's always long strings of cryptic options that invariably lead to 30+ pages of documentation that vaguely elude to explaining it (but don't). It really is pointlessly agonizing to deal with.

[mouser]

Can you point me (link) at where you got that (untrusted) impression.

a search gives a bunch of results.. here's one:
https://www.lowendta...ertificate-authority

[Deozaan]

What is the URL for InstantSSL?  When I look it up, I get several results...

-wraith808 (November 30, 2016, 05:01 AM)

I'm guessing it's http://instantssl.com/

[Stoic Joker]

Can you point me (link) at where you got that (untrusted) impression.

a search gives a bunch of results.. here's one:
https://www.lowendta...ertificate-authority

-mouser (November 30, 2016, 12:03 PM)

Shit ... Well that's reasonably damning.

So... does anyone offer certs for a longer than 1 year period? I really hate playing with SSL so it would - possibly... - be worth the money to not have to futz with it quite so often.

[Shades]

A year is a common period to use for (re-)verification purposes. So I am under the impression that you will be hard-pressed to find deals that last longer. Not all operating systems handle longer lasting certificates equally, can't find the link right now.

For an overview of (free) SSL certificate providers:  https://www.sslshopper.com/article-free-ssl-certificates-from-a-free-certificate-authority.html

Thawte offers 1-year, 2-year and 3-year deals for SSL certificates: https://www.thawte.com/ssl/.

For in-house webservices that are only used by in-house computers, you can deploy your own self-signed certificates (including the CA certificate). Not only cost these nothing, these can also last 10 years. And as you are in control of the CA certificate, you or your users won't be bothered by continuous browser verification requests either. But for this to work, you must be in complete control of all your in-house computer systems. To my understanding, Stoic Joker is (one of) the sysadmins at the company he works for, so that could be somewhat of an option for him.

In my duties as sysadmin I do make use of self-signed certification, mainly to verify if the software I help to create can encrypt/decrypt EDI/XML/JSON type messages transferred by our own services, web services and even Exchange 2007 - 2016 server without any user interaction. And for in-house use, this works well.

Besides HTTP/SSL isn't that safe to begin with: http://www.howtogeek.com/182425/5-serious-problems-with-https-and-ssl-security-on-the-web/ or https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com. If the big names can make such "hiccups" with certification, I suddenly feel less queasy about generating and using my own.

Years ago I saw an infographic somewhere that indicated there aren't more than 5 certificate providers globally. All the companies that offer certificates are either subsidiaries or reselling. Which was a bit unsettling then. I don't think this situation has improved much in this current day and age, though I probably should delve into this again someday.

[wraith808]

Years ago I saw an infographic somewhere that indicated there aren't more than 5 certificate providers globally. All the companies that offer certificates are either subsidiaries or reselling. Which was a bit unsettling then. I don't think this situation has improved much in this current day and age, though I probably should delve into this again someday.

-Shades (December 01, 2016, 07:48 AM)

That's one of the reasons LetsEncrypt was created.  It's an unaffiliated signing agent.

[f0dder]

In this day and age, I would definitely go for LetsEncrypt for HTTPS certificates unless hard pressed to use something else. Self-signed certs aren't really appropriate for a public-facing website, even though they're technically more secure.

Dunno about code signing - aren't the options relatively limited?

[mouser]

I got my code signing certificate at KSoftware as recommended by Jibz above.  Process was fairly painless.

[mouser]

Although the price leaves something to be desired, I have to say I have been impressed with the smoothness of the process of using InstantSSL (comodo).

[Stoic Joker]

Although the price leaves something to be desired, I have to say I have been impressed with the smoothness of the process of using InstantSSL (comodo).

-mouser (February 24, 2017, 09:39 AM)

Same... I ended up going with Comodo for a wildcard cert. Price was a bit of an ouch, but the process was super smooth.