Ask HN: where do you get your SSL certificates?

77 pointsby yarekalmost 15 years ago

I got a certificate from GoDaddy, and it only seems to work without throwing user warnings on only a handful of browsers (FF on windows, but not on Linux, not chrome, etc). Shelling out several hundred bucks for a Verisign certificate seems awfully steep for a shoe string operation. Are there better alternatives?

20 comments

d_ralmost 15 years ago

This is a known issue with GoDaddy certificates, and can be corrected by specifying an intermediate cert. I ran into the same issue at one point in the past and had to Google a bit to fix it.GoDaddy itself is not a trusted CA on all platforms. It is backed by a trusted CA. To make this work, you have to add a "certificate chain" in your web server and provide the additional certificate linking GoDaddy to that trusted CA.Read more about the configuration here. Note that you'll have to download one additional certificate, not just the main signed certificate. <a href="http://help.godaddy.com/article/5346" rel="nofollow">http://help.godaddy.com/article/5346</a>Here is what my ssl.conf looks like in Apache:<pre><code> SSLCertificateFile /etc/httpd/foo.crt SSLCertificateKeyFile /etc/httpd/foo.key SSLCertificateChainFile /etc/httpd/gd_bundle.crt </code></pre> That gd_bundle.crt is what you're probably missing. Hope this helps.

评论 #1432059 未加载

评论 #1432025 未加载

bensummersalmost 15 years ago

<a href="http://www.trustico.co.uk/products/rapidssl/cheap-rapidssl-ssl-certificate.php" rel="nofollow">http://www.trustico.co.uk/products/rapidssl/cheap-rapidssl-s...</a>Cheap, no certificate chain, and everything seems to have the roots installed.It doesn't really matter where you get them from, the whole thing is a bit of a scam anyway. Since your security is as weak as the worst issuer, there's no point in buying a "premium" certificate.

评论 #1432083 未加载

评论 #1432374 未加载

评论 #1432054 未加载

noiblalmost 15 years ago

I use NameCheap's RapidSSL product for $10/yr. The only thing I don't like about it is that when you register, the 'Organization' value you enter gets overwritten with the common name/domain name. This means that when someone reads the certificate details in their browser, they can't find any reference to your actual company name.

评论 #1432731 未加载

评论 #1432994 未加载

nopalalmost 15 years ago

I like DigiCert.One nice thing they do is give you a www alt name for your domain. (e.g. alt name == www.apple.com for domain apple.com). Thawte charges a minimum of $169 for this.This means that your certificate will be able to be used by www.domain.com and domain.com.Some certs aren't able to be used for both (<a href="https://amazon.com" rel="nofollow">https://amazon.com</a>), and the alternative is to buy two certs.

andymoealmost 15 years ago

Check out this thread: <a href="http://news.ycombinator.com/item?id=464916" rel="nofollow">http://news.ycombinator.com/item?id=464916</a>Also, you might want to provide a bit more about the cert you currently have if you want to know why it's not working on other browsers. Finally, you might want to consider asking/browsing on serverfault.com. There are good discussions on the topic of SSL on that site.

JangoStevealmost 15 years ago

I bought RateMyStudentRental's SSL cert from Godaddy and it was a PITA to setup compared to if you get a trusted root certificate (that does not need to be chained).After reading this thread [1] I bought LeadNuke's SSL cert from NameCheap (a rebranded RapidSSL certificate). Sure enough it was incredibly easy to setup, and is trusted on all the main browsers.[1] <a href="http://news.ycombinator.com/item?id=1318340" rel="nofollow">http://news.ycombinator.com/item?id=1318340</a>

sernalmost 15 years ago

StartCom - their "domain validated" certificates (which other CAs charge for) are free: <a href="http://www.startssl.com/" rel="nofollow">http://www.startssl.com/</a>

评论 #1432064 未加载

评论 #1432019 未加载

评论 #1432111 未加载

评论 #1432529 未加载

评论 #1432557 未加载

shin_laoalmost 15 years ago

We like Gandi, they offer very good customer service.<a href="http://en.gandi.net/ssl" rel="nofollow">http://en.gandi.net/ssl</a>

david_palmost 15 years ago

I use gandi.net. Gandi provides a free SSL certificate (for one year) when you buy/renew a domain from them. It's quite a good deal.<a href="http://en.gandi.net/ssl" rel="nofollow">http://en.gandi.net/ssl</a>

evandavidalmost 15 years ago

I was thinking about this just today. I want a cert to use with Heroku. I love Dreamhost and I use them for all my static websites, backup storage, git hosting, and domain registration. They provide SSl certs for $15, but I've never bought one and they don't provide a lot of details. They mention that you can use them with other hosts, but not much else.Anyone have experience with Dreamhost SSL?

评论 #1432056 未加载

Judsonalmost 15 years ago

We use a Comodo certificate, but it's been so long since we got it issued, I don't think they even offer it anymore?!?I would try these sites:- <a href="http://instantssl.com" rel="nofollow">http://instantssl.com</a> (comodo)- <a href="http://www.sslmatic.com" rel="nofollow">http://www.sslmatic.com</a> (retailer of various)That should be a start.

oomkilleralmost 15 years ago

You probably forgot to combine the intermediate certs with your domain cert. That said, I use startcom (<a href="http://www.startssl.com/" rel="nofollow">http://www.startssl.com/</a>). You can get free SSL certs there that work in 99% of browsers. If you pay the identity verification fee (I think about $50), you can get free WILDCARD certificates!

uptownalmost 15 years ago

Are SSL certificates internationally recognized? In other words, if I have users coming from both the US as well as a variety of other nations, will SSL certificates be recognized regardless of the user's origin, or is there such a thing as an international SSL certificate?

评论 #1434296 未加载

resdirectoralmost 15 years ago

(Disclaimer: I don't know what I'm talking about) You might want to try DigiCert: I researched a few different providers earlier this year, and DigiCert seemed to be cheap and trusted. No direct experience with them, tho.

mkramlichalmost 15 years ago

my next HTTPS cert will be from DynaDot since I liked how they run their DNS registrar service (with optional API, yeah!) and generally got a "smart" vibe from them. I've gotten certs from VeriSign and generally found it surprisingly expensive, complex and slow. Fundamentally, a file needs to be generated. Generating that file should be pretty fast on a modern computer, and a commodity service. Yes there's some extra stuff potentially involved. But at it's core it should be a pretty simple and fast and therefore cheap process. IMO.

fookyongalmost 15 years ago

<a href="https://www.geocerts.com" rel="nofollow">https://www.geocerts.com</a>Fast provisioning and a simple-to-use interface. I've bought many certs from them and am very satisfied.

yarekalmost 15 years ago

Note: Used RapidSSL, paid $10.95. Best lunch's worth of money ever spent. Beats GoDaddy, as no cert chains are not required.

stretchwithmealmost 15 years ago

maybe something's wrong with how you configured it. Maybe the host name doesn't match?

评论 #1432035 未加载

评论 #1432003 未加载

评论 #1431991 未加载

svnvalmost 15 years ago

We use thawte.

评论 #1432443 未加载

bhigginsalmost 15 years ago

I got a free 3 month certificate from Comodo and then I used a promotional offer from RapidSSL for Comodo customers to get a free 1 year cert (in addition to 3 months). Result: free 15 month certificate.