I got a certificate from GoDaddy, and it only seems to work without throwing user warnings on only a handful of browsers (FF on windows, but not on Linux, not chrome, etc). Shelling
out several hundred bucks for a Verisign certificate seems awfully steep for a shoe string operation. Are there better alternatives?
This is a known issue with GoDaddy certificates, and can be corrected by specifying an intermediate cert. I ran into the same issue at one point in the past and had to Google a bit to fix it.
GoDaddy itself is not a trusted CA on all platforms. It is backed by a trusted CA. To make this work, you have to add a "certificate chain" in your web server and provide the additional certificate linking GoDaddy to that trusted CA.
Read more about the configuration here. Note that you'll have to download one additional certificate, not just the main signed certificate.
http://help.godaddy.com/article/5346
I use godaddy cert's at work and have ran into the same issue. A tip for anyone using nginx. Cat the intermediate cert into your ssl certificate file. It fixes the warnings.
Cheap, no certificate chain, and everything seems to have the roots installed.
It doesn't really matter where you get them from, the whole thing is a bit of a scam anyway. Since your security is as weak as the worst issuer, there's no point in buying a "premium" certificate.
Yeah, I would disagree with this as well - they're supposed to provide more reassurance, but all the studies of user awareness of this - and security UI in general - generally conclude that almost nobody has a clue what these mean or even noticed their existence:
I respectfully disagree. I recently bought an EV certificate from VeriSign and, apart from some paperwork, the only "extended" validation was a two minute phone call from a VeriSign rep. Well worth the EUR 575,- :/
What I mean is the "green bar" or "green text" in the Web browser. I'm no SSL expert (though not a novice either) but I do like seeing that appear when logging into online banking or PayPal. If it didn't come up that way, I'd be immediately suspicious.
I assume they verified that you are in fact a citizen of a first-world country, possibly with an actual company that pays its taxes. That's basically all the trust an average site needs. It's not so much that your website can now be trusted to never do anything nasty, but if it ever does there is someone to hold accountable.
There will of been at minimum checking for address and phone listings for the company (yell or scoot for UK EV's) in addition to the human telephone validation for signer and approver.
Different applications for EV certs will be required to provide certain additional information and all validations must pass CAB guidelines.
We personally use Comodo for our 'cheap' certificates as we get massive buy discounts and GlobalSign for EV as they've have a 2048 bit default root since the start.
EV only really got in the news after Comodo resellers were caught issuing 'validated' certificates with no actual validation whatsoever. (Conveniently, there was a fresh release of IE that displayed EV certs in green.) Any validation process is as weak as the worst issuer, 'extended' or otherwise, and promising to do better validation for more profit doesn't really serve to deter the actual violation that got us here to begin with.
You are assuming that the users will notice the lack of green text for the EV certificate in their browser. It is not an error to use a non-EV certificate, even if the site 'should' have one.
The server count option tells us how many physical servers you intend to install RapidSSL Wildcard on. A licence will be activated for each physical server installation and you must pay the full product price for each additional server installation. Most customers choose to install RapidSSL Wildcard on 1 physical server only. RapidSSL Wildcard includes 1 server licence free of charge and can be installed an unlimited number of times on each licenced physical server.
I use NameCheap's RapidSSL product for $10/yr. The only thing I don't like about it is that when you register, the 'Organization' value you enter gets overwritten with the common name/domain name. This means that when someone reads the certificate details in their browser, they can't find any reference to your actual company name.
Also, you might want to provide a bit more about the cert you currently have if you want to know why it's not working on other browsers. Finally, you might want to consider asking/browsing on serverfault.com. There are good discussions on the topic of SSL on that site.
One nice thing they do is give you a www alt name for your domain. (e.g. alt name == www.apple.com for domain apple.com). Thawte charges a minimum of $169 for this.
This means that your certificate will be able to be used by www.domain.com and domain.com.
Some certs aren't able to be used for both (https://amazon.com), and the alternative is to buy two certs.
I bought RateMyStudentRental's SSL cert from Godaddy and it was a PITA to setup compared to if you get a trusted root certificate (that does not need to be chained).
After reading this thread [1] I bought LeadNuke's SSL cert from NameCheap (a rebranded RapidSSL certificate). Sure enough it was incredibly easy to setup, and is trusted on all the main browsers.
Even better, they don't charge for "products" such as wildcard certificates, but for the service of validation that is required to get them. This means you pay once for the validation (much less than a single wildcard certificate costs elsewhere) and then you can create certificates for all your domains at no additional cost.
Obviously, they are a small CA, which means they are not recognised on some exotic platforms, but I haven't ran into any of those cases myself. Also, they require an intermediate certificate, but that was a no-brainer to setup. I have one up on my personal website, if you want to try if it works for you: https://micheljansen.org
StartCom is great, but 2 caveats: I found that StartCom's root authority is not recognized by some IE6 installs, and is still not recognized by Java (so applets, web start, java clients talking to your server may have problems ...).
The first time a user goes to StartCom on Windows XP on IE6, it will pop up with a "cert error". This is because the user hasn't recently updated their root certs through a super-optional Windows Update install. However, any subsequent loads will work as Windows will check and update their root certificates in the background.
my only problem with them is the somewhat complicated mechanism for authentication with client certs. I could not get it to work with firefox or chrome, just safari.
I was thinking about this just today. I want a cert to use with Heroku. I love Dreamhost and I use them for all my static websites, backup storage, git hosting, and domain registration. They provide SSl certs for $15, but I've never bought one and they don't provide a lot of details. They mention that you can use them with other hosts, but not much else.
I've used them and they work fine. They say they don't provide IIS support (indeed, the format of their certs doesn't work for IIS, but you can use an online convertor to get them into the right format).
I believe they just resell comodo from when I used it last, but you could probably check
You probably forgot to combine the intermediate certs with your domain cert. That said, I use startcom (http://www.startssl.com/). You can get free SSL certs there that work in 99% of browsers. If you pay the identity verification fee (I think about $50), you can get free WILDCARD certificates!
Are SSL certificates internationally recognized? In other words, if I have users coming from both the US as well as a variety of other nations, will SSL certificates be recognized regardless of the user's origin, or is there such a thing as an international SSL certificate?
(Disclaimer: I don't know what I'm talking about) You might want to try DigiCert: I researched a few different providers earlier this year, and DigiCert seemed to be cheap and trusted. No direct experience with them, tho.
I've tried using thawte - I placed 3 sales calls and an email. No one ever answered the phone (an 800 number!) and it took three weeks for someone to call me back after the email. No thanks
I've been a customer of theirs for most of the last ten years. They used to be quite good. However, my recent experiences with them have convinced me that I will need to find a new provider when my certificates expire. With Thawte, you'll pay a premium price and receive poor customer service.
Seconded - their support and checkout process all suck hard. What's great about SSL's... they are all scams.. but you get to decide the level for which they screw you.
Yup. Their interface doesn't even support the ability to add licenses to an existing certificate since their software update. Thanks but no thanks, I can save my company a bomb by going elsewhere
I got a free 3 month certificate from Comodo and then I used a promotional offer from RapidSSL for Comodo customers to get a free 1 year cert (in addition to 3 months). Result: free 15 month certificate.
my next HTTPS cert will be from DynaDot since I liked how they run their DNS registrar service (with optional API, yeah!) and generally got a "smart" vibe from them. I've gotten certs from VeriSign and generally found it surprisingly expensive, complex and slow. Fundamentally, a file needs to be generated. Generating that file should be pretty fast on a modern computer, and a commodity service. Yes there's some extra stuff potentially involved. But at it's core it should be a pretty simple and fast and therefore cheap process. IMO.
GoDaddy itself is not a trusted CA on all platforms. It is backed by a trusted CA. To make this work, you have to add a "certificate chain" in your web server and provide the additional certificate linking GoDaddy to that trusted CA.
Read more about the configuration here. Note that you'll have to download one additional certificate, not just the main signed certificate. http://help.godaddy.com/article/5346
Here is what my ssl.conf looks like in Apache:
That gd_bundle.crt is what you're probably missing. Hope this helps.