Slashdot Mirror


Cheap SSL Certificates for Small Websites?

zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self-signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about $400 initially, and $300 to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there? Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"


  1. although this sounds like an advertisment... by r00tarded · · Score: 5, Informative

    A bunch of excellent geeks I know use Entrust.

    1. Re:although this sounds like an advertisment... by dildatron · · Score: 5, Informative

      I just checked them out. Decent prices. Their prices are here for those who are interested.

      --
      If you had nuts on your chin, would they be chin nuts?
    2. Re:although this sounds like an advertisment... by quacking+duck · · Score: 5, Informative

      I used to work there, and there's a fairly good reason international prices are much higher.

      Entrust is a company headquartered in the US but with the bulk of the workforce in the US. When applying for an SSL certificate, there's a very stringent set of rules set out by both US and Canadian governments that they have to follow in order to verify that the person requesting the certificate in fact represents the organization he/she claims to, and that the request for a certificate was authorized.

      Verification requires three independent contacts within the requesting organization. These can be managers, sysadmins, billing, etc. All three need to be contacted.

      Calling these contacts up can get expensive when you handle a lot of international orders. International information like addresses can also be difficult to verify halfway around the world, too, adding more costs. This is partly why Canadian prices scale up with the US exchange rate, but international ones are so much higher.

      The OTHER reason it's a bit higher is that Entrust doesn't WANT to have to handle international verifications, preferring to pass that on to their affiliates located around the world. This way, customers place the order through the affiliated site (at a price that's supposed to be a fair bit lower than the international pricing Entrust itself offers), the affiliate handles the verification themselves. Since affiliates are located in the same geographic area as their customers, they're better qualified to judge whether the info is correct or not. Once the affiliate has verified the information Entrust issues the certificate.

      So if you're not based in the US or Canada, check the list of affiliates to see if there's an affiliate in your country that offers lower "international" pricing. Don't mean to sound like a sales agent, but that's why affiliates are there.

  2. Thawte by JM · · Score: 5, Informative

    They charge $199 for certificate, and have a pretty good service. I've been using them for years.

    1. Re:Thawte by the+eric+conspiracy · · Score: 5, Informative

      Thawte IS Verisign - bought out a couple of years ago.

    2. Re:Thawte by Software · · Score: 4, Informative
      I agree that Thawte is as good as Verisign. But they are a subsidiary of Verisign, so that's not too much of a surprise. They seem to operate pretty independently.

      What is surprising is that their prices are cheaper than the parent company's. I like their SPKI program, which allows you to get 5 certificates for $500.

    3. Re:Thawte by letxa2000 · · Score: 5, Informative
      No kidding. I was expecting no paperwork to be necessary on renewal. In my dreams. They asked for an entirely different set of annoying paperwork when I tried to renew, and had raised the price by about $40.

      That pissed me off and got me shopping. Within 3 days I had my certs issued by InstantSSL. $49/year, no fuss.

  3. GeoTrust.com rocks, and is cheap! by CrudPuppy · · Score: 5, Informative

    we use them for all of our commercial sites.

    --
    A year spent in artificial intelligence is enough to make one believe in God.
  4. Might want to check....... by tiwason · · Score: 5, Informative

    The stories /. has already had on the topic....

    Why Are SSL Certificates So Expensive? by Cliff with 192 comments on Sunday March 18, @04:48PM
    http://ask.slashdot.org/article.pl?sid=01/03/18/1855230&mode=thread&tid=93

    Are FreeSSL Certs Worthwhile? by Cliff with 8 comments on Friday September 07, @11:50AM
    http://ask.slashdot.org/article.pl?sid=01/09/06/0451218&mode=thread&tid=148

  5. Certificate Services on Windows 2000 by Anonymous Coward · · Score: 3, Informative

    You can use it to create certs, and you can even add your organization to the browsers trusted organizations so the users don't get an error message.

  6. QuickSSL by Anonymous Coward · · Score: 5, Informative

    Rackshack.net has a link to a $49 QuickSSL certificate. I haven't used them, but it sounds like a good deal.

    1. Re:QuickSSL by Anonymous Coward · · Score: 1, Informative

      RackShack (an EV1 Company) has their Certs done by Geotrust

    2. Re:QuickSSL by Gravital.net · · Score: 2, Informative
      I use the QuickSSL cert through rackshack for my cert. I know IE4 doesn't like it (it gives a warning), but IE5+ and Mozilla have no problem with it. You can't beat it for $49/year.

      --
      Gravital.net email - Web+SSL/IMAP+SSL/POP3 25MB Quota, Only $3/month
  7. DirectNIC.com does SSL certs for $99/yr by Anonymous Coward · · Score: 5, Informative

    Title says it all

    1. Re:DirectNIC.com does SSL certs for $99/yr by suicidal · · Score: 2, Informative

      Actually, it's $118 annually.

      $99 is the one-time gateway fee for setting up a merchant account.

      Still, not bad.

  8. No Real Options, Sorry by sabat · · Score: 3, Informative

    There aren't really many options, because the browser has to recognize the signer, and the major browsers only recognize Verisign (and Thawte, which is also Verisign).

    RSA is the company that started Verisign, so you can guarantee they'll not be of help.

    If this is a situation with a limited client base, like a company, you can self-sign and send everyone your CA certificate and have them all import it into their browsers (all browsers support this, I believe). But what a pain.

    I wish the news was better, but you're right -- it's a scam. The problem isn't technical; it's political.

    --
    I, for one, welcome our new Antichrist overlord.
    1. Re:No Real Options, Sorry by stefanlasiewski · · Score: 3, Informative

      Verisign bought Thawte about 2 years ago.

      As I understand it, Thawte mostly deals with customers outside of the US (which has been their domain for years). Verisign mostly deals with customers inside the US and Canada.

      I think they are mostly two distinct entities, with 2 different sets of managers (a few managers probably work both sides of the fence). The profits from both entities drop in the same bucket.

      Thawte's support used to be much, much better than Verisign's support. Let's hope they spread the Thawte philosophy among the Verisignites...

      --
      "Can of worms? The can is open... the worms are everywhere."
    2. Re:No Real Options, Sorry by 1984 · · Score: 3, Informative
      This is somewhat misleading. I bought a cert for a small personal Web server from Comodo, since it was cheap (about $60). It works fine with (i.e. is trusted by) all 4.7x Netscape and above, all IE 5 and above.

      The only point of buying one, after all, being that visitors aren't subjected to confusing warnings about certificates.

      Besides that one certificate I haven't dealt with Comodo so won't recommend at random -- but they supplied the certificate quickly, cheaply enough, and it works.

    3. Re:No Real Options, Sorry by Slycee · · Score: 2, Informative

      and the major browsers only recognize Verisign (and Thawte, which is also Verisign).

      That depends on what you mean by "major browser." Take a look at the list of authorities that Mozilla recognizes, for instance (in prefs > privacy and security > Certificates). It's quite a large list.

    4. Re:No Real Options, Sorry by lylonius · · Score: 5, Informative

      Actually, you are mistaken.

      Today's browsers (even the first SSL enabled browser, Netscape 2.0) recognized _dozens_ of certificate authorities. Besides Verisign and Thawte, there are RSA, Entrust, and others.

      You are also mistaken that RSA started Verisign; RSA Security was the company that licensed the RSA public-key algorithm. They actually compete directly with Verisign as a CA.

      To see for yourself:
      (Netscape|Mozilla): Edit->Preferences->Privacy->Certificates
      IE: Tools->Options->Content->Certificates

    5. Re:No Real Options, Sorry by God!+Awful · · Score: 3, Informative


      You are also mistaken that RSA started Verisign; RSA Security was the company that licensed the RSA public-key algorithm. They actually compete directly with Verisign as a CA.

      Check your facts before you post. RSA was in fact spun out of Verisign. Just because they compete now doesn't mean that they weren't ever affiliated.

      -a

    6. Re:No Real Options, Sorry by Kragg · · Score: 3, Informative

      Fool. That very article says that VeriSign was spun out of RSA.

      --
      If you can't see this, click here to enable sigs.
  9. Comodo - $49 by wooft · · Score: 2, Informative
    Comodo

    You can even get a free 30-day trial cert.

    1. Re:Comodo - $49 by wooft · · Score: 2, Informative
      I've tested the trial cert. in Netscape 4, Opera 5, MSIE 5, and mozilla. They've all worked just fine. It is currently installed on a live website, 28,000 hits, 4 days, no complaints. Now, they have changed their intermediate recently, things probably changed since your experience.

      No limitations on the free cert. No strings attached. It does expire after 30 days, though.

      There really is no reason a CA must charge hundreds of dollars for these things. Up until recently it has been monopoly pricing (Verisign *spit*)

  10. Cheapass trusted SSL certs by pablos · · Score: 5, Informative

    You can purchase a ridiculously cheap ($50) 128bit SSL cert, trusted by browsers from http://www.geotrust.com

    All you need is a valid credit card to get a cert. The CA key is loaded in almost all of the browsers, the notable exception being Opera.

    They do send an 'auth check' by emailing the domain admin contact you can select.

    The entire ordering process (including filling out forms) takes less than about 5 or ten minutes.

    This should SCARE you if you're relying on the security provided by Veri$ign and the roots that ship with browsers. - pablos.

    1. Re:Cheapass trusted SSL certs by letxa2000 · · Score: 3, Informative
      Most (normal) people don't even know that businesses with secure pages have supposedly been "verified." Thus it really doesn't matter who you purchase the certificate from as long as it doesn't pop-up a browser warning. No-one is going to do business with a site they don't trust. It's not like you go to a site, and say, "Wow, these guys look real shady. But heck, they have a Verisign cert, ok, no problem." That doesn't happen.

      Building trust is an issue between the website and their potential customer. If the customer trusts the site, they're going to buy regardless of who signed the cert. If they don't trust the site, they're not going to buy regardless of who signed the cert.

      Verisign and Thawte are, for obvious reasons, trying to promote the idea that their certificates cost more because users somehow trust their verification process more. That is BS. No-one cares because each individual person decides whether or not to trust the website in question.

      In reality, all people want out of SSL is encryption. The decision to trust the business in question is always going to be the customer's and that decision will not be influenced by who signed the cert.

  11. Free root cert project by kylegordon · · Score: 5, Informative

    You may find what you're after over at http://www.cacert.com The creator of this website believes that trusting someone should be free, and is doing his best to make this happen.

  12. Easy one by shurdeek · · Score: 5, Informative

    There is a nice page, http://www.whichssl.com. Through the comparison tables there I found comodo's http://www.instantssl.com. I generated a demo certificate first and after I had no problems with it, I bought it. For $49, 128-bit, not 40. Recommended.

  13. InstantSSL by aldjiblah · · Score: 3, Informative
    Just switched from Thawte (adding $100 each year for your certificate services is NOT a good way to hold on to your customers, Thawte!) to InstantSSL.

    At $49 a piece for standard certificates they're the cheapest my company could find when we went looking last month. So far I have no problems recommending them.

    --
    sig sig sputnik
    1. Re:InstantSSL by Snap+E+Tom · · Score: 2, Informative

      I'll vouch for InstantSSL/Comodo. I'm using it on a local non-profit site. $49/year gets you a 128 bit certificate. They've got a 30 day trial program, and their support staff was very helpful when we had a problem.

  14. Everything you need to be a certifying authority by Chuck+Chunder · · Score: 5, Informative

    comes with openssl. It even has a nice perl script to make it easy.
    What Verisign and co have that you don't is their root certificates installed with the browsers by default. For internal use you should have no problem using your own certificates. For external use, where an existing business relationship exists (ie you aren't selling to the public, but to people who can trust your cert because they know who you are) it should take little more than a quick explanation.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  15. It's not as much of a scam as you think. by antis0c · · Score: 5, Informative

    Sure we all hate VeriSign for all kinds of reasons.

    However when you get an SSL Certificate from VeriSign and some of the other Cert signers out there, you are getting two things.

    The most commonly understood thing you are getting is the encryption that's automatically accepted by just about any modern browser. However, the reason it's automatically accepted is because VeriSign is supposed to verify the identity of the business. This is why they require a Dun & Bradstreet # (it's a business credit identifier). This way you know when you're going to https://secure.yourdomain.com to enter your credit card information that you are indeed still on yourdomain.com and that your information is encrypted, and verified to be sent to the company you intend to send it to.

    So if all you are concerned about is encryption, just generate your own. It will however throw a warning in just about any browser that the identity of the site can't be verified. Other than that, cost of this service isn't going to drop very dramatically without losing its verification services.

    I understand though, that browser warning annoys me too.

    --

    ..There's a-dooin's a-transpirin'
    1. Re:It's not as much of a scam as you think. by antis0c · · Score: 4, Informative

      I agree. That's why I said "VeriSign is supposed to" and not "VeriSign does". Obviously they don't; remember the whole fiasco with them giving out a cert to someone posing as Microsoft? I'm just saying, that's the idea. I don't agree with it. :)

      --

      ..There's a-dooin's a-transpirin'
  16. Re:Self-sign by Anemophilous+Coward · · Score: 3, Informative

    There is a way to do this with ASP scripting. A good base to start with can be found at this Microsoft Knowledge base article.

    It is a starting point I used to make the root certificate stick. It will present the user with a large-ish alert box asking them if they want to install the certificate. It will only do this once as long as they click 'yes'. Subsequent visits to your site will be automatic from then on out.

    This of course is great for internal sites: you can educate your users to click on the box the first time, then they never have to worry again. And they know it's trusted since it came from you. One small caveat: this probably only works on IIS servers and only works in IE web browsers.

    - "A non-productive mind is with absolutely zero balance."
    - AC

  17. Create own CA, don't just self-sign by coyote-san · · Score: 5, Informative

    You're going at the problem wrong. Don't worry about getting your clients to accept a self-signed cert, worry about getting them to add your own root certificate to those they trust.

    This is actually straightforward - you point them to a URL that returns the root cert, with MIME type application/x-x509-ca-cert, and tell them to accept it for all uses when the browser pops up a dialog box.

    You should then use this root cert to sign your web server certs (and certs for mail servers, databases, whatever). All should be trusted immediately, assuming you have your other ducks in a row. (E.g., you need to have your web server cert's common name resolve to the IP address of the web server.)

    It's a bit more work to maintain a mini-CA than to just use self-signed certs, but overall the benefits outweigh the hassles. Many of us are working on JSP tools to operate mid-range CAs, but I don't know how far most are. (The problem is Microsoft's eternally changing standards on how clients generate the cert request on their side - I can handle Netscape/Mozilla with ease, but it seems like every version of MSIE is just slightly different.)

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Create own CA, don't just self-sign by paco+verde · · Score: 3, Informative

      The parent post is exactly how we do it in our organization (a non-profit with not a lot of money for certs, but lots of things we want to run over SSL). Once someone trusts your root cert you're good to go.

      I mostly figured out how to set it up from the Apache mod-ssl module FAQ at http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29. BTW, mod-ssl comes with a nice little signing script that is quite handy.

      Once I got the hang of it with Apache sites I used the technique in the FAQ almost verbatim to produce certs for our IMAP and SMTP servers.

      You might also check out http://www.openca.org/. I'm not using it, but if I was starting over I would be looking into it.

  18. Just exploit the IE SSL bug by giminy · · Score: 5, Informative

    Have your company buy a key, then create signed keys for your private domain with it as the issuing key. Nobody will know, as most people still use IE, and it still has that fun bug.

    --
    The Right Reverend K. Reid Wightman,
    1. Re:Just exploit the IE SSL bug by jareds · · Score: 3, Informative

      Who sells key pairs...

      Verisign.

      ...and how do you make the certificate show that it was verified with the intention of acting as a CA?

      You don't make the certificate show that, but IE doesn't check correctly. That's the point.

      I have a horrible feeling this is a +5 troll... anyone got a link to prove me wrong?

      Yes, this explains in more detail.

  19. That's interesting by petard · · Score: 5, Informative
    WhichSSL is nothing but an ad for Comodo:

    Registrant:
    Comodo Research Lab Ltd
    10 Hey Street
    Bradford, Yorkshire BD7 1DQ
    US

    Registrar: Dotster (http://www.dotster.com)
    Domain Name: WHICHSSL.COM
    Created on: 25-JUN-02
    Expires on: 25-JUN-04
    Last Updated on: 25-JUN-02

    Administrative Contact:
    Abdulhayoglu, Melih steve@comodo.net
    Comodo Research Lab Ltd
    10 Hey Street
    Bradford, Yorkshire BD7 1DQ
    US
    +44 1274 730505
    +44 1274 730909

    Technical Contact:
    Abdulhayoglu, Melih steve@comodo.net
    Comodo Research Lab Ltd
    10 Hey Street
    Bradford, Yorkshire BD7 1DQ
    US
    +44 1274 730505
    +44 1274 730909

    Domain servers in listed order:
    DNS01.EXODUS.NET
    DNS02.EXODUS.NET
    DNS03.EXODUS.NET
    --
    .sig: file not found
  20. Google is your friend. by Eric+Seppanen · · Score: 4, Informative
    --
    314-15-9265
  21. Is it any good if most browsers reject it? by HotNeedleOfInquiry · · Score: 5, Informative

    I couldn't find rackshack listed in any of the "approved" signing sources for Mozilla or Netscape.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:Is it any good if most browsers reject it? by enrico_suave · · Score: 3, Informative

      QuickSSL bought out and uses Equifax's (if I recall correctly) cert company/business, and uses that authority, which most browsers going back to at least 3.x or earlier (for IE and Netscape) recognize without popup/error/warnings.

      FWIW I've used this cert before for a site.. it was quick, easy , and cheap...

      e.

      --
      Build Your Own PVR/HTPC news, reviews, &
  22. If you're the IT Department by mystik · · Score: 5, Informative

    ... and can manage an installation of certificates on all clients, you can create your own certificate authority all by yourself.

    Here are some *SIMPLE* instructions for building a self-signed CA cert, and then signing SSL certs for servers. Any real implementation should probably be assessed for security (like CA generation on an isolated machine, etc ...)

    • openssl req -newkey rsa:2048 -keyout ca.key -out ca.req - Answer all questions it asks
    • openssl x509 -signkey ca.key -req -out ca.crt -in ca.req -days 1200 - Self-signs the CA certificate
    • openssl x509 -signkey ca.key -trustout -req -out ca-trust.crt -in ca.req -days 12000 - produces a "Trusted certificate"
    • use the first step to generate any other certificate requests. Some servers like IIS & Domino have their own request-generation tool.
    • openssl x509 -CA ca-trust.crt -CAkey ca.key -req -days 360 -in certificate-request.req -out cert.crt -CAserial ca.srl [-CAcreateserial] - to sign requests. The first time, you'll have to use CAcreateserial

    That's pretty much it. Mix into your IT operations as necessary.

    --
    Why aren't you encrypting your e-mail?
  23. Browser support by Anonymous Coward · · Score: 1, Informative
    From the FAQ:
    What Web browser programs are compatible with QuickSSL?

    QuickSSL is compatible with Microsoft Internet Explorer(TM) 5.01 and higher and Netscape/AOL Web browsers version 4.51 and higher, comprising an estimated 90% or more of all Web browsers in use today. All other commonly used browsers may connect securely with Web servers using QuickSSL certificates. However, some older browsers may display a dialogue box indicating that the certificate is not trusted. This means that the certificate is not located in the browser certificate store and, in most cases, the user will be prompted to install it with a few clicks of their mouse.


    That 90% is a pretty low estimate, too. Most people would estimate IE5/6 usage alone above 90%.
  24. Re:Self-sign by blkwolf · · Score: 2, Informative

    Kurt Seifried has some good information on installing certs in I.E. What's really cool is it lets you easily install certs for other apps like imaps/Outlook etc.

    http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci833806,00.html

  25. A list of CAs by Bri3D · · Score: 1, Informative

    OK, here are the CAs trusted by Mozilla: ABA.ECOM, AddTrust AB, American Express (no, not a typo), Baltimore CyberTrust, BankEngine, BelSign, CertEngine, Deutsche Telekom, Digital Signature Trust Company, E-Certify, Entrust.net, Equifax, FortEngine, GTE, GlobalSign, MailEngine, Verisign/RSA (yes, this is what it's called!), TC TrustCenter, Thawte, TraderEngine, United States Postal Service, VISA, ValiCert, VeriSign, Xcert, beTRUSTed. So, here are your choices! Choose wisely :-)

  26. Check out www.WhichSSL.com by Nonesuch · · Score: 4, Informative
    Just this week I have started looking around before we purchase a certificate for a semi-private Internet server. I've found the 'WhichSSL.com' site to be very helpful, especially http://www.whichssl.com/faq/compatibility.html.

    Our users are easily alarmed, so we need to use a certificate from CA that is fully trusted by all of the common browsers. This pretty much limits you to Verisign/Thawte. If you expect that most users will have mostly upgraded to more modern browsers, then your available choices increase dramatically.

    I am currently considering InstantSSL... so far it's taken two days, and no signed certificate, but the price (free trial, $49/year) is right.

  27. SSL certs: an introduction by CBC4 · · Score: 2, Informative
    The term CA refers to a Certificate Authority. A trusted CA functionally means that either it was included in your browser, mail tool, or Java interpreter, or you added it and clicked "trust this cert", or your IT department included it in your desktop load. The main cost in being a public CA is in very expensive lawyers to write a CPS which says how you're liable for certification practices.

    For internal use only, there is no reason you can't be your own CA, as long as you prepare a standard client load for all of your internal users. SSL is no less secure, all the cert is used for is negotiating a session key anyway.

    If you're going to enroll for more than 30 or so SSL certificates a year, you have a couple of alternatives to keep costs down. You can run a RA, which means you register the certs and a trusted CA signs them (VeriSign operates under this model), or you can get a subordinate CA that is signed by a trusted CA (RSA bought Xcert so they could offer this service).

    The first company to offer a tool to let you manage your own CA was Netscape, which became iPlanet, and was bought by Sun. Their documentation is great, read this explanation of the benefits of a Self-Signed Root Versus Subordinate CA.

    RSA writes very good docs too, but they're new to the CA business, and I believe the way their KCA product is positioned and pricing model will change. They are mostly interested in customers who use a lot of certs, for now.

  28. Re:Self-sign by Hobophile · · Score: 1, Informative
    Would be nice if it was more like ssh, where you don't need corporations manipulating ignorant web surfers with big warnings.

    Actually, SSL with self-signed certificates is very much like SSH. Ever noticed that the first time you connect to a given hostname, ssh makes a big fuss about how it's never dealt with that host/IP combo before and asks you explicitly if you want to trust it?

    The same thing happens with SSL if your certificates aren't signed by a CA. The dialog box that appears states that no one is vouching for the identity of this host and asks you if you want to trust it anyhow. Actually I believe Mozilla now has an option where you can ignore future warnings from the site, meaning it functions much like ssh: warns you the first time if it's someone it hasn't dealt with before, and then encrypts the channel and moves on.

    The reason this isn't considered ideal is that encrypted communications is only half the goal; remember SSL is about securing e-commerce, not encrypting shell sessions. So there's another objective: certifying the identity of the server you're connected to. It's all very well if your connection to the online pet food store is encrypted, but if someone has poisoned your DNS entries then what you believe is the pet food store might just be a hacker lying in wait to record credit card numbers for orders his unsuspecting victims place.

    Encryption doesn't help you if you can't trust the guy on the other end of the line. Note that this is true even in the case of ssh; if someone has root access on your destination machine it is trivial to capture your password and any other information you send.

    Certificates are there to solve this trust problem. How is our erstwhile pet food shopper supposed to know whether his destination is the 'real' petsfoodonline.com he has seen advertised everywhere? Well, simple: a certification authority who performs some form of identity verification has issued a certificate saying that petsfoodonline.com is in fact responsible for the server you're connected to.

    Does this prevent all scams? Of course not. You still don't know if petsfoodonline is really trustworthy, nor can you be 100% sure that someone hasn't simply stolen the certificate from that server and set it up on one they control. Certification authorities are part of the security process, not the entire thing. End users and server admins still have significant responsibility.

    Without CAs it would be more challenging to determine who to trust online. Some sort of distributed web-of-trust application could probably ease that burden substantially, but then companies would need to win the trust of thousands of independent webs rather than simply paying a flat fee. Thus the CAs, for online vendors, are simply one of the costs of doing business.

    That said, I am sure CAs charge more than what it costs them to provide their service, as I don't think their identity checking is all too thorough. What might be preferable is if different classes of certificates existed: higher security for online shopping/banking; lower security and lower cost for general opt-in type services such as webmail. The browser padlock icon could change colors to reflect this or perhaps have a number superimposed on it, or something. Companies could pay more for a higher level of certification, and vendors could charge significantly more for their highest levels. Such a hypothetical ultra-secure rating could even involve a security audit of the target servers and a risk analysis of likelihood of intrusion, rather than merely being a "pay us this and we'll tell everyone you're awesome" option. But I don't see this happening any time soon.

    Personally, I use self-signed certificates, and instruct my users to simply add my CA to their Trusted CAs (which is fairly easy to do and no one has had trouble with it.) The main problem with this is that it doesn't scale to multiple users, whereas the main problem with CAs is that they don't scale (cost-effectively) to multiple servers.
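The ssh comparison in comment 28 can be made literal. The script below is an added example, not code from the thread or from any of the vendors named in it: a known_hosts-style pin store that records a self-signed certificate's SHA-256 fingerprint on first contact and refuses the connection if a later certificate for the same host name differs. This is the "accept the self-signed cert, but don't import a root" option comment 33 asks for. The host names, the store file name and the throwaway certificates are invented for the demonstration; the only tool assumed is the openssl command line.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): trust-on-first-use pinning
# for a self-signed certificate, modelled on ssh's known_hosts. Host names,
# file names and the certificates themselves are made up for the demo.
set -u
STORE=${TOFU_STORE:-./known_certs}   # one line per host: "<host> <sha256 fingerprint>"

# fingerprint CERT.pem: SHA-256 fingerprint of the certificate, colon-separated hex
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# tofu_check HOST CERT.pem
#   first contact   -> record the fingerprint, return 0 (ssh's "yes, add it")
#   matches the pin -> return 0
#   differs         -> return 1; never silently re-pin, this is the impostor case
tofu_check() {
    host=$1; seen=$(fingerprint "$2")
    touch "$STORE"
    pinned=$(awk -v h="$host" '$1 == h { print $2; exit }' "$STORE")
    if [ -z "$pinned" ]; then
        printf '%s %s\n' "$host" "$seen" >> "$STORE"
        echo "$host: first contact, pinned $seen"
        return 0
    elif [ "$pinned" = "$seen" ]; then
        echo "$host: fingerprint matches pin"
        return 0
    else
        echo "$host: FINGERPRINT CHANGED (pinned $pinned, presented $seen)" >&2
        return 1
    fi
}

# selfsign NAME HOST: a throwaway self-signed cert standing in for a server's own
selfsign() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$2" > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Demo: the real server cert, then a second cert claiming the same host name
WORK=$(mktemp -d); cd "$WORK" || exit 1
selfsign real     booking.example.com
selfsign impostor booking.example.com
tofu_check booking.example.com real.pem                           # first contact
tofu_check booking.example.com real.pem                           # matches
tofu_check booking.example.com impostor.pem || echo "refusing to connect"
```

A real client would feed tofu_check the certificate it just received (for example the PEM block printed by openssl s_client) rather than a file on disk; the store semantics are the point. Note what this does and does not give you: it catches a substituted certificate after the first contact, exactly as ssh does, and nothing more. It says nothing about who is behind the host on first contact, which is the part a CA's verification step is meant to cover.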

  29. Link by Anonymous Coward · · Score: 1, Informative
    Thawte IS Verisign - bought out a couple of years ago.

    When you make a bold claim like that, you should provide a link. I didn't believe you until I looked it up myself.

  30. InstantSSL.com by fwc · · Score: 5, Informative
    $49/Year.

    Almost instant (like 10 minute) issuance.

    Trusted by 99% or so of in-use browsers (IE>=5.0, Netscape>=4.x, AOL>=5, Opera>=5).

    Works great. Highly recommended.

  31. use your own CA for your backend servers by iebgener · · Score: 4, Informative

    You might need a certificate signed by a well-known CA for your connections from the internet, but for all your backend servers you can create your own CA. This will enable you to use full-strength 1024/128-bit SSL for nothing. There is a project called tinyca which enables you to create and sign certificates with your in-house CA. So you create a CA for your company and add the CA to all your backend servers. Once this is done, any certificate signed by your CA will be valid and fully secured.

    I have tested it for Apache and Weblogic and Websphere and they work very well.

  32. Just got a cert for $39 by lewp · · Score: 2, Informative

    Rackshack was selling Geotrust certs for $29. Had this story been posted a day or two earlier you could have gotten in on it :). They seem to be selling them now for $49, which is still *much* better than you'll find from say Thawte/Verisign. They've worked in every browser I tried, though I believe I just saw someone say they don't work in Opera. Oh well, small price to pay to save $120+ on a cert.

    --
    Game... blouses.
  33. this is a bad idea, security-wise by Trepidity · · Score: 5, Informative

    I would be very hesitant to add you, someone I do not know or have a particular reason to trust, as a CA. I wouldn't mind accepting your self-signed certificate to do an SSL transaction with your site, but adding you as a CA is a much bigger security risk. If I do that, you can then sign certificates for any site, including sensitive sites like my bank's. Then you, as a potentially malicious CA, can trick me into accepting false certificates identifying my bank's site.

    Thus if you don't want to use a certificate signed by the major CAs, then please just self-sign. I have no problem accepting self-signed certificates, but adding random sites you don't know as CAs is a huge security risk that no one should do (so it'd be nice if you didn't require people to do it in order to visit your site).
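Comments 17 and 22 describe running a private CA with openssl, comment 18 describes the IE bug that accepted a certificate signed by an ordinary leaf certificate, and comment 33 objects that anyone who imports your root has let you sign for any site. The script below is an added example written for this page; it is not code from the thread, from openssl's own examples or from any vendor named above. It builds the CA as comment 22 does, writes the DER root a web server would hand out as application/x-x509-ca-cert (comment 17), and then runs openssl verify against three certificates: a legitimate internal host, a certificate for a host outside the CA's permitted names, and a certificate signed by the internal host's leaf rather than by the CA. The nameConstraints extension on the root is the added safeguard for comment 33's objection, and is only effective where the verifier enforces it; openssl verify does, which is what the script checks. All organisation names, host names and file names are invented, and the only tool assumed is the openssl command line.

```shell
#!/bin/sh
# Added example, not code from the thread: an in-house CA built with the
# openssl command line (comment 22), the DER root to serve as
# application/x-x509-ca-cert (comment 17), and the checks a verifier makes on
# what that CA signs: a cert for a host outside the CA's permitted names (the
# risk raised in comment 33) and a cert signed by a leaf instead of a CA (the
# chain IE failed to reject, comment 18). All names and file names are invented.
set -u
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Root CA. nameConstraints limits what this root may vouch for: a relying party
# that imports ca.crt still rejects anything it signs outside example.com,
# provided the verifier honours the extension (openssl verify does).
make_ca() {
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Internal Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null
    # DER copy: the file a web server serves with MIME type application/x-x509-ca-cert
    openssl x509 -in ca.crt -outform DER -out ca.der
}

# issue_cert NAME HOST SIGNER: key and CSR for HOST, signed with SIGNER.crt/SIGNER.key
issue_cert() {
    name=$1; host=$2; signer=$3
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$host" > "$name.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$name.cnf" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    # End-entity extensions: explicitly not a CA, and bound to one host name
    {
        echo 'basicConstraints = critical, CA:FALSE'
        echo 'keyUsage = critical, digitalSignature, keyEncipherment'
        echo 'extendedKeyUsage = serverAuth'
        echo "subjectAltName = DNS:$host"
    } > "$name.ext"
    openssl x509 -req -days 365 -in "$name.csr" -CA "$signer.crt" -CAkey "$signer.key" \
        -CAcreateserial -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# verify_cert CERT [INTERMEDIATE]: exit 0 only if CERT chains to ca.crt
verify_cert() {
    if [ $# -gt 1 ]; then
        openssl verify -CAfile ca.crt -untrusted "$2" "$1"
    else
        openssl verify -CAfile ca.crt "$1"
    fi
}

# report LABEL CERT [INTERMEDIATE]: run verify_cert and print the verdict
report() {
    label=$1; shift
    echo "--- $label"
    if verify_cert "$@"; then echo "    accepted"; else echo "    rejected"; fi
}

make_ca
issue_cert intranet intranet.example.com ca        # a legitimate internal host
issue_cert outside  www.bank.example     ca        # what comment 33 is worried about
issue_cert rogue    login.example.com    intranet  # signed by a leaf, not by the CA

report "intranet.example.com signed by the CA"          intranet.crt
report "www.bank.example signed by the same CA"         outside.crt    # permitted subtree violation
report "login.example.com signed by the intranet leaf"  rogue.crt intranet.crt
```

Two things in the script are the practitioner's answer to the thread. The outside.crt case shows that a root carrying nameConstraints cannot be used against the importer's bank, so the trade comment 33 describes becomes "trust you for *.example.com" rather than "trust you for everything". The rogue.crt case is the check IE was missing: the intranet leaf carries basicConstraints CA:FALSE and no keyCertSign usage, so a correct verifier refuses to treat it as an issuer no matter who signed it. To distribute ca.der the way comment 17 describes, an Apache server only needs AddType application/x-x509-ca-cert .der for the directory it is served from.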

  34. Re:entrust by Conare · · Score: 3, Informative

    it doesn't look like they're offering an RA or subordinate CA, unfortunately.

    You didn't look hard enough. The RA comes bundled with the CA (Oops I mean Security Manager). The CA can be configured to be a subordinate with little trouble during installation.

    --
    Stop Continental Drift! Reunite Gondwanaland!