Cheap SSL Certificates for Small Websites?

zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend, is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about 400$ initially, and 300$ to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there? Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"

although this sounds like an advertisment...

[r00tarded]

a bunch of excellent geeks I know use entrust.

Re:although this sounds like an advertisment...

[dildatron]

I just checked them out. Decent prices. Their prices are here for those who are interested.

Re:although this sounds like an advertisment...

[quacking+duck]

I used to work there, and there's a fairly good reason international prices are much higher.

Entrust is a company headquartered in the US but with the bulk of the workforce in the US. When applying for an SSL certificate, there's a very stringent set of rules set out by both US and Canadian governments that they have to follow in order to verify that the person requesting the certificate in fact represents the organization he/she claims to, and that the request for a certificate was authorized.

Verification requires three independent contacts within the requesting organization. These can be managers, sysadmins, billing, etc. All three need to be contacted.

Calling these contacts up can get expensive when you handle a lot of international orders. International information like addresses can also be difficult to verify halfway around the world, too, adding more costs. This is partly why Canadian prices scale up with the US exchange rate, but international ones are so much higher.

The OTHER reason it's a bit higher is that Entrust doesn't WANT to have to handle international verifications, preferring to pass that on to their affiliates located around the world. This way, customers place the order through the affiliated site (at a price that's supposed to be a fair bit lower than the international pricing Entrust itself offers), the affiliate handles the verification themselves. Since affiliates are located in the same geographic area as their customers, they're better qualified to judge whether the info is correct or not. Once the affiliate has verified the information Entrust issues the certificate.

So if you're not based in the US or Canada, check the list of affiliates to see if there's an affiliate in your country that offers lower "international" pricing. Don't mean to sound like a sales agent, but that's why affiliates are there.

Thawte

[JM]

They charge $199 for certificate, and have a pretty good service. I've been using them for years.

Re:Thawte

[the+eric+conspiracy]

Thawte IS Verisign - bought out a couple of years ago.

Re:Thawte

[letxa2000]

No kidding. I was expecting no paperwork to be necessary on renewal. In my dreams. They asked for an entirely different sent of annoying paperwork when I tried to renew, and had raised the price by about $40.

That pissed me off and got me shopping. Within 3 days I had my certs issued by InstantSSL. $49/year, no fuss.

GeoTrust.com rocks, and is cheap!

[CrudPuppy]

we use them for all of our commercial sites.

Might want to check.......

[tiwason]

The stories /. has already had on the topic....

Why Are SSL Certificates So Expensive? by Cliff with 192 comments on Sunday March 18, @04:48PM
http://ask.slashdot.org/article.pl?sid=0 1/03/18/18 55230&mode=thread&tid=93

Are FreeSSL Certs Worthwhile? by Cliff with 8 comments on Friday September 07, @11:50AM
http://ask.slashdot.org/article.pl?sid=0 1/09/06/04 51218&mode=thread&tid=148

QuickSSL

Rackshack.net has a link to a $49 QuickSSL certificate. I haven't used them, but it sounds like a good deal.

DirectNIC.com does SSL certs for $99/yr

Title says it all

Cheapass trusted SSL certs

[pablos]

You can purchase a ridiculously cheap ($50) 128bit SSL cert, trusted by browsers from http://www.geotrust.com

All you need a valid credit card to get a
cert. The CA key is loaded in almost all of the browsers, the notable exception being Opera.

They do send a 'auth check' by emailing the domain admin contact you can select.

The entire ordering process (including filling out forms) takes less than about 5 or ten minutes.

This should SCARE you if you're relying on the security provided by Veri$ign and the root that ship with browsers. - pablos.

Free root cert project

[kylegordon]

You may find what you're after over at http://www.cacert.com The creator of this website believes that trusting someone should be free, and is doing his best to make this happen.

Easy one

[shurdeek]

There is a nice page, http://www.whichssl.com. Through the comparison tables there I found comodo's http://www.instantssl.com. I generated a demo certificate first and after I had no problems with it, I bought it. For $49 a 128 bit, not 40. Recommended.

Everything you need to be a certifying authority

[Chuck+Chunder]

comes with openssl. It even has a nice perl script to make it easy.
What Verisign and co have that you don't is their root certificates installed with the browsers by default. For internal use you should have no problem using your own certificates. For external use, where an existing business relationship exists (ie you aren't selling to the public, but to people who can trust your cert because they know who you are) it should take little more than a quick explanation.

It's not as much of a scam as you think.

[antis0c]

Sure we all hate VeriSign for all kinds of reasons.

However when you get an SSL Certificate from VeriSign and some of the other Cert signers out there, you are getting two things.

The most commonly understood thing you are getting is the encryption thats automatically accepted by just about any modern browser. However, the reason it's automatically accepted is because VeriSign is suppose to verify the identity of the business. This is why they require a Duns and Bradstreet # (It's a business credit identifier). This way you know when you're going to https://secure.yourdomain.com to enter your credit card information, that you are indeed still on yourdomain.com and that your information is encrypted, and verified to be sent to the company you intend to send it to.

So if all you are concerned about is encryption, just generate your own. It will however throw a warning in just about any browser that the identity of the site can't be verified. Other than that, cost of this service isn't going to drop very dramatically without losing its verification services.

I understand though, that browser warning annoys me too.

Create own CA, don't just self-sign

[coyote-san]

You're going at the problem wrong. Don't worry about getting your clients to accept a self-signed cert, worry about getting them to add your own root certificate to those they trust.

This is actually straightforward - you point them to a URL that returns the root cert, with MIME type application/x-x509-ca-cert, and tell them to accept it for all uses when the broswer pops up a dialog box.

You should then use this root cert to sign your web server certs (and certs for mail servers, databases, whatever). All should be trusted immediately, assuming you have your other ducks in a row. (E.g., you need to have your web server cert's common name resolve to the IP address of the web server.)

It's a bit more work to maintain a mini-CA than to just use self-signed certs, but overall the benefits outweigh the hassles. Many of us are working on JSP tools to operate mid-range CAs, but I don't know how far most are. (The problem is Microsoft's eternally changing standards on how clients generate the cert request on their side - I can handle Netscape/Mozilla with ease, but it seems like every version of MSIE is just slightly different.)

Just exploit the IE SSL bug

[giminy]

Have your company buy a key, then create signed keys for your domain private domain with it as the issuing key. Nobody will know, as most people still use IE, and it still has that fun bug.

That's interesting

[petard]

WhichSSL is nothing but an ad for Comodo:

Registrant:
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US

Registrar: Dotster (http://www.dotster.com)
Domain Name: WHICHSSL.COM
Created on: 25-JUN-02
Expires on: 25-JUN-04
Last Updated on: 25-JUN-02

Administrative Contact:
Abdulhayoglu, Melih steve@comodo.net
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US
+44 1274 730505
+44 1274 730909

Technical Contact:
Abdulhayoglu, Melih steve@comodo.net
Comodo Research Lab Ltd
10 Hey Street
Bradford, Yorkshire BD7 1DQ
US
+44 1274 730505
+44 1274 730909

Domain servers in listed order:
DNS01.EXODUS.NET
DNS02.EXODUS.NET
DNS03.EXODUS.NET

Is it any good if most browsers reject it?

[HotNeedleOfInquiry]

I couldn't find rackshack listed in any of the "approved" signing sources for mozzila or netscape.

If your the IT Department

[mystik]

... and can manage an installation of certificates on all clients, you can create your own certificate authority all by your self.

Here are some *SIMPLE* instructions for building a self-signed CA cert, and then signing SSL certs for servers. Any real implentation should probably be assessed for security (like ca-generation on an isolated machine, etc ...)

• openssl req -newkey rsa:2048 -keyout ca.key -out ca.req - Answer all questions it asks
• openssl x509 -signkey ca.key -req -out ca.crt -in ca.req -days 1200 - Self- signs the CA certificate
• openssl x509 -signkey ca.key -trustout -req -out ca-trust.crt -in ca.req -days 12000 - produces a "Trusted certificate"
• use the first step to generate any other certificate requests. Some servers like IIS & Domino have their own request-generation tool.
• openssl x509 -CA ca-trust.crt -CAkey ca.key -req -days 360 -in certificate-request.req -out cert.crt -CAserial ca.srl [-CAcreateserial] - to sign requests. The first time, you'll have to use CAcreateserial

That's pretty much it. mix into your IT operations as nessecary

Re:No Real Options, Sorry

[lylonius]

Actually, you are mistaken.

Today's browsers (even the first SSL enabled browser, Netscape 2.0) recognized _dozens_ of certificate authorities. Besides Verisign and Thawte, there are RSA, Entrust, and others.

You are also mistaken that RSA started Verisign; RSA Security was the company that licensed the RSA public-key algorithm. They actually compete directly with Verisign as a CA.

To see for yourself:
(Netscape|Mozilla): Edit->Preferences->Privacy->Certificates
IE: Tools->Options->Content->Certificates

InstantSSL.com

[fwc]

$49/Year.

Almost instant (like 10 minute) issuance.

Trusted by 99% or so of in-use browsers (IE>=5.0, Netscape>=4.x, AOL>=5, Opera>=5).

Works great. Highly recommended.

this is a bad idea, security-wise

[Trepidity]

I would be very hesitant to add you, someone I do not know or have a particular reason to trust, as a CA. I wouldn't mind accepting your self-signed certificate to do an SSL transaction with your site, but adding you as a CA is a much bigger security risk. If I do that, you can then sign certificates for any site, including sensitive sites like my bank's. Then you, as a potentially malicious CA, can trick me into accepting false certificates identifying my bank's site.

Thus if you don't want to use a certificate signed by the major CAs, then please just self-sign. I have no problem accepting self-signed certificates, but adding random sites you don't know as CAs is a huge security risk that no one should do (so it'd be nice if you didn't require people to do it in order to visit your site).