Choosing an SSL CA?
zentigger asks: "I am looking at renewing some SSL certificates and checking out the various vendors. It seems that just about every major CA has some reason for not using them. Verisign is just evil, Thawte is owned by Verisign, Geocerts has a bad habit of spamming, and Godaddy uses a stupid chained cert that doesn't work for some appliances we have (and they won't let me check out using Firefox). I realize that I could just use a self-signed certificate, but we have too many stupid users that get all confused and whiny when something pops up and asks them unexpected questions. So I put it to you, Slashdot: what CAs do you recommend and why?"
I think the most interesting post that time was that the US military and Microsoft both use self-signed ones -- which makes a pretty strong case that (if you're a B2B company) your company should sign it and your customers should add your company to the trusted authorities. If you're a B2C one, choose the cheapest one that Firefox and IE trust by default.
We use a self-signed CA, but being a corporate MS shop we force our CA's certs out as trusted through AD, so there's no difference between certs signed by our CA and certs signed by someone else. For me, it's brilliant. I can certify whatever I need to without having to cough up each time. It's only useful for internal users though. Obviously no good for public sites.
Cheapest I've seen on the Net is ev1servers.net at $14.95 (about 8.50 pounds for UK folks). It works with almost all browsers, except for users running IE 5.0 or older that haven't upgraded the latest root certificate via Windows Update. What I did is write a script that scanned the access logs for IE 5.0 or older and displayed the percentage of such browsers - when it dipped below 0.1% (which it has already for about half the sites we manage), we switched from Verisign to the ev1servers.net secure cert and saved, wait for it, over 250 pounds per certificate!
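The log check described in the comment above could look like the following. This is an added example, not the commenter's script. It assumes Apache combined log format, counts requests rather than unique visitors, and uses constructed sample lines.

```python
import re

# Combined Log Format: the User-Agent is the last double-quoted field.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')
MSIE = re.compile(r'MSIE (\d+)\.(\d+)')
THRESHOLD_PCT = 0.1  # cut-over point quoted in the comment above


def is_old_ie(user_agent):
    """True for IE 5.0 or older; Opera of that era spoofed an MSIE token."""
    if "Opera" in user_agent:
        return False
    m = MSIE.search(user_agent)
    return bool(m) and (int(m.group(1)), int(m.group(2))) <= (5, 0)


def old_ie_share(lines):
    """Return (old_ie_hits, parsed_hits, percentage) for an iterable of log lines."""
    old = total = 0
    for line in lines:
        m = UA_FIELD.search(line.strip())
        if not m:
            continue  # skip malformed lines rather than counting them
        total += 1
        old += is_old_ie(m.group(1))
    pct = 100.0 * old / total if total else 0.0
    return old, total, pct


def safe_to_switch(lines):
    old, total, pct = old_ie_share(lines)
    return total > 0 and pct < THRESHOLD_PCT  # an empty log proves nothing


# Constructed sample lines (not real traffic).
SAMPLE = [
    '192.0.2.1 - - [10/Oct/2006:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.2 - - [10/Oct/2006:13:55:40 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"',
    '192.0.2.3 - - [10/Oct/2006:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.8.1) Gecko/20061010 Firefox/2.0"',
    '192.0.2.4 - - [10/Oct/2006:13:56:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    'garbage line without quotes',
]

if __name__ == "__main__":
    old, total, pct = old_ie_share(SAMPLE)
    print(f"{old}/{total} requests from IE <= 5.0 ({pct:.2f}%)")
    print("switch" if safe_to_switch(SAMPLE) else "keep current CA")
```

Run it against the HTTPS virtual host's log specifically, since those are the clients that will actually see the new certificate chain.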