Slashdot Mirror

← Back to Stories (view on slashdot.org)

Choosing an SSL Provider?

Posted by kdawson on from the who-you-gonna-trust dept.

An anonymous reader writes "I have recently been tasked with switching our SSL certificate provider and it's proving not to be easy. We use an internal authority for our own stuff and then we buy certificates to protect outward-facing sites (a lot of them). My question for this community is: How do you choose a certificate authority to use? There is price, service (why we're leaving our last vendor), warranty, and products offered as the only differentiators I can find. Is there any public resource that would show me actual customer reviews of CAs like Verisign, GeoTrust, Comodo, Trustwave, and DigiCert? Our last vendor did a really poor job with support and I would like to make a reasonably educated decision."

7 of 183 comments (clear)

  1. RapidSSL is your friend by teknopurge · · Score: 5, Informative

    They have cheap 128-bit cert that have Root in almost all browsers. The only issue we have run into is windows mobile devices.

    If you're just after a basic root cert, RapidSSL(Equifax) is your best bet. If you need the stronger, blood-of-your-first-born cert, Verisign is the place to go.

    Regards,

    --
    Website Hosting
  2. Rapid SSL Wildcard by Kagato · · Score: 4, Informative

    Go with a Rapid SSL wildcard cert. It will take care of most external needs with a single cert. They have a self service model that works pretty well. Cost is very reasonable.

  3. SSL Shopper by CSMatt · · Score: 4, Informative

    SSL Shopper has a great list of SSL certificate providers and reviews, as well as the ability to compare different providers side by side using their SSL wizard.

  4. Re:What sort of support do you need? by mackil · · Score: 5, Informative

    How do you support a cert? They're pretty much set once delivered. Typically that is true. However when we tried an EV-SSL chained certificate, it wouldn't recognize the trust chain and caused all sorts of problems. We tried dealing with the support people, but they were very unhelpful and would only deal with us over email. Since they appeared to be in the UK (and we in the US), it was very frustrating in dealing with them. In the end we gave up and went back to a root certificate.
  5. Re:Buy a real SSL cert, with location info by jroysdon · · Score: 4, Informative

    I found SiteTruth's search worthless. I put in my own domain and it said it was suspect, no address listed on the website. Totally bogus information. One of the first links is to the AUP page, which contains the same address WHOIS has listed. Even if I search giving the AUP link, it cannot find the address. Further, it says no usable certification info - I could see it complain that it doesn't like my CA, but there cert works just fine in any non-Microsoft browser. I find this site worthless as it fails to provide valid information. I could see it complaining that my SSL cert (free for non-commercial, personal use) is a domain-only, but it doesn't, it just says, "No valid cert." Finally, just because something doesn't have a valid business behind it (as in a personal website/email hosting), doesn't mean it is invalid or worthless. Don't give me your money - I'm not asking for it.

  6. depends on devices... by bentley79 · · Score: 5, Informative

    With more users accessing the web from mobile devices, certificate choice matters even more now. Motorola phones, for example, only have a verisign cert on them, so users will get annoying "untrusted site" warnings for sites with Equifax certs. Also, J2ME applications on these phones cannot connect to sites with non-verisign certs. This becomes a bigger problem for mashup java apps that try to access secure apis on multiple services. You end up greatly restricting how your service can be used if you go for a cheap, easy Equifax certificate.

  7. Re:Depends on priorities by crush · · Score: 4, Informative

    Except that's a pretty good community and is more clueful and ethical than many of the for-money providers. The problem with CAcert is not on the support end, it's the fact that their root certificate is not distributed with current browsers. Each potential verificant would have to import their cert manually. Supposedly that's changing slowly with the Mozilla Foundation spelling out exactly what the audit process is to allow the inclusion of CAcert. We can but wait and hope. Personally I'd rather have community support for something like this.