Khalid,

A certificate bought from a trusted Certificate Authority simply means
a client can verify the certificate's validity through a third party.
This does not mean the web page data is securely encrypted, does not
mean the data on the site is valid and does not mean that the data
cannot be compromised on the client or server machines.

A basic SSL certificate says that the person or persons who bought the
certificate are the same person or persons that own the domain.  This
is the simplest check done by the Certificate Authority when a
certificate request (purchase) is made. The more expensive certs
require that the company ordering the certificate verify their legal
credentials. This may mean they have to FAX proof of their physical
location, their business status (INC, CO, etc.) and contact
information to the Certificate Authority and comply with an
investigation. This extended verification (EV) process is expensive
and can take weeks to complete.

I agree that an expensive SSL cert is only worth the money if the name
of the certificate authority means anything to the clients contacting
your site. 99.9% of the people do not know or care what a CA is.

Hope this helps.

 Guide to SSL Certificates
 https://calomel.org/ssl_certs.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Sun, Jun 15, 2008 at 03:02:48AM +1000, Damien Miller wrote:
>On Sat, 14 Jun 2008, Khalid Schofield wrote:
>
>> Hi,
>> I need to get a proper signed ssl certificate for my ecommerce website
>> hosted on my openbsd box. Getting confused as most websites describe
>> how to do this in many different ways and most refer to self signed
>> certificates. Wanted to ask the experts before I go and throw $100 at
>> the task.
>
>First, I'd recommend that you spend a little time reading up on X.509
>certificates and how they relate to public key cryptography. There
>are nasty consequences if you get things wrong that extend well past
>wasting $100 on a certificate you can't use.
>
>> So do I have to use pass phrases when generating the certificate? If
>> I use a pass phrase why? How does it affect the certificate and its
>> use?
>
>Certificates don't have passphrases, private keys do. A key passphrase
>gives some measure of protection should the file containing your key
>fall into someone else's hands, e.g. by compromising your server. If
>your private key is disclosed, an attacker could impersonate your server.
>
>> Also if I use a pass phrase do I have to tell apache about it? Does it
>> go in a config or do I have to enter it when reloading apache?
>
>Putting it in a configuration file would defeat the purpose, no?
>Yes, if you use a passphrase then you need to tell Apache about it every
>time it is reloaded. For this reason, many web servers do not set
>passphrases on their keys.
>
>> Also what command do you use to do this? Please tell all :)
>
>openssl req
>
>OpenSSL is complex and patchily documented; it assumes that its users
>are quite familiar with X.509 certificates and public key cryptography.
>There are some frontends that make things more simple, and some good
>guides on the net. Try typing "openssl certificate" into your favourite
>search engine for a few.
>
>> One last thing who would you recommend to sign my csr?
>
>Go for the cheapest certification authority that is supported by Firefox
>and Internet Explorer. Do not be fooled by any claims of "premium
>certification" as the overwhelming majority of users do not check the
>CA details.
>
>> Thanks sorry for the stupid questions but I've never done this before
>> and risked my actual money (only the company's).
>
>Like I said, risking $100 on a dud cert is the least of your worries.
>
>-d
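The `openssl req` workflow Damien points at, as an added example that is not part of either message in this thread: a passphrase-free key and CSR for Apache, a check that the CSR's CN is the hostname the CA should sign, and a passphrase-wrapped copy of the key to show what the passphrase actually protects. The hostname and passphrase are constructed placeholders; it assumes an `openssl` binary with a usable default config.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes openssl is on PATH.
set -eu

DOMAIN="shop.example.com"      # constructed placeholder hostname
PASS="constructed-passphrase"  # constructed; a real deployment uses a real secret

# Key plus CSR in one step. -nodes ("no DES") leaves the key unencrypted so
# Apache can start without a prompt; file permissions are then the only guard.
gen_key_and_csr() {  # $1 = output dir, $2 = hostname the CA should sign
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" -subj "/CN=$2" 2>/dev/null
    chmod 600 "$1/server.key"
}

# CN from a CSR, so it can be checked before paying a CA to sign it.
# Handles both "subject=CN = x" and "subject=/CN=x" output formats.
csr_cn() {  # $1 = CSR path
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# A CSR is only usable with the key that produced it: compare public keys.
csr_matches_key() {  # $1 = key path, $2 = CSR path
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Wrap the key with a passphrase. This copy is useless to anyone who takes
# the file without the passphrase, but Apache would prompt for it on every
# reload, which is why the thread notes servers often skip it.
encrypt_key() {  # $1 = plain key, $2 = encrypted output, $3 = passphrase
    openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2" 2>/dev/null
}

# Exit status 0 only if the passphrase unlocks the encrypted key.
key_unlocks() {  # $1 = encrypted key, $2 = passphrase
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

main() {
    d="${TMPDIR:-/tmp}/ssl-example.$$"
    gen_key_and_csr "$d" "$DOMAIN"
    echo "CSR CN: $(csr_cn "$d/server.csr")"
    csr_matches_key "$d/server.key" "$d/server.csr" && echo "CSR matches key"
    encrypt_key "$d/server.key" "$d/server.key.enc" "$PASS"
    key_unlocks "$d/server.key.enc" "$PASS" && echo "passphrase unlocks key"
    key_unlocks "$d/server.key.enc" "wrong" || echo "wrong passphrase rejected"
    rm -rf "$d"
}
main "$@"
```

Send `server.csr` to the CA and keep `server.key` on the server only; the encrypted copy is what you can safely store off the box.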
