Stewart Dean wrote:
> We have been getting our certificates from Verisign...who appear to me to
> be getting an awful lot of money for a wisp of virtuality, for all that
> they are the standard of the industry. We have a server that now needs a
> certificate and I went looking for cheaper certificates; I came up with
> some alternatives that I'd like your input/experience feedback on:

I have done some research on wildcard certificates; the results are
summarized on http://wiki.cacert.org/wiki/WildcardCertificates

I'd advise you against using wildcard certificates for your domains, since
I'd consider them less secure than qualified certs. Just imagine what could
happen if someone accidentally gets hold of the private key of this one
certificate...

> - Your experience with less expensive CAs and their certificates
> - Digicert has single certificates for $100. Has anyone done business with
>   them/used their certificates?
> - They have a wildcard certificate, $449 for multiple single-level domains
>   (*.bard.edu would cover all our sub-domains) AND multiple servers.
>   Sounds too good to be true...one certificate for all your subdomains and
>   servers. Note that it seems that the WC cert works for something like
>   *.bard.edu....if you have other domains hosted as apache aliases, like
>   wombat.org, this would not cover them.
> = Has anyone had experience with any WC Cert
> = With Digicert's WC Certs?
> I came across this 1.5 year old discussion of them in one of the O'Reilly
> blogs.... about 2/3rds the way down the page (search for wildcard), read
> all the pieces. Note that:
> 1) The posts are about 1.5 years old, so presumably what little problems
>    there were have been resolved
> 2) There may be browser issues, but that may be a dead issue by now, such as
> 3) You may only get one level from your splat (apparently IE 6 was fussy
>    about this, dunno about IE7), i.e. mail.wombat.org works for
>    *.wombat.org but www.mail.wombat.org may not
Now the question on CAs. This has nothing to do with OpenSSL, and what I'm writing here is partly influenced by my personal opinions, so there may be other views on it.
The really relevant asset of a CA is how many of those users you're interested in will trust it. There are some technical issues, but those are usually minor problems. If you want to get a feeling for how many users will trust a given CA, then open your favoured browser's Root CA storage and check whether it's included there. Repeat this with your second favoured browser and you'll probably have a general idea of it. ;) Of course I'm assuming that you want to run a standard web server for "the general public". Specific needs (or not-needs) for a server may lead to cheaper or more secure solutions. Or even both.
At https://host.convey.de/esuccess.htm (and some other servers) we have been using Comodo / GTE CyberTrust certificates for several years now and there have never been any reports about certificate-related problems, while having served something between 50.000 and 100.000 internet users. In other environments we are using our own, openssl-powered CA, which also works fine under those circumstances.
Hope this helps.

Ted ;)
-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
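Two points in the thread above are easy to get wrong by hand: which hostnames a wildcard name actually covers (one label only, left-most label only, never the bare domain, and never an unrelated domain such as an Apache alias), and whether a given CA is in the trust store a client will use. The following is an added illustration, not code from either poster: a hostname-matching function following RFC 6125 section 6.4.3 as current browsers apply it, a helper that lists which of your hosts one certificate (and therefore one private key) covers, and a lookup over a trust store in the list-of-dicts shape returned by Python's `ssl.SSLContext.get_ca_certs()`. The host list and the sample trust store are constructed for the example; the domain names are the ones used in the thread.

```python
"""Wildcard coverage and trust-store lookup (added example, stdlib only)."""

import ssl


def _labels(name: str) -> list[str]:
    """Lower-case DNS labels, trailing dot stripped."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a DNS name from a certificate's SAN list covers `hostname`.

    Wildcard rules as browsers apply them: '*' must be the entire left-most
    label, at least two labels must follow it (so '*.org' never matches), and
    the wildcard stands for exactly one label, so '*.wombat.org' matches
    'mail.wombat.org' but neither 'wombat.org' nor 'www.mail.wombat.org'.
    """
    pat, host = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return pat == host                       # plain name: exact match only
    if pat[0] != "*" or len(pat) < 3 or any("*" in lbl for lbl in pat[1:]):
        return False                             # partial or misplaced wildcard
    return len(host) == len(pat) and host[1:] == pat[1:]


def covered_hosts(cert_names: list[str], hostnames: list[str]) -> list[str]:
    """Hosts that `cert_names` covers; also the blast radius if its key leaks."""
    return [h for h in hostnames if any(name_matches(n, h) for n in cert_names)]


def trusted_roots_matching(org_fragment: str, store=None) -> list[str]:
    """Common names of root certificates whose organizationName contains
    `org_fragment` (case-insensitive). `store` is a list of dicts shaped like
    ssl.SSLContext.get_ca_certs() output; by default the machine's own store
    as loaded by ssl.create_default_context() is used."""
    if store is None:
        store = ssl.create_default_context().get_ca_certs()
    hits = []
    for cert in store:
        # subject is a tuple of RDNs, each RDN a tuple of (attribute, value)
        subj = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
        if org_fragment.lower() in subj.get("organizationName", "").lower():
            hits.append(subj.get("commonName", "<no CN>"))
    return hits


# Constructed inventory: the campus hosts plus an aliased second domain.
HOSTS = ["www.bard.edu", "mail.bard.edu", "www.mail.bard.edu",
         "bard.edu", "wombat.org", "www.wombat.org"]

# Constructed trust store in get_ca_certs() shape (not real CA names).
SAMPLE_STORE = [
    {"subject": ((("countryName", "XX"),),
                 (("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),))},
    {"subject": ((("organizationName", "Other CA Ltd"),),
                 (("commonName", "Other Root"),))},
]

if __name__ == "__main__":
    print("*.bard.edu covers:", covered_hosts(["*.bard.edu"], HOSTS))
    print("roots matching 'example trust':",
          trusted_roots_matching("example trust", SAMPLE_STORE))
    print("roots in this machine's store matching 'root':",
          trusted_roots_matching("root")[:5])
```

Run it as a script to see the coverage list for the inventory; the last line queries the real local store, which is the same question as opening a browser's root store, asked of the OpenSSL bundle your non-browser clients will use. Partial-label wildcards (`w*.bard.edu`) are rejected outright here, which is stricter than the RFC's optional allowance but matches what mainstream browsers do.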