[Discuss] Are there any SSL certificate authorities that don't cost a king's ransom?

Edward Ned Harvey (blu) blu at nedharvey.com
Mon Jul 29 07:47:51 EDT 2013


> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Tom Metro
> 
> The StartSSL <...> free certs are for
> non-commercial use only. 

I loves me some StartSSL, but you're correct.  Right on their main StartSSL Free page, they link to  CA Policy, which is the PDF Tom linked here.  And you're right, the free certs are only permitted for non-commercial use.  You have to upgrade to Class 2 for that purpose ...  In order to get a Class 2, you have to pay $60 for your personal Class 2, plus $60 for the company Class 2 (unless you're the sole owner of the company).  The unfortunate thing there is that their company Class 2 validation process includes having the president/CEO or CFO of your company submit signed documents and/or articles of incorporation, which you just can't seem to justify yourself bothering them about.  Why should the CEO or CFO be involved in what's obviously an IT issue?  Too bad, so sad.  Side note:  While nearly everything trusts StartCom SSL certs, some really old things don't.  Like Service-Packless XP or something.  Really old.  Generally old enough to be considered irrelevant.  And definitely so old that *security* is irrelevant.

As much as I hate GoDaddy, I'm going to recommend them for their SSL certs.  They're trusted by every browser, their prices are good, and the validation process was easy for me to jump through without involving top level executives.  Their instructions to install certs into your web server are impeccable.  (And you can even get their support person to walk you through it if you call.)  They do a good job of notifying you about approaching expiration dates, so you renew before you encounter any embarrassing or costly error of omission.



More information about the Discuss mailing list