Re: SSL certs

To: debian-isp@lists.debian.org
Subject: Re: SSL certs
From: "curby ." <curby.public@gmail.com>
Date: Mon, 31 Oct 2005 02:03:11 -0700
Message-id: <[🔎] 5d2f37910510310103p63a4659ewb5e2197c1494cfe4@mail.gmail.com>
In-reply-to: <[🔎] 20051026193345.GA7440@excelhustler.com>
References: <[🔎] 20051026193345.GA7440@excelhustler.com>

On 10/26/05, John Goerzen <jgoerzen@complete.org> wrote:
> We're going to need some SSL certificates here for some secure websites.

I just went through this myself, though I'm just interested in a
cheap/free cert for a personal site.

> 1. Who is a reputable SSL certificate authority, that is recognized
>    automatically by all modern browsers?

Most widely-supported CAs seem to include:

Verisign
Thawte (same parent company as Verisign, different CA root(s))
RSADSI
Geotrust/RapidSSL (many resellers)
Valicert/Starfield (many resellers)

Open the Root CA certs cache in your browser to find more.

I personally went with the Valicert reseller godaddy.com because they
are as cheap as $20/yr (and free if you host OSS) and they work with
most browsers.  RapidSSL vendors can be as low as $15-20 per year. 
Valicert seems to like chained certs, which need a slightly more
involved installation process (one extra file).

Regarding reputation and assurance, you probably already know that the
vast majority of your sites' visitors will neither know nor care, as
long as they see the nice little lock icon in their browser.  Very few
people will check the encryption key sizes or root CAs used.  Thus CA
brand reputaiton/recognition is generally a non-issue.  Of course,
like any business you don't actually want them to rip you off.  I can
only say that my experience with godaddy's valicert certs has been
positive thusfar.  Their support (via email) is very responsive.

Assurance involves ways that the CA confirms the cert is going out to
the "real" owner/administrator of the site.  Some just check with the
whois email contacts, some do phone, some do fax, etc.  The more
advanced the checks, the more you can expect to pay.  Consider why you
want SSL.  If you're a bank deeply concerned about spoofing, then
stricter checks would certainly be good.  If you, like me,  just want
end-to-end encryption without annoying browser warnings, go for the
cheapest solution.

> 2. We will have several different hosts, and thus different hostnames,
>    running secure sites.  Do we need to purchase a certificate for
>    each, or can we purchase a single certificate and use it to sign the
>    certs for the different hosts?

Generally, yes.  Also see the wildcard cert answers that others have
posted, allowing all *.example.com sites to use the same cert.  If you
only have a handful of subdomains, getting individual certs might be
cheaper.  You may also consider combining servers where possible, e.g.
turning service1.example.com/ and service2.example.com/ into
secure.example.com/service1/ and secure.example.com/service2/ (I know,
this is likely more expensive than the $20-100 it would take to get a
second cert).  Individual certs can also be revoked, renewed, etc.
independently, which might be a plus.

> 3. Are there any resources out there on using commercial certs with
>    Debian?  Any CAs that cater specifically to Debian?

SSL setup instructions are usually server-specific instead of
distro-specific, and vendors are usually totally platform-agnostic. 
For setup, there are probably different sites out there that can help,
such as:

https://certificates.starfieldtech.com/InstallationInstructions.go

Reply to:

References:
- SSL certs
  - From: John Goerzen <jgoerzen@complete.org>

Prev by Date: Re: Blocking SSH attackers
Next by Date: Re: megaraid and 2.6 kernel
Previous by thread: Re: SSL certs
Next by thread: Re: SSL certs
Index(es):
- Date
- Thread