where do I buy a SSL certificate?

Discussion in 'Computer Security' started by Ask Josephsen, May 18, 2006.

  1. Hi

    I've got at website that needs to run https and I understand you need to
    purchase an SSL certificate to do so. But what is a fair price and does
    it matter from who I buy and what I buy?

    My site is located in .dk and the only reason for the https is, I have
    som images that is included in a webshop (running https) on another
    website (fortunately I don't have to install the certificate myself, the
    company hosting my site does that).

    rapidssl.com has a certificate which seems okay to me - one year $69
    (https://www.rapidssl.com/ssl-certificate-products/rapidssl/ssl-certificate-rapidssl.htm).
    Should I go for that ?


    Thanx

    Ask
     
    Ask Josephsen, May 18, 2006
    #1
    1. Advertising

  2. Ask Josephsen wrote:
    > Hi
    >
    > I've got at website that needs to run https and I understand you need to
    > purchase an SSL certificate to do so. But what is a fair price and does
    > it matter from who I buy and what I buy?


    You'd better take care that the issuer's cert is already shipped with
    most webbrowsers.

    The bigger problem is that every such CA is a scumbag, especially the
    cheaper ones.

    > rapidssl.com has a certificate which seems okay to me - one year $69
    > (https://www.rapidssl.com/ssl-certificate-products/rapidssl/ssl-certificate-rapidssl.htm).
    > Should I go for that ?


    This one's not.
     
    Sebastian Gottschalk, May 18, 2006
    #2
    1. Advertising

  3. Ask Josephsen

    Journeyman Guest

    You can create your own self-signed certificate, it will give your user
    a warning about it, but works just the same http://www.verisign.com is
    probably the biggest seller of certs, very trusted
     
    Journeyman, May 18, 2006
    #3
  4. Journeyman wrote:
    > You can create your own self-signed certificate, it will give your user
    > a warning about it, but works just the same http://www.verisign.com is
    > probably the biggest seller of certs, very trusted


    I'd trust a random self-signer more than VeriSign. I just remember some
    anonymous guy anonymously phoning VeriSign and they gave him a signature
    for a cert with CN=Microsoft Corporation.
     
    Sebastian Gottschalk, May 18, 2006
    #4
  5. Ask Josephsen

    jewo Guest

    hi,

    have a look at http://www.cacert.org
    they offer certs for free but the root cert is (not yet) included in most
    browsers

    jewo
     
    jewo, May 18, 2006
    #5
  6. Ask Josephsen

    unixsphere Guest

    Ask Josephsen wrote:
    > Hi
    >
    > I've got at website that needs to run https and I understand you need to
    > purchase an SSL certificate to do so. But what is a fair price and does
    > it matter from who I buy and what I buy?
    >
    > My site is located in .dk and the only reason for the https is, I have
    > som images that is included in a webshop (running https) on another
    > website (fortunately I don't have to install the certificate myself, the
    > company hosting my site does that).
    >
    > rapidssl.com has a certificate which seems okay to me - one year $69
    > (https://www.rapidssl.com/ssl-certificate-products/rapidssl/ssl-certificate-rapidssl.htm).
    > Should I go for that ?
    >
    >
    > Thanx
    >
    > Ask


    https://www.thawte.com/ssl-digital-certificates/ssl/index.html
     
    unixsphere, May 18, 2006
    #6
  7. Sebastian Gottschalk, May 18, 2006
    #7
  8. Ask Josephsen <ask_rem@rem_minreklame.dk> writes:
    > I've got at website that needs to run https and I understand you
    > need to purchase an SSL certificate to do so. But what is a fair
    > price and does it matter from who I buy and what I buy?


    it is also possible to generate your own self-signed SSL certificate
    and have clients that need to access your site ... validate the
    certificate via some out-of-band process.

    i regularly access some number of https sites with self-signed
    certificates ... where my browser initially complains it is signed by
    an unknown certification authority (itself) and gives me an
    opportunity to view it, accept it for the current session, and/or load
    it for long term acceptance (basically into the same repository that
    contains the certification authority self-signed digital certificates
    that were loaded as part of building the browsers).

    if you really want to buy one ... go to the security menu in the
    browsers (that will be typically used by your clients) and do a list
    of the currently loaded self-signed digital certificates ... this will
    give you an indication of which certification authorities that the
    browsers are currntly configured to automatically accept.

    numerous collected past postings mentioning ssl and ssl digital
    certificates
    http://www.garlic.com/~lynn/subpubkey.html#sslcert

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
     
    Anne & Lynn Wheeler, May 18, 2006
    #8
  9. Ask Josephsen <ask_rem@rem_minreklame.dk> writes:
    > I've got at website that needs to run https and I understand you
    > need to purchase an SSL certificate to do so. But what is a fair
    > price and does it matter from who I buy and what I buy?


    it is also possible to generate your own self-signed SSL certificate
    and have clients that need to access your site ... validate the
    certificate via some out-of-band process.

    i regularly access some number of https sites with self-signed
    certificates ... where my browser initially complains it is signed by
    an unknown certification authority (itself) and gives me an
    opportunity to view it, accept it for the current session, and/or load
    it for long term acceptance (basically into the same repository that
    contains the certification authority self-signed digital certificates
    that were loaded as part of building the browsers).

    if you really want to buy one ... go to the security menu in the
    browsers (that will be typically used by your clients) and do a list
    of the currently loaded self-signed digital certificates ... this will
    give you an indication of which certification authorities that the
    browsers are currntly configured to automatically accept.

    numerous collected past postings mentioning ssl and ssl digital
    certificates
    http://www.garlic.com/~lynn/subpubkey.html#sslcert

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
     
    Anne & Lynn Wheeler, May 18, 2006
    #9
  10. Anne & Lynn Wheeler <> writes:
    > i regularly access some number of https sites with self-signed
    > certificates ... where my browser initially complains it is signed by
    > an unknown certification authority (itself) and gives me an
    > opportunity to view it, accept it for the current session, and/or load
    > it for long term acceptance (basically into the same repository that
    > contains the certification authority self-signed digital certificates
    > that were loaded as part of building the browsers).


    the real major difference between a self-signed digital certificate
    that you generate ... and a self-signed digital certificate generated
    by some certification authority ... it that the certificate
    authorities have convinced the browser vendors (typically by paying
    them) to preload their digital certificates into the browser's digital
    certificate repository when the browser is built.

    however, it is straight-forward operation for clients to do
    post-install administrative operations on their browser's digital
    certificate repository (adding and/or deleting digital certificates).

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
     
    Anne & Lynn Wheeler, May 18, 2006
    #10
  11. Ask Josephsen

    nemo_outis Guest

    Anne & Lynn Wheeler <> wrote in
    news::

    > Anne & Lynn Wheeler <> writes:
    >> i regularly access some number of https sites with self-signed
    >> certificates ... where my browser initially complains it is signed by
    >> an unknown certification authority (itself) and gives me an
    >> opportunity to view it, accept it for the current session, and/or load
    >> it for long term acceptance (basically into the same repository that
    >> contains the certification authority self-signed digital certificates
    >> that were loaded as part of building the browsers).

    >
    > the real major difference between a self-signed digital certificate
    > that you generate ... and a self-signed digital certificate generated
    > by some certification authority ... it that the certificate
    > authorities have convinced the browser vendors (typically by paying
    > them) to preload their digital certificates into the browser's digital
    > certificate repository when the browser is built.
    >
    > however, it is straight-forward operation for clients to do
    > post-install administrative operations on their browser's digital
    > certificate repository (adding and/or deleting digital certificates).
    >



    Actually one of the best phishing (and related) attacks (where you have
    access to another's machines) is to diddle the certificate repository.
    Very few ever consider this security risk.

    Regards,
     
    nemo_outis, May 18, 2006
    #11
  12. Ask Josephsen

    Guest

    Ask Josephsen wrote:
    > Hi
    >
    > I've got at website that needs to run https and I understand you need to
    > purchase an SSL certificate to do so. But what is a fair price and does
    > it matter from who I buy and what I buy?
    >
    > My site is located in .dk and the only reason for the https is, I have
    > som images that is included in a webshop (running https) on another
    > website (fortunately I don't have to install the certificate myself, the
    > company hosting my site does that).
    >
    > rapidssl.com has a certificate which seems okay to me - one year $69
    > (https://www.rapidssl.com/ssl-certificate-products/rapidssl/ssl-certificate-rapidssl.htm).
    > Should I go for that ?
    >
    >
    > Thanx
    >
    > Ask


    Go Daddy offers the TurboSSL for only $19.95. I'm not sure what makes
    the TurboSSL cheaper, but the info is here:
    https://www.godaddy.com/gdshop/ssl/ssl.asp
     
    , May 19, 2006
    #12
  13. Ask Josephsen

    Guest

    , May 19, 2006
    #13
  14. Thanx - all your comments did help a lot :)

    I ended up buying the rapid SSL and it seems to work fine.

    ../ask
     
    Ask Josephsen, May 29, 2006
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. P.L.

    SSL certificate for multiple host names

    P.L., Nov 24, 2003, in forum: Microsoft Certification
    Replies:
    2
    Views:
    752
  2. Mikko
    Replies:
    1
    Views:
    533
    Mike Gallagher
    Jan 13, 2004
  3. Olivier PELERIN

    SSL with backend SSL on CSS 11500

    Olivier PELERIN, Aug 30, 2004, in forum: Cisco
    Replies:
    0
    Views:
    3,837
    Olivier PELERIN
    Aug 30, 2004
  4. Replies:
    1
    Views:
    427
    summi
    Jan 27, 2006
  5. jenny
    Replies:
    0
    Views:
    967
    jenny
    Nov 30, 2006
Loading...

Share This Page