I've used StartSSL in the past. I will never do so again.
Yes, the certs are free, and yes, they work in all common browsers. But the process of obtaining them is a horror of Lovecraftian proportions. I'll happily pay a few dollars to Namecheap to be able to avoid the nightmare that is StartSSL's UI.
Not my experience at all. It's easy and straightforward (really takes less than 10 mins). I have a bunch of startSSL certs in use. Before I started using startSSL certs I used Thawte certs.
Dealing with Thawte was HORRIBLE, these guys are extremely pushy (their sales reps repeatedly called me at home to 'convince' me I really should renew my certificates with them and wouldn't take no for an answer). Contrast that with startSSL where I had some questions and Eddy Nigg personally replied within minutes.
In summary, I highly recommend giving startSSL a shot.
This hasn't been my experience. Their web site is ugly and lame but once you're logged in it's about a 3-step process to apply for the cert. Both times I was emailed within 10 minutes that my cert was ready, and it works fine.
I second this experience, and "Lovecraftian" is indeed an excellent way to describe it. It's not just that the process was difficult, it's that my confidence dwindled through every strange and baffling step.
I find their service excellent. The website doesn't have the latest hip look, but the service is solid, and they are very responsive and helpful in case you run into an issue. For a free service, that's impressive.
The only complication is the fact that they use client-side SSL certificates for authentication. I don't know of any other site which does this. Although I like that they're dogfooding, it probably would have been better if they'd stuck with a traditional username/password/cookie scheme for logging in, from a business/usability perspective.
We tried them but had to change to a different vendor because the Blackberries didn't recognize their certificates and they had no plans to rectify that. We don't have much BB traffic, but didn't want to exclude BB users just because we wanted to be cheap.
I disagree also. Their process is fine with me and very quick. I haven't had to contact them in a while, but when I did, I got a fast, intelligent response. StartCom/StartSSL is a breath of fresh air.
This seems to have been downvoted but it's not an invalid point. The web is old enough now that a certain level of design is expected of things people need to trust. A shop down a side alley with a handwritten sign inspires less confidence than something plastic on the high street - however wrong that initial impression may be.
People with background knowledge may know startssl is legit/good but to a newcomer I can easily see why their first impression is off.
I'm actually shocked at how many places accept the trust chain of my free SSL certificate from Gandi. Some browsers refuse my company's very expensive wildcard certificate from GoDaddy saying it's not trusted but trust mine from Gandi!
I started to do Class 2 identification with StartSSL, but I chickened out after they asked me to provide my marriage certificate and wife's personal info.
They have a very detailed policy document describing all sorts of security procedures they purport to adhere to, but I have no way to validate whether they are actually following those policies and no recourse for me or my wife even if it was determined that they are not following them.
That is just too risky for the value I would get out of the process.
EDIT: I was contacted by Eddy Nigg with some follow up information. I should have said that the reason they asked for my wife's info is because they wanted phone bills and those are in my wife's name which isn't the same last name as mine. That said, I'll still stand by my statement that the risk and complexity vs. reward was just not suitable for me.
EDIT 2: Okay, they offer an alternative for validation: they can mail you a registered letter with a validation code on it. That is much more acceptable to me, so I'll continue on with the process to see how that goes.
It's worth mentioning that their certificates cannot be used to secure a Java web service because their CA is not included in Java's cert bundle. I had to learn this when I tried to call out to a web service (with a StartCom cert) from Salesforce.
Also their certs are only free as long as you don't need to revoke it.
Came here to say something like this. While the site is a bit of a pain, and the certs are free, make damn sure you have your site configured the way you want it before you generate the certificate.
It's $25 to revoke a cert, i.e. free up the name so you can use it again elsewhere. I used part of my domain name for an XMPP cert that I later wanted to use for a web subdomain with the same name.. nope. Stupid.
I once built a Clojure web app and used a StartSSL free certificate. It worked fine after I imported it into the Java keystore. I was using OpenJDK under Linux. Were you using Oracle's Java?
My understanding is free ones are not trusted/accepted by the browsers, hence to have something that isn't tossing errors at your users requires a small payment to a CA.
I've used PositiveSSL from Namecheap whenever I need certs, it's something crazy cheap like $5.
The SSL certificate for https://grepular.com/ is from StartSSL. I renewed it 5 days ago. The CN is for "secure.grepular.com" (for historical reasons), with a subjectAltName of "grepular.com"
I'd like to create a wild card certificate, but that costs money. My understanding is that it is a one off fee (60USD) for them to validate your identity and that it doesn't cost money to renew after that point. I could be wrong though. It's not completely clear.
The identity validation expires every year, and you have to pay the $59.90 again to renew it. However, once you've validated your identity, you can generate as many "class 2" certificates (including wildcard certificates) as you like, and those certificates last 2 years.
Is it possible to sign object code (.exe, .dll, etc.) with any SSL certificate that we buy? Or does this have to be mentioned clearly in the list of features of the SSL certificate?
It's possible that an SSL certificate may have that capability added, but in my experience they've always been sold as separate products. If you need a code signing certificate the cheapest I've found was through Tucows. It's hidden in their developer resource subdomain. We paid $199 for a 3 year code signing cert.
I actually did pay them a bit, but only so that I could obtain "verified" status and generate unlimited wildcard certificates for all of my domains. It's a good deal :)
You're supposed to have installed the client SSL certificate in your browser before visiting that URL. It caught me out too initially. They use client-side SSL certificates for authentication. I don't know any other site which does this.
When you sign up they install a certificate in your browser. Without that, there's no way to log in to your StartSSL account! So make sure to make a backup of it. I lost my account because I didn't realize this...
They also, like any other CA, have the ability to generate keys in your name any time they like. That would have consequences - but so would abusing your private key.
If it's for something where it's that much of a concern (and it IS a legitimate concern, no argument there) then you need a paid certificate anyway - you'd likely want a business name, not a personal one, etc etc......
If we're talking business, you wouldn't be using a free cert from them anyway.
Sure they do. I'm using a bunch of them right now. The only restriction startSSL has is that they don't accept popular names like 'amazon' or 'google' for subdomain names (I found out after I tried to get a cert for 'amazon.xxx.com' which we'd run in an AWS EC2 instance for testing). So we switched to 'sandbox.xxx.com' and got the cert within minutes.
They do, it's just that you cannot register a wildcard certificate for free. When I registered my certificate I could pick one subdomain in addition to the main domain.
While technically possible that doesn't get you very far, you'd end up with a self-signed certificate. That works fine except for the scary warnings (which look a bit unprofessional). And of course if the client programs of your service do not have an interface for accepting self-signed certificates, you're back to square one.
[+] [-] stevelosh|14 years ago|reply
[+] [-] moonlighter|14 years ago|reply
[+] [-] saberworks|14 years ago|reply
[+] [-] aiurtourist|14 years ago|reply
Since you mentioned paying "a few dollars" to Namecheap, can you comment on the feasibility of their $8.95 "PositiveSSL" certificate? ( http://www.namecheap.com/ssl-certificates/comodo.aspx )
[+] [-] dikbrouwer|14 years ago|reply
[+] [-] mike-cardwell|14 years ago|reply
[+] [-] taa|14 years ago|reply
[+] [-] brdrak|14 years ago|reply
[+] [-] dikbrouwer|14 years ago|reply
[deleted]
[+] [-] yangez|14 years ago|reply
[+] [-] kingofspain|14 years ago|reply
[+] [-] agildehaus|14 years ago|reply
[+] [-] huhtenberg|14 years ago|reply
[+] [-] andyking|14 years ago|reply
[+] [-] Macha|14 years ago|reply
> With each domain name transferred to Gandi, we include a Standard SSL certificate for free the first year.
https://www.gandi.net/domain/ssl#nav
[+] [-] jc4p|14 years ago|reply
[+] [-] DEinspanjer|14 years ago|reply
(posted to twitter also https://twitter.com/#!/deinspanjer/status/158596876772450304 )
[+] [-] js4all|14 years ago|reply
[+] [-] Karunamon|14 years ago|reply
[+] [-] cinch|14 years ago|reply
[+] [-] brianjolney|14 years ago|reply
[+] [-] dan85|14 years ago|reply
[+] [-] elliottcarlson|14 years ago|reply
You might mean self-signed certificates?
[+] [-] mike-cardwell|14 years ago|reply
[+] [-] JoshTriplett|14 years ago|reply
[+] [-] RKearney|14 years ago|reply
> gain enough access to issue valid certificates for arbitrary domains to themselves, StartSSL said. The attackers were also unsuccessful in generating an intermediate certificate that would allow them to act as their own certificate authority, The Register reported.
[+] [-] meow|14 years ago|reply
[+] [-] yardie|14 years ago|reply
[+] [-] micheljansen|14 years ago|reply
[+] [-] pbreit|14 years ago|reply
Second, I just got an "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error." at https://auth.startssl.com
For a product that is supposed to be confidence inspiring, StartSSL is the opposite.
[+] [-] mike-cardwell|14 years ago|reply
[+] [-] cinch|14 years ago|reply
[+] [-] jusob|14 years ago|reply
[+] [-] fduran|14 years ago|reply
[+] [-] dedward|14 years ago|reply
[+] [-] Kudos|14 years ago|reply
[+] [-] moonlighter|14 years ago|reply
[+] [-] xolox|14 years ago|reply
[+] [-] hohoho2012|14 years ago|reply
[+] [-] xolox|14 years ago|reply