
Choosing an SSL Provider?

An anonymous reader writes "I have recently been tasked with switching our SSL certificate provider and it's proving not to be easy. We use an internal authority for our own stuff and then we buy certificates to protect outward-facing sites (a lot of them). My question for this community is: How do you choose a certificate authority to use? There is price, service (why we're leaving our last vendor), warranty, and products offered as the only differentiators I can find. Is there any public resource that would show me actual customer reviews of CAs like Verisign, GeoTrust, Comodo, Trustwave, and DigiCert? Our last vendor did a really poor job with support and I would like to make a reasonably educated decision."
  • by teknopurge ( 199509 ) on Friday April 25, 2008 @11:15AM (#23198082) Homepage
    They have cheap 128-bit certs that have Root in almost all browsers. The only issue we have run into is Windows Mobile devices.

    If you're just after a basic root cert, RapidSSL(Equifax) is your best bet. If you need the stronger, blood-of-your-first-born cert, Verisign is the place to go.

    Regards,
  • Impression (Score:4, Informative)

    by esocid ( 946821 ) on Friday April 25, 2008 @11:18AM (#23198140) Journal
    I was under the impression that SSL providers had a hold on the "market" and didn't really need to provide that good support, but that is coming from someone who has never had to deal with that side of it. Here [web-hosting-top.com] is an aggregation of a bunch of providers though, beware it's an ugly page.
  • SSL (Score:3, Informative)

    by mackil ( 668039 ) <movie@@@moviesoundclips...net> on Friday April 25, 2008 @11:19AM (#23198154) Homepage Journal
    We've used Geotrust since the beginning and have never had a problem. They are a bit more expensive than others, but we'll take the hit there for the good support.

    There was one year where we wanted to try the EV-SSL. We decided to go cheap and went with Comodo. Big mistake. It didn't work, and after dealing 2 weeks with the support people there, we gave up and went back to Geotrust. They would only talk to us via email and were generally very unhelpful. I'm not saying that is what everyone experiences, I'm simply stating our own.
  • by TechyImmigrant ( 175943 ) * on Friday April 25, 2008 @11:19AM (#23198162) Homepage Journal
    >They have cheap 128-bit certs that have Root in almost all browsers.

    Usually they are 1024 bit RSA with SHA-1 signing (80 bit). These are deprecated by NIST for use past 2010.

    MS don't support SHA-256 signatures in XP, until SP3, which explains some of the delay in rolling out stronger roots.
  • Rapid SSL Wildcard (Score:5, Informative)

    by Kagato ( 116051 ) on Friday April 25, 2008 @11:20AM (#23198174)
    Go with a Rapid SSL wildcard cert. It will take care of most external needs with a single cert. They have a self service model that works pretty well. Cost is very reasonable.
  • by gerry_br ( 801484 ) on Friday April 25, 2008 @11:21AM (#23198192)
    I have had success with both OpenSRS and GoDaddy for SSL certs. OpenSRS will allow you to easily supply the needs of your customers. Never had a problem with using either. Also, what type of support do you need? My experience is you install them and they work, then you renew them/reinstall as needed. Just my $0.02
  • Digicert all the way (Score:3, Informative)

    by cryogenix ( 811497 ) on Friday April 25, 2008 @11:23AM (#23198220)
    If you want good support, go with Digicert. Absolutely phenomenal support. You don't go through hold queues to get to some person god knows where. Usually the person who picks up the phone is the one that helps you and they know what they are talking about. I've been extremely happy with them.
  • SSL Shopper (Score:5, Informative)

    by CSMatt ( 1175471 ) on Friday April 25, 2008 @11:37AM (#23198414)
    SSL Shopper [sslshopper.com] has a great list of SSL certificate providers and reviews, as well as the ability to compare different providers side by side using their SSL wizard.
  • >How do you support a cert? They're pretty much set once delivered.

    Typically that is true. However when we tried an EV-SSL chained certificate, it wouldn't recognize the trust chain and caused all sorts of problems. We tried dealing with the support people, but they were very unhelpful and would only deal with us over email. Since they appeared to be in the UK (and we in the US), it was very frustrating in dealing with them. In the end we gave up and went back to a root certificate.
  • Thawte (Score:4, Informative)

    by NekoXP ( 67564 ) on Friday April 25, 2008 @11:42AM (#23198496) Homepage
    You can't go wrong with Thawte..
  • by Anonymous Coward on Friday April 25, 2008 @11:43AM (#23198506)
    At my company, we use three different providers depending on the need.

    Client Facing
    We use Verisign [verisign.com] for anything a client will interact with since we can use the Verisign Secured Seal [verisign.com] on any web content on our site. Our studies have shown a percentage of our users actually know of the Verisign secured logo and it helps to assure them of the security.

    Non-client Facing
    We use Thawte [thawte.com] certificates since these are much cheaper than Verisign, and are fully compatible with most browsers/mobile devices.

    QA/Dev Servers
    We use GoDaddy [godaddy.com] for internal/external tests and projects. They are cheap and quick, which makes them useful in a non production environment.
  • by jroysdon ( 201893 ) on Friday April 25, 2008 @11:47AM (#23198572)
    I found SiteTruth's search worthless. I put in my own domain [roysdon.net] and it said it was suspect, no address listed on the website. Totally bogus information. One of the first links is to the AUP [roysdon.net] page, which contains the same address WHOIS has listed. Even if I search giving the AUP link, it cannot find the address. Further, it says no usable certification info - I could see it complain that it doesn't like my CA, but their cert works just fine in any non-Microsoft browser. I find this site worthless as it fails to provide valid information. I could see it complaining that my SSL cert (free for non-commercial, personal use) is a domain-only, but it doesn't, it just says, "No valid cert." Finally, just because something doesn't have a valid business behind it (as in a personal website/email hosting), doesn't mean it is invalid or worthless. Don't give me your money - I'm not asking for it.
  • $$ vs requirements (Score:1, Informative)

    by Anonymous Coward on Friday April 25, 2008 @11:52AM (#23198658)
    Choosing an SSL provider really depends on your requirements. If all that you need is an SSL cert for encrypted traffic and have no other corporate or audit requirements to adhere to, then almost any SSL provider with 99% browser compatibility will work. These certificates are usually in the $49-150 range. If you have to adhere to a policy, or if you want your "secured by xxxx" logo to be a well known name, then I would recommend Thawte. Others have recommended Verisign, but what most people do not realize is that Verisign and Thawte are the same company; and that you can purchase a Thawte SSL certificate for a little less than half of the price for the exact same thing.

    https://www.thawte.com/ssl-digital-certificates/buy-ssl-certificates/?click=buyssl-buttonsleft
    $699 one year

    https://ssl-certificate-center.verisign.com/process/retail/product_selector;jsessionid=F682F047C9C50A9204F1B5A1F3971614?uid=d62acac0de1cbeb4b281f52d35982a1d&product=GHA002
    $1,499 one year

    Both certificates will pass all of the major security benchmarks (PCI, HIPAA, ISO20001, etc.)
  • by bentley79 ( 1053828 ) on Friday April 25, 2008 @11:52AM (#23198668)
    With more users accessing the web from mobile devices, certificate choice matters even more now. Motorola phones, for example, only have a Verisign cert on them, so users will get annoying "untrusted site" warnings for sites with Equifax certs. Also, J2ME applications on these phones cannot connect to sites with non-Verisign certs. This becomes a bigger problem for mashup Java apps that try to access secure APIs on multiple services. You end up greatly restricting how your service can be used if you go for a cheap, easy Equifax certificate.
  • by sherriw ( 794536 ) on Friday April 25, 2008 @11:55AM (#23198694)
    I used GoDaddy for the one standard cert I ever had to order and had no problems at all. My one complaint is that when I ordered it, their pricing was $19.99, it has now gone up to $29.99.

    The cert auto renewed and I wasn't expecting that, but a ticket to their support center and I got it canceled and refunded. So pretty good service I think.

    But watch out. The more that ISPs start filtering content, and the more that governments increase monitoring and censoring data on the web... you're going to see rising demand for SSL certs and rising instances of the "pay more money for a green URL bar" nonsense.

    The SSL providers are trying to sell you on the idea that it's the cert that makes the site trustworthy. Meanwhile, all you really need the cert for is the encryption.

    IE7 has succeeded in making shared certs utterly useless. Too bad for the little guy who was using the shared cert provided free from his hosting company, because you can no longer use it without an enormous frightening message from the browser.

    Look for more of this to come.
  • by crush ( 19364 ) on Friday April 25, 2008 @12:28PM (#23199198)
    Except that's a pretty good community and is more clueful and ethical than many of the for-money providers. The problem with CAcert is not on the support end, it's the fact that their root certificate is not distributed with current browsers. Each potential verificant would have to import their cert manually. Supposedly that's changing slowly with the Mozilla Foundation spelling out exactly what the audit process is to allow the inclusion of CAcert. We can but wait and hope. Personally I'd rather have community support for something like this.
  • by firewrought ( 36952 ) on Friday April 25, 2008 @01:10PM (#23199726)

    >At SiteTruth, we consider the low-end certs worthless.

    But the self-signed cert you have for your own domain is laudable? Sheesh... it's even expired, not that you'd know since your "site verification site" doesn't even take the most basic precaution of defaulting to https.
  • Re:May I ask ... (Score:3, Informative)

    by Anonymous Coward on Friday April 25, 2008 @01:45PM (#23200188)
    The vendor was Verisign. And after reading some of these posts I think some clarity may help everyone. We have about 600 ssl certificates in geographically distributed data centers, with another 25,000 other types of internal certificates. You would not just go to CACert or RapidSSL for this. We need an API and Control Panel, Audit privileges, management tools etc.

  • by mvdwege ( 243851 ) <mvdwege@mail.com> on Friday April 25, 2008 @02:41PM (#23201048) Homepage Journal

    Nope. RapidSSL is a brandname of Geotrust (which in turn is a brandname of Equifax). Geotrust also offers QuickSSL Premium certs, which are signed with the standard Equifax Secure CA root certificate, which, to my knowledge, is distributed with all mobile devices currently on the market.

    The pricing for QuickSSL Premium certs is not much different from the bigger vendors, but the service we've gotten so far from Geotrust is excellent, and their simple no-nonsense verification system means we get to deploy certs within five minutes from submitting the CSR.

    Full disclosure: I work for a Geotrust reseller. We picked them because we got fed up with our previous supplier.

    Mart
