[Chugalug] StartSSL.com Rocks - Thanks Wes
cluon at geeklabs.com
Fri Aug 23 13:44:05 UTC 2013
Back in June, Wes mentioned StartSSL (http://www.startssl.com)
as an alternative to the big SSL providers, with a very different
methodology, but good SSL certs for Apache, Linux
(and probably everything else).
Wow, what a difference. First, ignore that their website is a little dated
looking and not over-designed with bullshit adverts and add-ons. Their
founder Eddy Nigg is a nut, but the right kind of nut.
You get started by creating an SSL Client cert that gets installed in
your browser which acts as your "key" to your account and then go through
steps to verify an email address or two. The typical: they send you a
token, you paste it back into the website type of thing.
Then it gets interesting, if you want "Class 2" verification, which allows
you to create "Class 2" SSL Certificates, which are standard SSL
Certificates used for normal web SSL encryption, you have to get
confirmed that you are who you say you are. This required me to swallow
hard because they wanted scans of my Passport and Driver's License.
I checked them out for a few days online, no scam complaints... crazy
nutcases saying they trusted them... so I did it. An actual human sent
emails asking for a scan of a phone bill with my address on it.
I'm prepaid with T-Mobile, which works for me and I don't get bills.
They didn't accept the screen shots of my T-Mobile account.
This led to a couple more actual human clueful emails and they ended up
sending me, via registered mail, from Israel, a letter with a token in it
for address verification. This took a few days to receive, but I was
impressed that they were going through such steps.
Since then, I've issued wildcard and host specific SSL certs for 3
domains, including https://www.geeklabs.com (if you want to check out the SSL Cert)
I've paid them $59.90 USD so far. I feel guilty. I'm used to paying much
more to entities that have much less of a clue who is behind the
certificate request. That actual intelligent humans responded to emails
had me spinning my head around. Hence this writeup. I hope y'all consider
them for your needs also.
So far, everything I have thrown at them seems to work well. PHP, Curl,
We are starting the process for the Extended Validation Certs. They want a
lot of paperwork/proof for these, but they are less than $200 for
something Verisign dumps you into a pricing wizard to calculate a 4+ digit
number for, and probably has less idea who is behind the certificate.
Important step for something taking payments for utilities.
Firefox does a database lookup on SSL Certs that may take hours to a day
to recognize a freshly issued/installed SSL Certificate that Chrome,
Safari and MSIE do not do by default. I'm suggesting that, if this is
critical, you issue the SSL Cert on the system, but not install it for a
few hours. It works great once it is in the "OCSP" system.
Firefox has this feature "on" by default.
You can create certificates valid for multiple hosts, including
wildcards at the same time easily. Excellent workflow interfaces for this.
I ended up with an OpenID address of: https://meuon.startssl.com
which is interesting, but I have not used it yet.
I'm trying to get "Web of Trust" Notary status. I like the concept
and maybe can be of service verifying others. This requires me being
verified by two other WoT Notaries, which will take some travel
as the closest are Atlanta and Nashville.