[Chugalug] StartSSL.com Rocks - Thanks Wes

Mike Harrison cluon at geeklabs.com
Fri Aug 23 13:44:05 UTC 2013


Back in June, Wes mentioned StartSSL  (http://www.startssl.com)
as an alternative to the big SSL providers, with a very different 
methodology, but good SSL certs for Apache, Linux
(and probably everything else).

Wow, what a difference. First, ignore that their website is a little dated 
looking and not over-designed with bullshit adverts and add-ons. Their 
founder Eddy Nigg is a nut, but the right kind of nut.

You get started by creating an SSL client cert that gets installed in 
your browser, which acts as your "key" to your account, and then go through 
steps to verify an email address or two. The typical "they send you a 
token, you paste it back into the website" type of thing.

Then it gets interesting, if you want "Class 2" verification, which allows 
you to create "Class 2" SSL Certificates, which are standard SSL 
Certificates used for normal web SSL encryption, you have to get 
confirmed that you are who you say you are. This required me to swallow 
hard because they wanted scans of my Passport and Driver's License.
I checked them out for a few days online, no scam complaints... crazy 
nutcases saying they trusted them... so I did it. An actual human sent 
emails asking for a scan of a phone bill with my address on it.
I'm prepaid with T-Mobile, which works for me and I don't get bills.
They didn't accept the screen shots of my T-Mobile account.

This led to a couple more actual human clueful emails and they ended up 
sending me, via registered mail, from Israel, a letter with a token in it
for address verification. This took a few days to receive, but I was 
impressed that they were going through such steps.

Since then, I've issued wildcard and host specific SSL certs for 3 
domains, including https://www.geeklabs.com (if you want to check out the SSL Cert)

I've paid them $59.90 USD so far. I feel guilty. I'm used to paying much 
more to entities that have much less of a clue who is behind the 
certificate request. That actual intelligent humans responded to emails 
had me spinning my head around. Hence this writeup. I hope y'all consider 
them for your needs also.

So far, everything I have thrown at them seems to work well. PHP, Curl, 
even Java... (Gasp!)

We are starting the process for the Extended Validation Certs. They want a 
lot of paperwork/proof for these, but they are less than $200 for 
something Verisign dumps you into a pricing wizard to calculate a 4+ digit 
number for, and probably has less idea who is behind the certificate. 
Important step for something taking payments for utilities.

Issues:

Firefox does a database lookup on SSL certs that may take hours to a day 
to recognize a freshly issued/installed SSL certificate, which Chrome, 
Safari and MSIE do not do by default. I'm suggesting that if this is 
critical, you issue the SSL cert on the system but not install it for a 
few hours. It works great once it is in the "OCSP" system.

http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

Firefox has this feature "on" by default.
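One way to know when the waiting period is over, rather than guessing at "a few hours": ask the CA's OCSP responder directly before putting the cert into Apache. The script below is an added example, not part of the original post and not StartSSL's tooling; it assumes a stock `openssl` binary, and the `cert.pem` / `issuer.pem` paths are placeholders for your own issued certificate and the intermediate CA certificate that signed it. A freshly issued cert that the responder does not know yet typically comes back as `unknown`, which is the state that makes OCSP-checking browsers like Firefox complain.

```shell
#!/bin/sh
# Added example: check whether an OCSP responder already knows a newly issued
# certificate before deploying it. Not code from the original post.
# Assumes: openssl on PATH; "cert.pem" and "issuer.pem" are placeholder paths.

# Classify the text output of `openssl ocsp -text ...`.
# Prints exactly one word: good, revoked, unknown, or error.
# Exit status: 0 = good (safe to install), 1 = revoked, 3 = not yet known
# to the responder (wait and retry), 2 = response missing or unverifiable.
parse_ocsp_status() {
    # Refuse to trust any status unless the response signature verified.
    case "$1" in
        *"Response verify OK"*) ;;
        *) echo error; return 2 ;;
    esac
    case "$1" in
        *"Cert Status: good"*)    echo good;    return 0 ;;
        *"Cert Status: revoked"*) echo revoked; return 1 ;;
        *"Cert Status: unknown"*) echo unknown; return 3 ;;
        *)                        echo error;   return 2 ;;
    esac
}

# Query the responder named inside the certificate itself (AIA extension).
# $1 = issued certificate (PEM), $2 = issuing CA certificate (PEM).
check_ocsp() {
    cert="$1"; issuer="$2"
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$url" ]; then
        echo "no OCSP responder URL in $cert" >&2
        return 2
    fi
    out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -text 2>&1)
    parse_ocsp_status "$out"
}

# Constructed sample of the relevant lines from a real `openssl ocsp -text`
# run, used only so the parser can be exercised offline.
SAMPLE_UNKNOWN='Response verify OK
    Cert Status: unknown
    This Update: Aug 23 12:00:00 2013 GMT'

# Usage: ./ocsp_check.sh cert.pem issuer.pem
# With no arguments, demonstrate the parser on the constructed sample.
if [ "$#" -eq 2 ]; then
    check_ocsp "$1" "$2"
elif [ "$#" -eq 0 ]; then
    echo "sample response status: $(parse_ocsp_status "$SAMPLE_UNKNOWN")"
fi
```

Run it in a cron job or a loop after issuance and only copy the cert into place once it prints `good`; a `revoked` or `error` result is a reason to stop and look, not to deploy.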

Extras:

You can create certificates valid for multiple hosts, including 
wildcards, at the same time easily. Excellent workflow interfaces for this 
process.

I ended up with an OpenID address of:   https://meuon.startssl.com
which is interesting, but I have not used it yet.

I'm trying to get "Web of Trust" Notary status. I like the concept
and maybe can be of service verifying others. This requires me being 
verified by two other WoT Notaries, which will take some travel
as the closest are Atlanta and Nashville.
