[Chugalug] StartCom StartSSL

Dave Brockman dave at brockmans.com
Sun Jun 30 20:04:40 UTC 2013

On 6/30/2013 10:12 AM, Mike Harrison wrote:
> On Fri, 28 Jun 2013, wes wrote:
>> I use StartCom's StartSSL. It's a little cumbersome at first
>> because they do things so much differently, but once you get past
>> the learning curve it's actually quite nice. For wildcard certs
>> you have to pay around $100 in fees to verify yourself for each
>> company shown in the Registrant of each domain's whois info.
> 
> Thanks.
> 
> I gotta admit, I like their business model and general
> cluefulness.  My issue is using a chained certificate. Their
> Apache configs clearly show:
> 
> SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
> SSLCACertificateFile /usr/local/apache/conf/ca.pem
> 
> Which is what breaks people I'm trying to interface with using
> very limited development environments and average developers using
> Java/J2EE, .NET, C#, etc., and sometimes weird proxy servers.

If on Windows, they can use the local system certificate store, or
they use the certificate store for the user the application is running
as.  For proxy servers, you may have to combine the intermediary and
actual cert into one file to be installed.  You may even have to
include the original Root CA: just because it is in IE/FF/Chrome does
NOT mean it is installed on the proxy server.

> 
> Their https://www.startssl.com website and certificates are
> working well in Firefox and Chrome on Linux and Android. When I dig
> in, I see that their core Certificate Authority as StartCom is a
> "Built in object token", i.e. built into the browser's core CA deck.
> And then they chain off of it.

This is preferred behavior to signing everything from a Root CA (which
should be offline anyway).  I suspect without being vetted and paying
for your own signing CA from Symantec/Thawte/etc, getting a cert
signed directly by an in-browser trusted CA will be unlikely or
include a price tag similar to the above.

> Have you or anyone else used them as a CA for more than standard
> web browser stuff (i.e. API integration)?

This vendor specifically, no.  GoDaddy and RapidSSL certs w/
intermediaries, yes.

Regards,

dtb

