StartCom StartSSL

From: Mike Harrison 
On Fri, 28 Jun 2013, wes wrote:
> I use StartCom's StartSSL. It's a little cumbersome at first because they do things so much differently, but once you get past the learning
> curve it's actually quite nice. For wildcard certs you have to pay around $100 in fees to verify yourself for each company shown in the
> Registrant of each domain's whois info.


I gotta admit, I like their business model and general cluefulness. My 
issue is using a chained certificate. Their Apache configs clearly show:

    SSLCertificateChainFile /usr/local/apache/conf/
    SSLCACertificateFile /usr/local/apache/conf/ca.pem

Which is what breaks people I'm trying to interface with using very 
limited development environments and average developers using Java/J2EE,
.Net, C#, etc., and sometimes weird proxy servers.

Their website and certificates are working well 
in Firefox and Chrome on Linux and Android. When I dig in, I see that 
their core Certificate Authority as StartCom is a "Built in object token",
i.e. built into the browser's core CA deck. And then they chain off of it.

Have you or anyone else used them as a CA for more than standard web 
browser stuff (i.e. API integration)?


===============================================================
From: Dave Brockman
------------------------------------------------------

If on Windows, they can use the local system certificate store, or they use the certificate store for the user the application is running as.

For proxy servers, you may have to combine the intermediary and actual cert into one file to be installed. You may even have to include the original Root CA; just because it is in IE/FF/Chrome does NOT mean it is installed on the proxy server.....

This is preferred behavior to signing everything from a Root CA (which should be offline anyway). I suspect without being vetted and paying for your own signing CA from Symantec/Thawte/etc., getting a cert signed directly by an in-browser trusted CA will be unlikely or include a price tag similar to the above.

This vendor specifically, no. GoDaddy and RapidSSL certs w/ intermediaries, yes.

Regards,

dtb

===============================================================
From: Mike Harrison
------------------------------------------------------

Dave gets a cluefulness +3.14 (some pie). We've had serious issues getting Net/Sysadmins to install certs on proxies (ISA is ugly), and I've got a nightmare of some offshore Java developers that have been trying to get to work in Java what they CAN get to work in cURL. Their Java world can't seem to install certs.
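Dave's advice (bundle leaf + intermediate, and possibly the root, into one file for the proxy) and Mike's Java developers who "can't install certs" come down to the same thing: the client must be able to walk from the leaf to a root it trusts. The script below is an added example, not anything from the list or from StartCom; it generates a throwaway root/intermediate/leaf with openssl so it runs offline, and every file and CN name in it is made up.

```shell
#!/bin/sh
# Added example, not code from the thread: build the one bundle file a proxy
# or Java client needs (leaf first, then the intermediate, then optionally the
# root) and check that the chain verifies. A throwaway root/intermediate/leaf
# is generated locally so it runs offline; all names here are made up.
set -eu

# Count PEM certificate blocks in a file (leaf+intermediate = 2, +root = 3).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Concatenate leaf, intermediate and (optionally) root into one bundle, in the
# order clients walk the chain. Prints the number of certificates written.
build_bundle() {   # args: leaf intermediate outfile [root]
  leaf=$1; inter=$2; out=$3; root=${4:-}
  cat "$leaf" "$inter" > "$out"
  if [ -n "$root" ]; then cat "$root" >> "$out"; fi
  count_certs "$out"
}

# Does the leaf chain up to the root via the intermediate? This is the check a
# proxy or JVM does implicitly when it rejects a cert whose issuer it lacks.
verify_chain() {   # args: leaf intermediate root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Import the intermediate into a Java truststore so the JVM can complete the
# chain itself (a no-op when no JDK keytool is on PATH).
import_into_jks() {   # args: intermediate keystore
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importcert -noprompt -trustcacerts -alias demo-inter \
    -file "$1" -keystore "$2" -storepass changeit >/dev/null 2>&1
}

# Demo PKI in the current directory: root.pem -> inter.pem -> leaf.pem.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  for n in root inter leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$n.key" -out "$n.csr" >/dev/null 2>&1
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}
```

Hand bundle.pem to the proxy administrator; on Apache itself the intermediate alone is what goes in SSLCertificateChainFile.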