Date:      Wed, 5 Feb 2003 21:22:39 +0100
From:      Daniel Lang <langd-freebsd-hackers@leo.org>
To:        Josef Karthauser <joe@tao.org.uk>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: Anyone where to get a signed SSL certificate cheap?
Message-ID:  <20030205202239.GA19957@atrbg11.informatik.tu-muenchen.de>
In-Reply-To: <20030205181724.GB87471@genius.tao.org.uk>
References:  <20030205181724.GB87471@genius.tao.org.uk>

Hi Joe,

Josef Karthauser wrote on Wed, Feb 05, 2003 at 06:17:24PM +0000:
> I know that this is slightly off topic, but maybe someone here could
> advise me.
> 
> I need to obtain a certificate to use on my openssl/apache web server,
> but looking at Verisign and Thawte it appears that they're charging a
> lot of money ($450) per year for one!  Does anyone know where I can get
> one cheaper?  Last time I bought I'm sure that they were only $100/yr
[..]
> p.s. yes, I know that I could self-sign, but this is for an ecommerce
> system and I'd prefer our customer's customers not to have to ask
> themselves why the certificate is in our name and not our customer's! :)
[..]

OK, you got some opinions already. Here is my suggestion.

Why not create a Root CA? VeriSign is in no way more trustworthy than
your company. True, their certificate is part of many browsers by
default, but that need not be such a killing argument.

My suggestion: 
  - Create a Root CA
  - For your Customer: create a CA for your Customer, signed by
    your Root CA.
  - Create certificates signed by the Customer CA.

Of course the CA certificates (of both the Root and the Customer CA)
need to be imported into browsers, but that is not such a big problem.
The DER format can be directly imported into the browser by just
clicking on a corresponding link.

You could provide such links on the eCommerce system's entrance page.

- Advantages: 
  * The certificate would be signed on behalf of your customer
    (and just their certificate would be signed by you, but
    your customer's customers probably wouldn't notice).

  * The costs are not per year but once for the effort to set
    the things up.

  * You can create more certificates and even additional CAs
    with no extra expenses.
 
- Disadvantages:

  * End-Customers may need to import the CA certificates into their
    browser.

  * They may be ignorant and "trust" a $BIG_CERTIFICATE_COMPANY
    more than you, but there is no real reason for that.


So just some food for thought, I guess. :-)

Best regards,
 Daniel
-- 
IRCnet: Mr-Spock         - ceterum censeo Microsoftinem esse delendam -  
*Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/*
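The three-step hierarchy sketched above (Root CA, a Customer CA signed by it, server certificates signed by the Customer CA, DER copies for browser import), as an added example that is not part of the thread; it uses the openssl CLI only, and the organisation names and shop.example.test are constructed:

```shell
# Build Root CA -> Customer CA -> server cert into "$1" and verify the chain.
build_ca_chain() {
  dir=$1
  mkdir -p "$dir"
  # CA profile: without CA:TRUE, browsers and openssl reject the intermediate
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Server profile: the name the shopper sees, never itself a CA
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:shop.example.test\n' > "$dir/leaf.ext"

  # 1. Root CA (self-signed, long-lived, kept offline in practice)
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Hosting Co/CN=Hosting Co Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # 2. Customer CA, signed by the Root CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Customer Ltd/CN=Customer Ltd CA" \
    -keyout "$dir/customer.key" -out "$dir/customer.csr" 2>/dev/null
  openssl x509 -req -in "$dir/customer.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/customer.pem" 2>/dev/null

  # 3. Server certificate, signed by the Customer CA (shows the customer's name)
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Customer Ltd/CN=shop.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/customer.pem" -CAkey "$dir/customer.key" \
    -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null

  # 4. DER copies of both CA certs, the form a browser imports from a link
  openssl x509 -in "$dir/root.pem" -outform DER -out "$dir/root.der"
  openssl x509 -in "$dir/customer.pem" -outform DER -out "$dir/customer.der"

  # 5. Verify: the leaf chains through the Customer CA to the Root CA anchor
  openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/customer.pem" "$dir/leaf.pem"
}

# The disadvantage in practice: a client that has not imported the Root CA
# (here: only the default store) rejects the very same certificate.
verify_without_root() {
  ! openssl verify -untrusted "$1/customer.pem" "$1/leaf.pem" >/dev/null 2>&1
}
```

Run as `build_ca_chain /tmp/ca-demo`; the last line prints `leaf.pem: OK` when the chain is sound, and `verify_without_root /tmp/ca-demo` succeeds only because the untrusted client fails to validate it.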
