Koozali.org: home of the SME Server

Best SSL certificate - what are your experiences?

madadam
« on: November 10, 2007, 04:14:22 AM »
Hi there,

Due to the pain of self-signed certificates with some email clients I have decided to purchase a certificate - I will need one shortly anyway for e-commerce transactions so it is not a drama to purchase one.

However there are many out there. The domain name registrar I use (NameCheap) sells RapidSSL and QuickSSL certificates. Has anyone had experience with these certificates?

What experiences have people had with some certificates on SME 7.x? Are there good ones and are there ones to avoid?

This is just a request for comment (pros and cons) on the different certificate providers and not for information on installing certificates, there's plenty of discussions about that already.

Cheers,

Adam
...

raem
« Reply #1 on: November 10, 2007, 11:27:01 PM »
madadam

CACert seems to work fine.
Here's a Howto
http://wiki.contribs.org/Custom_CA_Certificate
...

madadam
« Reply #2 on: November 11, 2007, 01:47:45 AM »
Hi Ray,

Thanks for the reply. Yes CAcert is an option. Has anyone had any experiences with a CAcert certificate in e-commerce environments?

I know that CAcert is a wildcard certificate in that it can be used for all sub-domains (*.domain.com) but I am unsure about the multiple domains functionality. From what I have read about CAcert you are issued with a certificate for all the domains on your CAcert.org account. Does this mean that you can get around the single domain certificate limitation of SME?

Anyone else use other certificates from other issuers?

Cheers!

adam
...

raem
« Reply #3 on: November 11, 2007, 02:02:39 PM »
madadam

A CAcert certificate works OK with OsCommerce on sme, either install the certificate (in your browser) when surfing the site or download & install (in your browser) the Root certificate from CAcert.

This server has approx 15 hosted domains and they all get added to the certificate when you create the details using the steps in the Howto.
...

madadam
« Reply #4 on: November 12, 2007, 02:12:02 AM »
Hi Ray,

From what I understand CAcert is not recognized by any mainstream browsers yet so in an e-commerce situation any potential customers would first have to manually download and install the cert. This of course is not desirable as most customers are not tech-savvy and will either be intimidated by this or be concerned that this is fraudulent when their browser says the cert is not trusted.

In a situation where it is being installed in an office WAN CAcert would be fine but for e-commerce purposes I don't think it is a good idea. But please correct me if I am wrong in any way.

Cheers,

adam
...

raem
« Reply #5 on: November 12, 2007, 02:40:23 AM »
madadam

It really depends on what level of "trustworthiness" you require & your budget.

All browsers have Root certificates installed for any "brand" of certificate, and from time to time they need to be renewed or get automatically updated by browser updates.
It's effectively the same result to manually install the Root certificate from the CAcert web site.

You can put a note/link on your website requesting users to download and install the Root certificate from the CAcert web site, which may give users a better sense of security than installing the certificate from your actual site.
...

madadam
« Reply #6 on: November 13, 2007, 03:47:06 AM »

Maybe my expectations are a little low but I don't think many people are going to be bothered buying something if first they have to go to another website to manually install a cert when they may not even necessarily understand why. All most users know is they have to look for the little lock symbol on their browser and a little note to assure them their transaction is safe.

Thanks for your help Ray.

I really would like to hear from anyone else about their experiences or even problems with SSL certificates on SME.

cheers,

adam
...

crazybob
« Reply #7 on: November 13, 2007, 05:59:35 AM »
I don't know if it is the best, but I bought my ssl cert from Domains made easy. About $28.00 per year. I believe I followed the wiki version to install it, and it went pretty well. I would also check out godaddy, their certs are cheaper if I remember right.

I am not using wild card, just a single ssl cert.

Bob
If you think you know what's going on, you obviously have no idea what's going on!

raem
« Reply #8 on: November 19, 2007, 02:35:13 PM »
madadam

The cacert root certificate is included in a number of less mainstream browsers, and they are working hard to have it included in mozilla.

Internet Explorer is another matter as there are quite high fees demanded by Microsoft, $75,000 up front + $10,000 per year ongoing, which is a bit rich for a non profit org (cacert).

See
http://wiki.cacert.org/wiki/InclusionStatus
...

smiit
« Reply #9 on: November 21, 2007, 07:26:37 PM »
I installed a free 30-day trial from here:

http://www.rapidssl.com/

Very happy with it.  $45 to renew for a year after the trial.  Easy installation flipping between the cacert instructions in the wiki and the rapidssl tutorial.  Just make sure to signal-event post-upgrade; signal-event reboot for a full update.

I was happy using the built-in SME cert and only switched to the rapidssl since it is accepted automatically by the big browsers and I wanted to avoid any suspicions our corporate clients might have when running https apps from our server should they be asked to manually install a certificate.

Saves having to assure the less-technically-savvy ones (and my bosses) from worry.

madadam
« Reply #10 on: January 28, 2008, 03:35:55 AM »
> madadam
>
> The cacert root certificate is included in a number of less mainstream browsers, and they are working hard to have it included in mozilla.
>
> Internet Explorer is another matter as there are quite high fees demanded by Microsoft, $75,000 up front + $10,000 per year ongoing, which is a bit rich for a non profit org (cacert).
>
> See
> http://wiki.cacert.org/wiki/InclusionStatus


It's hard to respect a company that continuously attempts to profit from others trying to make the world a better place. There are many public and open-source initiatives trying to make the internet and computers more secure but Microsoft's level of co-operation always leaves a lot to be desired.

Adam
...

madadam
« Reply #11 on: January 28, 2008, 03:44:02 AM »
> I installed a free 30-day trial from here:
>
> http://www.rapidssl.com/
>
> Very happy with it.  $45 to renew for a year after the trial.  Easy installation flipping between the cacert instructions in the wiki and the rapidssl tutorial.  Just make sure to signal-event post-upgrade; signal-event reboot for a full update.
>
> I was happy using the built-in SME cert and only switched to the rapidssl since it is accepted automatically by the big browsers and I wanted to avoid any suspicions our corporate clients might have when running https apps from our server should they be asked to manually install a certificate.
>
> Saves having to assure the less-technically-savvy ones (and my bosses) from worry.

Hi there smiit,

I was only just looking at that. I had been looking at a number of providers and decided I liked the sound of the RapidSSL certificates which can also be upgraded to a GeoTrust certificate.

Which RapidSSL tutorial did you use?

Have you come across a how-to for installing a purchased single-root certificate in SME-7? Is it worth me doing one up and putting it on the Wiki? It seems to be a commonly asked question but people just get pointed to the CAcert how-to which is not for everyone.

Cheers,

Adam
...

william_syd
« Reply #12 on: January 28, 2008, 07:44:13 AM »

> I know that CAcert is a wildcard certificate i

Incorrect.

It can be used as a wildcard certificate if you so choose. It all depends on your CSR.
Regards,
William

IF I give advice.. It's only if it was me....

smiit
« Reply #13 on: January 28, 2008, 04:41:06 PM »
> Hi there smiit,
>
> I was only just looking at that. I had been looking at a number of providers and decided I liked the sound of the RapidSSL certificates which can also be upgraded to a GeoTrust certificate.
>
> Which RapidSSL tutorial did you use?
>
> Have you come across a how-to for installing a purchased single-root certificate in SME-7? Is it worth me doing one up and putting it on the Wiki? It seems to be a commonly asked question but people just get pointed to the CAcert how-to which is not for everyone.
>
> Cheers,
>
> Adam

Here's how I installed a Free Rapidssl cert.  You can keep it installed after the 30-day trial and just pay the discounted fee to enable it fully for the next year.

http://www.rapidssl.com/ssl-certificate-support/generate-csr/apache_mod_ssl.htm

Skip 1. and 2.  Create a working directory where you want to generate your rapidssl cert request.

Follow rest of directions 3. through 6. 

For 3., don't use a password/phrase so reboots don't require intervention (skip the -des3 switch)

For 7., go to their link at http://www.rapidssl.com/ssl-certificate-products/free-ssl/freessl.htm and click the Free Trial button.

Submit your cert. request and follow their directions and e-mails and verify over the phone.

Then, before I used the commands from the Custom CA cert wiki page, I renamed the current /home/e-smith/ssl.crt/.crt and /home/e-smith/ssl.key/.key to .crt.old and .key.old

Note - the .crt and .key you created should be in the format of www.{domain}.crt and www.{domain}.key

Now copy the new ones over:

Code:
cp www.{domain}.crt /home/e-smith/ssl.crt/www.{domain}.crt
cp www.{domain}.key /home/e-smith/ssl.key/www.{domain}.key

    * Configure SME database

Code:
config setprop modSSL crt /home/e-smith/ssl.crt/www.{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/www.{domain}.key

    * and apply the changes

Code:
signal-event console-save

then I did the old

Code:
signal-event post-upgrade; signal-event reboot

Check your website/webmail pages and ssl imap/pop and everything should be working and browsers/e-mail clients should accept automatically with no issues or messages.  Open the certificate in your browser and verify it's the new one.
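
The steps in the post above leave the private key without a passphrase and copy it into place with plain cp, so file permissions are the key's only protection, and the .crt/.key pair is worth checking before it is applied. The checks below are an added example, not part of the thread or of SME Server's own tooling; the function names are hypothetical, and it assumes an RSA key and openssl on the PATH.

```shell
#!/bin/sh
# Added example: checks to run on a certificate and passphrase-less key
# before copying them into place. Function names are hypothetical.

# Succeeds if the PEM key is stored without a passphrase (no -des3).
key_is_unencrypted() {
    grep -q 'PRIVATE KEY-----' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# Succeeds only if group and others have no access to the file.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ]
}

# Succeeds if the RSA certificate ($1) and key ($2) share a modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    k=$(openssl rsa -noout -modulus -passin pass: -in "$2" 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Copy the key so the result is mode 0600 regardless of umask;
# plain cp would create it with the umask default (often 0644).
install_key() {
    install -m 600 "$1" "$2"
}

# usage: preflight <cert> <key>; prints the first problem found.
preflight() {
    key_is_unencrypted "$2" || { echo "key needs a passphrase at startup"; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match"; return 1; }
    key_is_private "$2" || { echo "key is accessible to group/other"; return 1; }
    echo "ok"
}
```

Run `preflight www.{domain}.crt www.{domain}.key` in the working directory, then use `install_key` in place of the `cp` for the key file.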

william_syd
« Reply #14 on: January 29, 2008, 12:14:23 AM »
An old how-to that was in the old wiki.

Creating a CA signed SSL Certificate
« Last Edit: January 29, 2008, 12:17:48 AM by william_syd »
Regards,
William

IF I give advice.. It's only if it was me....