Hi Everyone,

Our SSL certificate is coming up for renewal this year for our Exchange server and I want to move to a more secure vendor for SSL, but I also don’t want to pay out the ear for VeriSign’s certificates.

So I was curious what everyone here uses and/or what they recommend?

I use GoDaddy because they have a simple SSL certificate for $29/year. It’s a well-known CA and I haven’t had any issue with browsers or mobile phones.

As above - GoDaddy.

How good is the encryption? This is for use on our Exchange server, so it needs to be very secure.

(Edited - Link updated)

Up to 256-bit

Doesn’t get any cheaper than GoDaddy, even though I don’t like their ads.

Actually it gets a bit cheaper than GoDaddy… try StartCom, they are free:

http://cert.startcom.org/

What ads?

Techdad wrote:

What ads?

GoDaddy’s whole marketing thing. People find it annoying and, if I remember correctly, they could have been considered a bit offensive. I don’t have television so I don’t see many ads but I know that people were not happy about GoDaddy ads - that’s about all that I know about them.

They’re all over the GoDaddy website too.

Last I checked on StartCom, they aren’t trusted by default in most browsers, are they?

We can afford a little more than GoDaddy. Security is a lot more important to me than price, but I would also like to know if VeriSign has any competition that is a little less expensive. VeriSign seems a little overpriced.

I’m no expert at SSL, but as I understand it no SSL certificate is inherently “more secure” than another. Really the bit-length is what’s important, and I believe most SSL companies try to differentiate themselves by the amount of “insurance” they provide (if you have a breach).

You will be safe with pretty much anyone, but GoDaddy’s prices versus how well their CA is implemented in the browsers (if a CA isn’t listed in a browser the SSL will throw an error until you manually update each browser/computer) makes it one of the better choices.

IMHO, of course

ChristopherO wrote:

They’re all over the GoDaddy website too.

Last I checked on StartCom, they aren’t trusted by default in most browsers, are they?

I believe that they are now. They say on the site that only legacy browsers need to have their CA imported.

Techdad wrote:

We can afford a little more than GoDaddy. Security is a lot more important to me than price, but I would also like to know if VeriSign has any competition that is a little less expensive. VeriSign seems a little overpriced.

As Martin pointed out, security is all the same. GoDaddy might be gaudy and silly but no reason to use Verisign because of security.

I always stick with SSL247. I find their sales advice and support excellent.

They offer certs from several providers, and I find their web site much easier to figure out than GoDaddy’s.

As pointed out 1 cert is technically the same as any other (although the Globalsign ones all have SGC level, other providers have this as an option for a fee).

The real price difference comes in with things like re-issue provisions (if you lose the cert in a server crash for example, they’ll reissue the cert for free). I believe the cheap ones will charge for a new cert.

Site seal trust is also important. A lot of people wouldn’t be happy passing their credit card details over a site secured by GoDaddy. Technically this is a nonsense, but the power of branding is very strong. Shouldn’t be an issue if it’s just your OWA site you’re securing though.

The other big factor is the warranties offered on the cert in case it gets compromised. Personally I don’t think these are worth much at all, so would ignore them!

We use GlobalSign.

They have a number of features that appeal to me as the system manager of a medium-sized international company.

Certainly not the cheapest, but support is great and very personal, with no standard procedures to go through before getting any help.

We use VeriSign for our customer-facing portals, Thawte for our internal certs.

GoDaddy

Self Signed Secure Sockets Layer Certificate

What is SSL – Secure Sockets Layer is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

What it does – To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.

What does it contain – It will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate.

Server Side – The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) - a data file also containing your details. You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer’s web browser.

Client Side – The complexities of the SSL protocol remain invisible to your customers. Instead their browsers provide them with a key indicator to let them know they are currently protected by an SSL encrypted session - the lock icon in the lower right-hand corner. Clicking on the lock icon displays your SSL Certificate and the details about it. All SSL Certificates are issued to either companies or legally accountable individuals.

How To Achieve – We could use the Self Signed Certificate available with the Microsoft Resource Kit or any third-party security certificates (free basic versions like StartSSL Free with 1 year validity). The known issues with the third-party free 1-year validity certificates are with the revocation/renewal process. Otherwise, the StartSSL Verified version is available with 2 years validity for $40.

The best recommendation for our product would be Self Signed Certificates (since our product relies on a private network), available with the IIS 6.0 Resource Kit SelfSSL.

Procedure

The IIS 6.0 Resource Kit version 1.0 was released 5/30/2003. It contains a utility called SelfSSL.exe for instantly creating and installing a self-signed testing certificate into IIS. The resource kit is freely downloadable from the Microsoft website. Although the tool is intended for IIS 6.0, it works just as well on IIS 5.1. It is so simple to use that no instructions are required beyond the pointer to the download.

Steps:

a) Download IIS 6.0 Resource Kit Tools http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

b) Install the resource kit (requires Windows Server 2003, Windows XP)

c) From the Windows Start Menu, go to the “\Programs\IIS Resources\SelfSSL” folder and select “SelfSSL”.

d) Instructions will be listed in a command prompt. Type “selfssl” to run the program. (E.g., validity periods using switches.)

e) Test that it worked by visiting https://localhost/
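
The server-side flow described in the post above (key pair, CSR, issued certificate matched to the private key), as an added example that is not part of the original post and does not use SelfSSL: it uses the OpenSSL command line with constructed host names, and self-signs the request in place of a CA, as the post suggests for a private network.

```shell
# Constructed placeholder host names (not from the thread).
CN="mail.example.com"
SANS="DNS:mail.example.com,DNS:autodiscover.example.com"

# Create a 2048-bit RSA private key and a CSR that carries only the public half.
make_csr() {  # $1 = work dir
cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
O = Example Corp
CN = $CN
[v3_req]
subjectAltName = $SANS
EOF
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    chmod 600 "$1/server.key" &&   # the private key never leaves the server
    openssl req -new -key "$1/server.key" -config "$1/req.cnf" -out "$1/server.csr"
}

# Stand in for the CA: self-sign the CSR for 365 days, keeping the SAN list.
self_sign() {  # $1 = work dir
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 365 -sha256 -extfile "$1/req.cnf" -extensions v3_req \
        -out "$1/server.crt" 2>/dev/null
}

# SHA-256 of the public key inside a cert (x509), CSR (req) or private key (pkey).
pubkey_hash() {  # $1 = kind, $2 = file
    case "$1" in
        pkey) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    pub=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) ;;
    esac
    [ -n "$pub" ] || return 1      # unreadable file must not hash as "empty"
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# The match the web server performs: does this certificate belong to this key?
cert_matches_key() {  # $1 = cert, $2 = key
    c=$(pubkey_hash x509 "$1") && k=$(pubkey_hash pkey "$2") && [ "$c" = "$k" ]
}

# Demo run in a throwaway directory.
work=$(mktemp -d) && make_csr "$work" && self_sign "$work" &&
    cert_matches_key "$work/server.crt" "$work/server.key" &&
    echo "certificate matches private key"
```

When a public CA is used instead, only `server.csr` is submitted; the same `cert_matches_key` check applies to the certificate the CA returns.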

We use digicert.com. It’s certainly more expensive than GoDaddy, but there are a ton of options to get just what you need. They have a nice unified communications cert that had all the options we needed for our Exchange server which included 4 subdomains with additionals for $39. I had to call their tech support once and they were most helpful.