I am confused…

I have purchased more than 5 SSL certificates this year alone for different application servers, and I have used Comodo and Thawte from namecheap.com. It is time for Exchange Server 2010. I was wondering which one I should buy this time? I couldn't trust review sites. 4.97/5.00 from 536 reviews for Digicert looks too good to be true.

I couldn't find any difference among SSL providers apart from customer service and support. Every website says that you should go with the most trusted one. So which ones are the most trusted?

7 Spice ups

I’ve used GeoTrust in the past for my UC/SAN certificates for Exchange, but I changed over to Digicert earlier in the year. I have to say that the time to process requests from Digicert is so much faster than GeoTrust. The portal is easy to use and their support is spot on every time I’ve had questions. Also little things like the intermediate certs being bundled into the SSL cert for your Windows servers is also a nice touch so you don’t have to worry about forgetting to download and chain.

1 Spice up

Maybe I am wrong, but I thought they were all the same?

1 Spice up

Moxie Marlinspike says here they are not the same.

2 Spice ups

SSL certificates are pretty much commodities and you can buy from anyone. That said, there are still some slight differences.

(1) Make sure your vendor is listed in your OS's default trusted certificate store. Use MMC, add the Certificates snap-in, Local Computer Account, and open the trusted certificate folder. Make sure your vendor is in there. For client machines such as Win 7 and Win 8, pretty much all of them are in there. But for older server platforms, like Windows 2003, you need to take a look.

(2) SSL has different key lengths and different functionality. The more expensive ones allow the green lock in the browser. So make sure you buy the right one you need.

1 Spice up
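The trusted-root check in step (1) above can also be done from PowerShell; this is an added example, not part of the original reply. The vendor name and the optional certificate path are placeholders to replace with your own.

```powershell
# Added example: -VendorPattern and -CertPath values are placeholders (assumptions).
param(
    [string]$VendorPattern = 'DigiCert',  # substring expected in the root CA's subject
    [string]$CertPath                     # optional: a .cer file issued by that CA
)

# Same view as MMC > Certificates (Local Computer) > Trusted Root Certification Authorities.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$VendorPattern*" }

if (-not $roots) {
    Write-Warning "No root matching '$VendorPattern' found in LocalMachine\Root."
} else {
    # Flag roots that are present but already expired.
    $roots | Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
        Format-Table -AutoSize
}

# If you already hold a certificate from the vendor, build its chain against
# the machine stores to see which root it actually terminates in.
if ($CertPath) {
    $file  = (Resolve-Path $CertPath).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true  # machine context
    # Trust-anchor check only; revocation is skipped here.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($cert)
    foreach ($element in $chain.ChainElements) {
        '{0}  (expires {1:d})' -f $element.Certificate.Subject, $element.Certificate.NotAfter
    }
    if ($trusted) {
        'Chain ends in a root this machine trusts.'
    } else {
        # UntrustedRoot or PartialChain here means the store lacks the root or an intermediate.
        foreach ($status in $chain.ChainStatus) {
            Write-Warning ('{0}: {1}' -f $status.Status, $status.StatusInformation.Trim())
        }
    }
}
```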

godaddy.com has a pretty decent price

I agree with Jack, I use GoDaddy. They are trusted by default by newer Microsoft OSes.

thawte’s too expensive, never heard of namecheap

get my stuff from Comodo…

Never ever buy anything from GoDaddy unless you are a ma-and-pa operation and don't mind rubbish service.

Hmm, Moxie is putting forward good arguments, but for once I gotta disagree with him. They weren't hacked, it was poor internal processes that let Comodo down, in fact problems with a reseller company of theirs and not them directly.

http://en.wikipedia.org/wiki/Comodo_Group#2011_breach_incident

Sure it's about trust, but ALL an SSL cert is designed to do is to tie a domain to some sort of web-of-trust, yes this site is definitely www.domain.com! Even EV certs can be subject to man-in-the-middle attacks and others. And here's where I come back into line with Moxie about the problems with SSL, what is and is not

Namecheap is a reseller who has Comodo, GeoTrust and Thawte for nearly half price for the same products they are selling on their own website.

We use certificatesforexchange.com - works great. I tend to take the view that by paying more you’re paying for trust not security in the technical sense and in our environment that hasn’t warranted spending 10-20x more money.

That said, I have never seen a bad word about Digicert.

1 Spice up

I just started using Digicert a few months ago. I think the main difference in all the prices is verification time/method and support and service afterwards. For what it's worth, I thought Digicert's CSRs were some of the best I've talked to in any industry.

100% agreed. We use sslpoint.com for our certificates and are quite pleased with their support.

Darn you cheapSSLsecurity, where were you when I needed you?

I have purchased a Comodo EV SSL from Namecheap. I could have saved some £££s with you.

1 Spice up

Here’s another way of looking at it: Are these application servers being used by the general public or by your own organization?

If these are public-facing servers, then you want to reduce the number of problems people might have connecting to you. An extended validation certificate (EV) from a CA with a widely recognized root certificate is a good choice in that scenario.

If these are servers primarily for use within your own organization, then it’s not as crucial to use widely recognized certs, because you can easily add the appropriate public keys if a particular machine lacks them.

In both cases, I suggest you check if your servers are accessed by clients which support certificate pinning, since that will reduce the likelihood that someone can impersonate you using a bogus certificate.

Good luck!