StartSSL.com Rocks - Thanks Wes

From: Mike Harrison 
------------------------------------------------------

Back in June, Wes mentioned StartSSL  http://www.startssl.com 
as an alternative to the big SSL providers, with a very different 
methodology, but good SSL certs for Apache, Linux
(and probably everything else).

Wow, what a difference. First, ignore that their website is a little dated 
looking and not over-designed with bullshit adverts and add-ons. Their 
founder Eddy Nigg is a nut, but the right kind of nut.

You get started by creating an SSL Client cert that gets installed in 
your browser which acts as your "key" to your account and then go through 
steps to verify an email address or two. The typical: they send you a 
token, you paste it back into the website type of things.

Then it gets interesting, if you want "Class 2" verification, which allows 
you to create "Class 2" SSL Certificates, which are standard SSL 
Certificates used for normal web SSL encryption, you have to get 
confirmed that you are who you say you are. This required me to swallow 
hard because they wanted scans of my Passport and Drivers License.
I checked them out for a few days online, no scam complaints... crazy 
nutcases saying they trusted them... so I did it. An actual human sent 
emails asking for a scan of a phone bill with my address on it.
I'm prepaid with T-Mobile, which works for me and I don't get bills.
They didn't accept the screen shots of my T-Mobile account.

This led to a couple more actual human clueful emails and they ended up 
sending me, via registered mail, from Israel, a letter with a token in it
for address verification. This took a few days to receive, but I was 
impressed that they were going through such steps.

Since then, I've issued wildcard and host specific SSL certs for 3 
domains, including https://www.geeklabs.com (if you want to check out the SSL Cert)

I've paid them $59.90 USD so far. I feel guilty. I'm used to paying much 
more to entities that have much less of a clue who is behind the 
certificate request. That actual intelligent humans responded to emails 
had me spinning my head around. Hence this writeup. I hope y'all consider 
them for your needs also.

So far, everything I have thrown at them seems to work well. PHP, Curl, 
even Java..(Gasp!)

We are starting the process for the Extended Validation Certs. They want a 
lot of paperwork/proof for these, but they are less than $200 for 
something Verisign dumps you into a pricing wizard to calculate a 4+ digit 
number for, and probably has less idea who is behind the certificate. 
Important step for something taking payments for utilities.

Issues:

Firefox does a database lookup on SSL Certs that may take hours to a day 
to recognize a freshly issued/installed SSL Certificate that Chrome, 
Safari and MSIE do not do by default. I'm suggesting that, if this is 
critical, you issue the SSL Cert on the system, but not install it for a 
few hours. It works great once it is in the "OCSP" system.

===============================================================
From: Stephen Kraus
------------------------------------------------------

Nice! I've been needing a cheaper SSL source!

===============================================================
From: James Nylen
------------------------------------------------------

Mike,

You have this on your website:

It's causing a "This page has insecure content." warning for me in Chrome.
If you change it as follows, that should be resolved:

===============================================================
From: Mike Harrison
------------------------------------------------------

James:

Thanks, there are a few other things wrong there as well.. I prefer hosting a 
static version of jQuery. Actually, I'd prefer not using it at all. But it 
works well with the Bootstrap CSS. The SSL on that website was an experiment, 
and for accessing some things via basic auth and SSL deeper in the site.