
digitalmars.D - [OT] Good alternative to StartSSL?

reply Nick Sabalausky <SeeWebsiteToContactMe semitwist.com> writes:
Sorry for asking this here, but I'm in a bit of a bind: Anyone know of a 
decent alternative to StartSSL?

They'd been good right up until a few hours ago when they decided to 
screw me over by issuing me a key and cert that didn't match, started 
blaming me for it, all while offering me a nice bait-and-switch of 
$24.90 to revoke the unusable cert they gave me just so I can try my 
luck with their (apparently) unreliable system again. Forget that scam. 
(And I'm handling another domain they're also giving me trouble with, too.)

Any suggestions? Everything else I've ever seen is pretty much priced 
for corporate accounts.
Apr 01 2014
parent reply Martin Nowak <code dawg.eu> writes:
On 04/02/2014 08:34 AM, Nick Sabalausky wrote:
 Sorry for asking this here, but I'm in a bit of a bind: Anyone know of a
 decent alternative to StartSSL?

No free alternative that I know of.
 They'd been good right up until a few hours ago when they decided to
 screw me over by issuing me a key and cert that didn't match, started
 blaming me for it, all while offering me a nice bait-and-switch of
 $24.90 to revoke the unusable cert they gave me just so I can try my
 luck with their (apparently) unreliable system again. Forget that scam.
 (And I'm handling another domain they're also giving me trouble with, too.)

I'm always generating the key myself and only send them the CSR. So far I never had any troubles with StartSSL.
Apr 04 2014
parent Nick Sabalausky <SeeWebsiteToContactMe semitwist.com> writes:
On 4/5/2014 1:54 AM, Martin Nowak wrote:
 On 04/02/2014 08:34 AM, Nick Sabalausky wrote:
 Sorry for asking this here, but I'm in a bit of a bind: Anyone know of a
 decent alternative to StartSSL?

No free alternative that I know of.

Digging around, I found http://www.cacert.org/ which I think I remember being mentioned around here before. But unfortunately it appears they're still working on becoming a trusted root authority, so for now it's not much better than self-signed or expired for the average-Joe site visitor's user experience. I'm definitely going to keep an eye on them though, rooting from the sidelines.

I did finally manage to find a $9/yr "Comodo, resold through NameCheap"[1], both of which appear to be reputable companies (actually, I'd already switched my domain registrar to NameCheap about a year or two ago, after 100megs went downhill and got assimilated. First I've heard of Comodo though, but they seem to be a big name). So I got that for my base domain, and although they don't appear to advertise it, they automatically included "www." like StartSSL does, which is nice (although decreasingly important these days).

[1] https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx

 They'd been good right up until a few hours ago when they decided to
 screw me over by issuing me a key and cert that didn't match, started
 blaming me for it, all while offering me a nice bait-and-switch of
 $24.90 to revoke the unusable cert they gave me just so I can try my
 luck with their (apparently) unreliable system again. Forget that scam.
 (And I'm handling another domain they're also giving me trouble with,
 too.)

I'm always generating the key myself and only send them the CSR. So far I never had any troubles with StartSSL.

Hmm, yea, maybe that would've decreased the likelihood of getting a mismatched cert. They did tell me I generated 3 keys before getting the cert. I *know* that *I* only generated 1, but maybe their system went haywire, generated 3, gave me one but generated a cert for one of the others. I'd never previously had a problem with them, either, and I'd been with them for a few years.

But even aside from this technical problem, I'm losing some trust in them too. While attempting to sort it all out, I had this email exchange with their *CTO*:

On 04/02/2014 10:52 AM, Nick Sabalausky wrote:
 On 4/2/2014 2:55 AM, StartCom CertMaster (Eddy Nigg) wrote:
 On 04/02/2014 08:08 AM, Nick Sabalausky wrote:
 No, I only make *ONE* new key before completing the wizard (anything
 else would have been AFTER I completed the wizard for semitwist.com
 and received the cert). I have *NEVER* discarded ANY key that I
 *actually received*.

Please send me your key and certificate file for review, I'll tell



 of the files is wrong.

Attached.

Thanks! What's the password for the key?

Ordinarily, I wouldn't have sent even the encrypted key file, but by this point I was already figuring on jumping ship and I was curious whether he'd ask for the password. Of course, for all I know, he may have just been using that info to cross-check their logs to (somehow) help them determine what went wrong and planned on any new re-issued cert using a new fresh key. I dunno, maybe I'll bite just to see what happens.

I also came across this [potential FUD], although I have no idea how trustworthy it may or may not be: http://danconnor.com/post/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_
Apr 05 2014
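
The workflow mentioned in the thread (generate the key locally, send the CA only the CSR) with a check for the key/cert mismatch described above, as an added example that is not part of any post. The throwaway CA, the file names and the `example.test` subject are constructed stand-ins, and the key is left unencrypted only so the script runs without prompts.

```shell
#!/bin/sh
# Added example (constructed names throughout): keep the private key local,
# hand over only the CSR, and verify what comes back before installing it.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Print the PEM public key embedded in a private key, CSR or certificate.
pubkey_of() {  # usage: pubkey_of key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# Return 0 only when both files carry the same, non-empty public key.
same_pubkey() {  # usage: same_pubkey KIND1 FILE1 KIND2 FILE2
  a=$(pubkey_of "$1" "$2") || return 2
  b=$(pubkey_of "$3" "$4") || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

new_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# 1. The private key is generated locally and never leaves this machine.
new_key "$workdir/site.key"
# 2. Only the CSR (public key + subject, signed by the key) goes to the CA.
openssl req -new -key "$workdir/site.key" -subj "/CN=example.test" -out "$workdir/site.csr"

# 3. Constructed stand-in for the CA: a throwaway root that signs the CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
openssl x509 -req -in "$workdir/site.csr" -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" \
  -CAcreateserial -days 1 -out "$workdir/site.crt" 2>/dev/null

# 4. A second key simulates receiving a cert issued for some other key.
new_key "$workdir/other.key"

if same_pubkey cert "$workdir/site.crt" key "$workdir/site.key"; then
  echo "site.crt matches site.key"
fi
if ! same_pubkey cert "$workdir/site.crt" key "$workdir/other.key"; then
  echo "site.crt does NOT match other.key"
fi
```

Because the certificate contains only the public key, the same comparison settles a mismatch dispute without the private key or its passphrase being sent to anyone.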