On 4/5/2014 1:54 AM, Martin Nowak wrote:
> On 04/02/2014 08:34 AM, Nick Sabalausky wrote:
>> Sorry for asking this here, but I'm in a bit of a bind: Anyone know of a
>> decent alternative to StartSSL?
>
> No free alternative that I know of.

Digging around, I found http://www.cacert.org/ which I think I remember
being mentioned around here before. But unfortunately it appears they're
still working on becoming a trusted root authority, so for now it's not
much better than self-signed or expired for the average-Joe site
visitor's user experience. I'm definitely going to keep an eye on them
though, rooting from the sidelines.
I did finally manage to find a $9/yr "Comodo, resold through
NameCheap"[1], both of which appear to be reputable companies (actually,
I'd already switched my domain registrar to NameCheap about a year or
two ago, after 100megs went downhill and got assimilated. First I've
heard of Comodo though, but they seem to be a big name).
So I got that for my base domain, and although they don't appear to
advertise it, they automatically included "www." like StartSSL does,
which is nice (although decreasingly important these days).
[1] https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx

>> They'd been good right up until a few hours ago when they decided to
>> screw me over by issuing me a key and cert that didn't match, started
>> blaming me for it, all while offering me a nice bait-and-switch of
>> $24.90 to revoke the unusable cert they gave me just so I can try my
>> luck with their (apparently) unreliable system again. Forget that scam.
>> (And I'm handling another domain they're also giving me trouble with,
>> too.)
>
> I'm always generating the key myself and only send them the CSR.
> So far I never had any troubles with StartSSL.

Hmm, yea, maybe that would've decreased the likelihood of getting a
mismatched cert. They did tell me I generated 3 keys before getting the
cert. I *know* that *I* only generated 1, but maybe their system went
haywire, generated 3, gave me one but generated a cert for one of the
others.
I'd never previously had a problem with them, either, and I'd been with
them for a few years. But even aside from this technical problem, I'm
losing some trust in them too. While attempting to sort it all out, I
had this email exchange with their *CTO*:
>On 04/02/2014 10:52 AM, Nick Sabalausky wrote:
>> On 4/2/2014 2:55 AM, StartCom CertMaster (Eddy Nigg) wrote:
>>>
>>>
>>> On 04/02/2014 08:08 AM, Nick Sabalausky wrote:
>>>> No, I only make *ONE* new key before completing the wizard (anything
>>>> else would have been AFTER I completed the wizard for semitwist.com
>>>> and received the cert). I have *NEVER* discarded ANY key that I
>>>> *actually received*.
>>>
>>> Please send me your key and certificate file for review, I'll tell which
>>> of the files is wrong.
>>>
>>
>> Attached.
>>
>
>Thanks! What's the password for the key?
Ordinarily, I wouldn't have sent even the encrypted key file, but by
this point I was already figuring on jumping ship and I was curious
whether he'd ask for the password.
Of course, for all I know, he may have just been using that info to
cross-check their logs to (somehow) help them determine what went wrong
and planned on any new re-issued cert using a new fresh key. I dunno,
maybe I'll bite just to see what happens.
I also came across this [potential FUD], although I have no idea how
trustworthy it may or may not be:
http://danconnor.com/post/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_
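
Checking locally whether a private key, the CSR and the issued certificate belong together, so the key never has to be sent to anyone (an added example, not part of the original message; the file names, `example.test` and the throwaway "Demo CA" standing in for the real CA are constructed):

```shell
#!/bin/sh
# Added example. All keys and certs are throwaway files constructed for the demo.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pub_digest() {  # usage: pub_digest key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1            # unreadable file: fail instead of hashing nothing
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when KEY and CERT carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    k=$(pub_digest key "$1") && c=$(pub_digest cert "$2") && [ "$k" = "$c" ]
}

# Build sample files in DIR: a locally generated key and its CSR, a cert signed
# from that CSR by a throwaway CA, and a second, unrelated key.
make_demo_files() {  # usage: make_demo_files DIR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl x509 -req -in "$1/site.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_demo_files "$d" || exit 1
for f in site other; do
    if key_matches_cert "$d/$f.key" "$d/site.crt"; then
        echo "$f.key: matches site.crt"
    else
        echo "$f.key: MISMATCH with site.crt"
    fi
done
rm -rf "$d"
```

For a passphrase-protected key, `openssl pkey` prompts for the passphrase on the local terminal; only the public-key digests are compared.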