Hi Joe,

Josef Karthauser wrote on Wed, Feb 05, 2003 at 06:17:24PM +0000:
> I know that this is slightly off topic, but maybe someone here could
> advise me.
>
> I need to obtain a certificate to use on my openssl/apache web server,
> but looking at Verisign and Thawte it appears that they're charging a
> lot of money ($450) per year for one! Does anyone know where I can get
> one cheaper? Last time I bought I'm sure that they were only $100/yr
[..]
> p.s. yes, I know that I could self-sign, but this is for an ecommerce
> system and I'd prefer our customer's customers not to have to ask
> themselves why the certificate is in our name and not our customer's! :)
[..]

Ok, you got some opinions already. Here is my suggestion.

Why not create a Root CA? VeriSign is in no way more trustworthy than
your company. True, their certificate is part of many browsers by
default, but that need not be such a killing argument.

My suggestion:

- Create a Root CA
- For your Customer: create a CA for your Customer, signed by
  your Root CA.
- Create certificates signed by the Customer CA.

Of course the CA certificates (of both Root and Customer CA) need to be
imported into browsers, but that is not such a big problem.
The DER format can be directly imported into the browser by
just clicking on a corresponding link. You could provide such
links on the eCommerce system's entrance page.

- Advantages:
  * The certificate would be signed on behalf of your customer
    (and just their certificate would be signed by you, but
    your customer's customers probably wouldn't notice).
  * The costs are not per year but once for the effort to
    set the things up.
  * You can create more certificates and even additional CAs
    with no extra expenses.

- Disadvantages:
  * End-Customers may need to import the CA certificates into their
    browser.
  * They may be ignorant and "trust" a $BIG_CERTIFICATE_COMPANY more
    than you, but there is no real reason for that.

So just some food for thought, I guess. :-)

Best regards,
 Daniel
-- 
IRCnet: Mr-Spock - ceterum censeo Microsoftinem esse delendam -
*Daniel Lang * [EMAIL PROTECTED] * +49 89 289 18532 * http://www.leo.org/~dl/*
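
The three-step hierarchy suggested in the message above (Root CA, Customer CA signed by it, server certificate signed by the Customer CA, plus DER copies for browser import), as an added example that is not part of the original mail. All subject names, the host name shop.customer.example, the file names and the validity periods are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; every name below (Example Root CA, Customer CA,
# shop.customer.example, file names) is constructed for illustration.

build_chain() (   # subshell body: the caller's working directory is untouched
    set -e
    mkdir -p "$1"
    cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[customer_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:shop.customer.example
EOF
    # 1. Self-signed Root CA.
    openssl req -x509 -config pki.cnf -extensions root_ca -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.pem
    # 2. Customer CA, signed by the root; pathlen:0 forbids further sub-CAs.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/O=Customer Ltd/CN=Customer CA" -keyout cust.key -out cust.csr
    openssl x509 -req -in cust.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -sha256 -days 1825 -extfile pki.cnf -extensions customer_ca -out cust.pem
    # 3. Web server certificate, signed by the Customer CA.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/O=Customer Ltd/CN=shop.customer.example" \
        -keyout server.key -out server.csr
    openssl x509 -req -in server.csr -CA cust.pem -CAkey cust.key -CAcreateserial \
        -sha256 -days 365 -extfile pki.cnf -extensions server -out server.pem
    # 4. DER copies of both CA certificates for the browser-import links.
    openssl x509 -in root.pem -outform DER -out root.der
    openssl x509 -in cust.pem -outform DER -out cust.der
)

# Succeeds only when server.pem chains through cust.pem to the trusted root.pem.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/cust.pem" "$1/server.pem"
}

dir=${1:-$(mktemp -d)}
build_chain "$dir"
verify_chain "$dir"
```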