On the heels of some of the most productive conversation I've seen on NANOG in ages, let me try another topic!

I suspect most people on NANOG are in the same boat that I'm in: we operate some small number of domains for ourselves, friends, family, and projects we like. I suspect many of us are also security conscious and would like to use encryption as often as possible. Unfortunately, to communicate with random folks on the Internet you need an "SSL Certificate" signed by a "Trusted Root". Ok, we can argue about that, but that's what I'm going to assume for my question. That could be a cert for a web server, a mail server, a jabber server, or even a personal e-mail certificate.

What I've found is a few classes of service:
- Totally free, but the Root CA is not well distributed (or other issues).
- Free for "one" (perhaps one web, one e-mail) on a well distributed CA, major upcharge for more.
- Services for businesses designed for maintaining multiple domains and certs starting at $high and ending at $crazy.

I am _not_ looking for a free only alternative, but I am looking for a fee structure and price that makes _personal_ use economically workable. I'd love to support community based efforts, but the reality is random folks will be accessing my web site, sending me e-mail, etc., so I want certs that are signed by root certs that ship with OSX/Windows/Linux; they should "just validate". I also do not require "EV" certificates, although being able to get one for an upcharge might be nice.

Are there any providers that target someone with my desires? What providers do NANOG folks use for their _personal_ needs?

-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
I use these guys: http://www.cheapssls.com/

They sell Geotrust and Comodo certs for under $10/yr. The hassle level is quite low. First you order a cert providing the usual billing info, then you go to their web site, pick the order you just paid for, go to a screen where you paste in your signing request, and pick which e-mail address to send the confirmation message to. Click a URL in the confirmation message and the signed cert shows up in a few minutes. The certs are chained, but I've had no acceptance problems once I realized I had to add an extra Apache config line to serve the intermediate cert.

If you get a Comodo cert for example.com, it'll also work for www.example.com. Other than that, they seem to be equivalent.

If you just want something for testing, http://freessl.com/ will provide a real 30 day Geotrust cert for free, with similarly low hassle. At the end of the 30 days, you can renew the cert into a paid one at cheapssls or any other Geotrust reseller.

I realize there are places that will provide totally free certs, but their hassle level is far greater. For $24 I can get a Comodo cert that will make my SSL complaints go away for three years, which seems like a bargain to me.

R's, John
I use http://www.startssl.com/ for all my personal certificates. I have not had any issues with the validations (once you have an account you can validate a domain by sending an email to a predefined list of contact addresses) and the certificates are issued instantly.

On Sat, Feb 18, 2012 at 11:32 AM, John Levine <johnl@iecc.com> wrote:
I use these guys: http://www.cheapssls.com/
They sell Geotrust and Comodo certs for under $10/yr. The hassle level is quite low. First you order a cert providing the usual billing info, then you go to their web site, pick the order you just paid for, go to a screen where you paste in your signing request, and pick which e-mail address to send the confirmation message to. Click a URL in the confirmation message and the signed cert shows up in a few minutes. The certs are chained, but I've had no acceptance problems once I realized I had to add an extra Apache config line to serve the intermediate cert.
If you get a Comodo cert for example.com, it'll also work for www.example.com. Other than that, they seem to be equivalent.
If you just want something for testing, http://freessl.com/ will provide a real 30 day Geotrust cert for free, with similarly low hassle. At the end of the 30 days, you can renew the cert into a paid one at cheapssls or any other Geotrust reseller.
I realize there are places that will provide totally free certs, but their hassle level is far greater. For $24 I can get a Comodo cert that will make my SSL complaints go away for three years, which seems like a bargain to me.
R's, John
toor (lists) writes:
I use http://www.startssl.com/ for all my personal certificates. I have not had any issues with the validations (once you have an account you can validate a domain by sending an email to a predefined list of contact addresses) and the certificates are issued instantly.
"Your request is being held up for review by our personnel". Up to 6 hours. Must be their definition of instant :)

Cheers, Phil
On Sat, 18 Feb 2012 14:27:05 +0100 Phil Regnauld <regnauld@nsrc.org> wrote:
toor (lists) writes:
I use http://www.startssl.com/ for all my personal certificates. I have not had any issues with the validations (once you have an account you can validate a domain by sending an email to a predefined list of contact addresses) and the certificates are issued instantly.
"Your request is being held up for review by our personnel".
Up to 6 hours. Must be their definition of instant :)
It's nice to see that they actually do random reviews, rather than just issuing everything requested. I use startssl and have not had anything held for review.
Cheers, Phil
-- John
John Peach (john-nanog) writes:
"Your request is being held up for review by our personnel".
Up to 6 hours. Must be their definition of instant :)
It's nice to see that they actually do random reviews, rather than just issuing everything requested. I use startssl and have not had anything held for review.
And I did get my account and cert shortly after. So they are quick.

On the other hand, I'm not sure I'd trust a cert where they happen to be the ones generating the key and the CSR themselves. Yes, it's free, but that doesn't mean I want to give up all forms of security :)

Cheers, Phil
On Sat, Feb 18, 2012 at 11:37 AM, Phil Regnauld <regnauld@nsrc.org> wrote:
John Peach (john-nanog) writes:
"Your request is being held up for review by our personnel".
Up to 6 hours. Must be their definition of instant :)
It's nice to see that they actually do random reviews, rather than just issuing everything requested. I use startssl and have not had anything held for review.
And I did get my account and cert shortly after. So they are quick.
On the other hand, I'm not sure I'd trust a cert where they happen to be the ones generating the key and the CSR themselves. Yes, it's free, but that doesn't mean I want to give up all forms of security :)
<http://goo.gl/thGxC> (sorry, the blog's url is stupid and long) use your own key materials and gen your own csr ... silly simple.
Cheers, Phil
On 18/02/2012, at 19.58, Christopher Morrow <morrowc.lists@gmail.com> wrote:
<http://goo.gl/thGxC> (sorry, the blog's url is stupid and long)
use your own key materials and gen your own csr ... silly simple
Yep, someone else pointed me to this off list. Very useful, thanks!

Cheers, Phil
On Sat, Feb 18, 2012 at 10:44 AM, John Peach <john-nanog@johnpeach.com> wrote:
On Sat, 18 Feb 2012 14:27:05 +0100 Phil Regnauld <regnauld@nsrc.org> wrote:
toor (lists) writes:
I use http://www.startssl.com/ for all my personal certificates. I have not had any issues with the validations (once you have an account you can validate a domain by sending an email to a predefined list of contact addresses) and the certificates are issued instantly.
"Your request is being held up for review by our personnel".
Up to 6 hours. Must be their definition of instant :)
It's nice to see that they actually do random reviews, rather than just issuing everything requested. I use startssl and have not had anything held for review.
I've had most of mine held, but almost always I get a response inside of 20 mins. Really, what I care about here is:
1) cert validates in almost all clients (mozilla/chrome/mail.app)
2) controlled/secured by my key, not something made up on the server side
3) not paying money for random bytes.

It works and eddy's pretty quick on requests.

-chris
Cheers, Phil
-- John
Greetings, I'll +1 Chris's experience with startssl.

On 18Feb2012, at 10.57, Christopher Morrow wrote:
On Sat, Feb 18, 2012 at 10:44 AM, John Peach <john-nanog@johnpeach.com> wrote:
On Sat, 18 Feb 2012 14:27:05 +0100 Phil Regnauld <regnauld@nsrc.org> wrote:
toor (lists) writes:
I use http://www.startssl.com/ for all my personal certificates. I have not had any issues with the validations (once you have an account you can validate a domain by sending an email to a predefined list of contact addresses) and the certificates are issued instantly.
"Your request is being held up for review by our personnel".
Up to 6 hours. Must be their definition of instant :)
It's nice to see that they actually do random reviews, rather than just issuing everything requested. I use startssl and have not had anything held for review.
I've had most of mine held, but almost always I get a response inside of 20 mins. Really, what I care about here is:
1) cert validates in almost all clients (mozilla/chrome/mail.app)
2) controlled/secured by my key, not something made up on the server side
3) not paying money for random bytes.
it works and eddy's pretty quick on requests.
-chris
Cheers, Phil
-- John
-- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc Current vCard here: https://www.asgaard.org/~cdl/cdl.vcf
Are there any providers that target someone with my desires? What providers do NANOG folks use for their _personal_ needs?
none at all, we choose NOT to make ourselves dependent on external suppliers as far as possible and this includes NOT having SSL which is lacking in encryption, as well as overall security (buffer overflows and what not) anyway, as well as "external parties" having YOUR keys. (whoever came up with that idea must work for some other government or have been on crack ;) in short: no go, just encrypt your layer 2/3 if you don't trust the "way there" with a mechanism of your own, not supplied by unscreened third parties (quite sure verybad notwork solution is full of CIA spies, but we have none of ours in there, so screw them ;)
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
I received a number of interesting replies, most off-list, so I thought I would summarize and perhaps restart the discussion.

Many folks pushed the "run your own CA" idea. While I get that works, and even secures the communication, if you run a web site accessed by random folks it will confuse some percentage of them.

StartCom (www.startssl.com) seems to be the only 100% free option, with a few limitations. You must own your own domain (for instance they validate your e-mail based on the ones listed in whois), and the certs have the Organization set to "Persona not validated". This doesn't prevent the certs from working fine and "locking the padlock", but if someone looks at it may raise an eyebrow. Still, it's free, you can generate a personal cert for e-mail and certs for web, smtps, jabber, etc. Multiple certs are no problem. For 100% free, it's the only option anyone has mentioned.

From there, you can move up to "cheap" with a couple of options. With StartCom a $60 upcharge will verify a _person_. From that you can generate unlimited certs for the domains you own, a pricing model I think is really nice. They are good for 2 years, although the verification is only good for 1 year. So it's $60 every 2 years if you're not doing any new cert issues in that time, or $60 every year if you are; but the lack of a per-cert charge makes this a pretty good deal if you run a bunch of domains.

In the per-cert realm, both CheapSSL.COM ($8.95/cert/year) and RapidSSL ($49/cert/3year) offer relatively cheap per-cert pricing for one and three year certs, respectively. Depending on needs these may be cheaper or more expensive than StartCom.

I am personally trying out the StartCom free for S/MIME, HTTPS, SMTPS, and IMAPS right now, and they are working quite nicely thus far. If the testing goes well with all clients I may upgrade to their verified product.

One last interesting idea that's not quite ready for prime time.
There's an IETF working group called DANE which has code in Chrome: https://datatracker.ietf.org/wg/dane/ The idea is pretty simple: DNSSEC sign your zones, and then publish your own key material in DNS. By doing this there is no need for a CA at all, which eliminates not only cost but the trust and security issues with the CAs. Of course it moves the trust and security to DNS, but at least two folks argued that DNS (management) has proved more secure than CAs, and at least there were fewer players to audit and trust.

-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
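As an added illustration of the DANE idea in Leo's summary (example code written here, not from the thread or the DANE working group): a stdlib-only Python script that builds a constructed, unsigned toy certificate, pulls the SubjectPublicKeyInfo out of its DER, emits the TLSA "3 1 1" record you would publish in the DNSSEC-signed zone, and performs the matching check a DANE-aware client does against the certificate the server presents. The example.com owner name, the fake key bytes and the certificate itself are assumptions constructed for the demo.

```python
import hashlib

def der(tag, body):
    """Minimal DER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_children(buf):
    """Walk concatenated DER TLVs; return (tag, whole_tlv, body) per element."""
    out, i = [], 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        k = 0 if first < 0x80 else first & 0x7F          # number of extra length bytes
        n = first if k == 0 else int.from_bytes(buf[i + 2:i + 2 + k], "big")
        whole = buf[i:i + 2 + k + n]
        out.append((tag, whole, whole[2 + k:]))
        i += 2 + k + n
    return out

def extract_spki(cert_der):
    """Return the full SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    tbs_fields = der_children(der_children(der_children(cert_der)[0][2])[0][2])
    if tbs_fields[0][0] == 0xA0:                          # optional explicit [0] version
        tbs_fields = tbs_fields[1:]
    return tbs_fields[5][1]   # serial, sigAlg, issuer, validity, subject, then SPKI

def tlsa_record(owner, cert_der, port=443):
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    digest = hashlib.sha256(extract_spki(cert_der)).hexdigest()
    return f"_{port}._tcp.{owner}. IN TLSA 3 1 1 {digest}"

def tlsa_matches(record, presented_cert_der):
    """Client-side check: does the presented cert's SPKI hash equal the published record?"""
    usage, selector, mtype, data = record.split()[-4:]
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("only 3 1 1 records are handled here")
    return hashlib.sha256(extract_spki(presented_cert_der)).hexdigest() == data.lower()

# Constructed toy certificate: real DER layout, fake RSA key, empty signature (NOT a usable cert).
RSA_OID, SHA256_RSA_OID = bytes.fromhex("06092a864886f70d010101"), bytes.fromhex("06092a864886f70d01010b")
def sample_cert(modulus):
    name = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, b"example.com"))))
    key_alg, sig_alg = der(0x30, RSA_OID + b"\x05\x00"), der(0x30, SHA256_RSA_OID + b"\x05\x00")
    rsa_pub = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, key_alg + der(0x03, b"\x00" + rsa_pub))
    validity = der(0x30, der(0x17, b"120218000000Z") + der(0x17, b"140218000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33)), spki
```

Because selector 1 hashes only the public key, the record survives a re-issue of the certificate as long as the same key pair is kept, which is one reason to generate the key yourself rather than let the CA do it.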