www.startssl.com better than I thought

Started by Lazybones, April 07, 2013, 09:33:35 PM


Lazybones

So I have a domain, I have nginx running and I started to set things up.

The way SSL works, if you have one IP you need a certificate that matches all the possible names you will use, a wildcard cert, or resort to the not so greatly supported extensions / hacks out there.

So I decided I would go with ssl.mydomain.com and then load it up with folder redirects in nginx.

To my surprise, when I set up the cert startssl gave me mydomain.com as a SAN in the cert, so for free I now have two valid host names:

ssl.mydomain.com
Mydomain.com

This makes it much easier to set up hosts and avoid conflicts.
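The point of the SAN above is that a browser only accepts the cert if the name in the URL matches one of its dNSName entries. Here is an added example (not code from the thread or from StartSSL) of the RFC 6125 matching rules a client applies, run against a constructed SAN list mirroring the free cert described above (ssl.mydomain.com plus mydomain.com); it also covers the wildcard case mentioned in the post.

```python
"""Hostname matching against a certificate's SAN dNSName entries.

Added example, not part of the forum thread. Implements the rules a
browser applies: case-insensitive comparison, wildcard accepted only as
the entire left-most label, a wildcard covering exactly one label, and
no wildcard directly under a top-level domain ('*.com').
"""

# Constructed SAN dNSName list mirroring the free cert in the thread.
SAN_DNSNAMES = ["ssl.mydomain.com", "mydomain.com"]


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a lone '*' label matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern covers hostname (RFC 6125 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        # Wildcard must be the whole left-most label, nowhere else, and the
        # pattern must keep at least two literal labels after it.
        if (p_labels[0] != "*"
                or any("*" in lbl for lbl in p_labels[1:])
                or len(p_labels) < 3):
            return False
    if len(p_labels) != len(h_labels):
        return False  # '*' covers exactly one label, never a.b.mydomain.com
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def hostname_matches_san(hostname: str, san_dnsnames) -> bool:
    """True if any SAN entry covers hostname; no fallback to the CN field."""
    return any(dnsname_matches(p, hostname) for p in san_dnsnames)
```

Note that "Mydomain.com" matches because DNS names compare case-insensitively, while www.mydomain.com does not: a SAN for the bare domain does not cover subdomains.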

Mr. Analog

That's pretty kickass, how much are their services?
By Grabthar's Hammer

Tom

They have a /free/ ssl cert. If you want the fancy GREEN url bar, that costs $50 and some time verifying your identity.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

FYI my surprise was that the FREE cert actually contained two names.

They are by far the cheapest CA even for the paid certs.

Mr. Analog

Holy smokes!
By Grabthar's Hammer

Lazybones

Quote from: Mr. Analog on April 08, 2013, 08:39:28 AM
Holy smokes!

FYI SSL is a big scam, it does two things... 1) encrypts traffic, 2) validates that the site is who they say they are. Most people just want 1 but due to scams browsers toss a nasty fit for self signed certs.

The difference between the FREE and PAY certs at STARTSSL is basically what appears in the Cert info dialog box and the features you can enable (more SAN names or the special browser trust bar).

The free cert basically is validated against the fact that you can read one of the email addresses that appears in WHOIS for the domain, to validate you are the owner... The cert will have all ID fields blank except that it was issued by STARTSSL, basically.

If you choose a PAY cert they will validate your address and maybe call you to be sure you are who you say you are for the higher level certs.

I am not sure about that though, but getting the GREEN browser bar takes a fair amount of documentation in most cases. I went through renewing one with THAWTE and they pulled business records and contacted the HR department independently to verify I worked there and my role before issuing the cert.

I have Transmission and OWNCLOUD now under SSL via NGINX. Working on getting my other home services set up that way; should be the ultimate in remote access from locked down PCs since I am using a trusted CERT, HTTPS is allowed almost anywhere and the data is Encrypted.

Mr. Analog

You and I know that but to the average user that green bar implies a certain amount of trust.

I mean how often do people actually look at Registrar information on SSL certs they get?
By Grabthar's Hammer

Lazybones

Quote from: Mr. Analog on April 08, 2013, 10:04:42 AM
You and I know that but to the average user that green bar implies a certain amount of trust.

I mean how often do people actually look at Registrar information on SSL certs they get?

Yep, point being that except for sites that take your money, very few users would care about that Green bar even. So for small projects free TRUSTED certs are super handy.

Lazybones

Also StartSSL is interesting in how they handle administration.

Instead of a user name and password for the site they issue you a personal CERT you install in your browser, and when you connect their application requests a cert to verify who you are.

Odd that I have not seen this with the bigger CAs.

Tom

Lose that cert though and you lose access to that account. You then have to sign up again and get them to transfer your certs over to the new account.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

Quote from: Tom on April 08, 2013, 03:46:40 PM
Lose that cert though and you lose access to that account. You then have to sign up again and get them to transfer your certs over to the new account.

So you make a backup, like it immediately recommends to do when you receive it.

Tom

Quote from: Lazybones on April 08, 2013, 04:41:16 PM
Quote from: Tom on April 08, 2013, 03:46:40 PM
Lose that cert though and you lose access to that account. You then have to sign up again and get them to transfer your certs over to the new account.

So you make a backup, like it immediately recommends to do when you receive it.
@%&# happens, and you know it :P
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

True and it is also now trivial to store small content like that offsite and encrypted.

Tom

Encrypted with what key? ;) And where do you store it? And do you store it encrypted? And if so, with what key?
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

I use a KeePass password database encrypted with a strong password, stored and replicated via Dropbox. It supports file attachments so I keep a copy of the cert and its passphrase in there.

If all my client PCs are wiped out I just download KeePass again (keep a copy in Dropbox just in case), mount my database and re-install the cert.

Melbosa

KeePass is handy for that.  I've also used LastPass and at my client sites I've been using TeamPass in a VM.  All great products!!!!
Sometimes I Think Before I Type... Sometimes!

Tom

Quote from: Lazybones on April 08, 2013, 06:10:06 PM
I use a keypass password database encrypted with a strong password stored and replicated via Dropbox . It supports file attachments so I keep a copy of the cert and its pass phase in there.

If all my client PCs are wiped out I just download keypass again (keep a copy in Dropbox just in case) mount my database and re-install the cert.
But how do you protect against the KeePass db being lost or accessed? Gotta keep it in other locations, and secure it with more encryption!
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

KeePass databases are very secure and can take a very long passphrase.

Dropbox leaves a copy of your DB local and in Dropbox. It is unlikely you would lose access to both at the same time and also suffer a disaster event at the same time. Most of what I have in Dropbox is recoverable by some form of reset, which is inconvenient.

Remember the suggestion was to have a way to recover your personal cert, which will also be in your browser or OS key store for daily use. You would have to lose your local key store, local Dropbox and online Dropbox all at the same time to have lost the key for good.

Lazybones

So I logged in to renew my cert (personal key for the site worked perfectly) and screwed up during the signing process, losing the private key. Turns out there is a $24 USD revocation fee on the free certs...

It is actually cheaper for me to pay for a new cert with unlimited revoke from another provider than to revoke my free one... BOO so much for free.

Guess I will use the fairly cheap basic SSL service from domainsatcost.ca .

Melbosa

Company has to make monies somehow :P
Sometimes I Think Before I Type... Sometimes!

Lazybones

Quote from: Melbosa on March 31, 2014, 01:12:02 PM
Company has to make monies somehow :P

If their revoke fee is higher than the UNLIMITED revoke that comes with a new service offered by MANY competitors they are doing it wrong. If revoke was cheaper than a full cert (elsewhere) I would have just revoked. I.e. this actually cost them money as their PAY service is more expensive than many others.

Melbosa

Whatever... they are still in business so they have to be doing something that people pay for ;).  At least you found out why to go somewhere else :D.
Sometimes I Think Before I Type... Sometimes!

Lazybones

Quote from: Melbosa on March 31, 2014, 01:27:48 PM
Whatever... they are still in business so they have to be doing something that people pay for ;).  At least you found out why to go somewhere else :D.

Point was they failed on conversion, which is a major topic in retail and online business. If they were smart they would have had an automatic option that on the free service the revoke link triggers a one time promo code to get FULL service CHEAP, thus getting money, and drastically increasing the chance I would just renew with them in the future.

Amazon and several other online retailers do a great job of this.

Tom

I find their setup is just annoying enough to just make me buy a cert from namecheap.
<Zapata Prime> I smell Stanley... And he smells good!!!