From: Daniel Lang
To: Josef Karthauser
Cc: freebsd-hackers@FreeBSD.ORG
Date: Wed, 5 Feb 2003 21:22:39 +0100
Subject: Re: Anyone where to get a signed SSL certificate cheap?

Hi Joe,

Josef Karthauser wrote on Wed, Feb 05, 2003 at 06:17:24PM +0000:
> I know that this is slightly off topic, but maybe someone here could
> advise me.
>
> I need to obtain a certificate to use on my openssl/apache web server,
> but looking at Verisign and Thawte it appears that they're charging a
> lot of money ($450) per year for one! Does anyone know where I can get
> one cheaper? Last time I bought I'm sure that they were only $100/yr
[..]
> p.s. yes, I know that I could self-sign, but this is for an ecommerce
> system and I'd prefer our customer's customers not to have to ask
> themselves why the certificate is in our name and not our customer's! :)
[..]

Ok, you got some opinions already. Here is my suggestion.

Why not create a Root CA? VeriSign is in no way more trustworthy than
your company. True, their certificate is part of many browsers by
default, but that need not be such a killing argument.

My suggestion:

- Create a Root CA
- For your Customer: create a CA for your Customer, signed by
  your Root CA.
- Create certificates signed by the Customer CA.

Of course the CA certificates (of both Root and Customer CA)
need to be imported into browsers, but that is not such a big problem.
The DER format can be directly imported into the browser by
just clicking on a corresponding link. You could provide such
links on the eCommerce system's entrance page.

- Advantages:
  * The certificate would be signed on behalf of your customer
    (and just their certificate would be signed by you, but
    your customer's customers probably wouldn't notice).
  * The costs are not per year but once for the effort to
    set the things up.
  * You can create more certificates and even additional CAs
    with no extra expenses.

- Disadvantages:
  * End-Customers may need to import the CA certificates into
    their browser.
  * They may be ignorant and "trust" a $BIG_CERTIFICATE_COMPANY
    more than you, but there is no real reason for that.

So just some food for thought, I guess. :-)

Best regards,
 Daniel
-- 
IRCnet: Mr-Spock - ceterum censeo Microsoftinem esse delendam -
*Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/*
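
The three-tier setup suggested in this message (Root CA, Customer CA signed by it, server certificate signed by the Customer CA, plus DER copies for browser import), written out with the openssl command line. This is an added example, not part of the original post; every subject name, host name, lifetime and file name in it is a constructed placeholder, and the `pathlen:0` constraint on the Customer CA is an assumption about how one would want to limit it.

```shell
#!/bin/sh
# Added example: Root CA -> Customer CA -> server certificate.
# All subjects, host names and lifetimes are constructed placeholders.

build_chain() (   # build_chain <empty-dir>; subshell body keeps the cd local
    cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[customer_ca]
# pathlen:0 -> may sign end-entity certificates, but no further CAs
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:shop.customer.example
EOF
    newreq() {  # newreq <name> <subject>: fresh RSA key plus CSR
        openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    sign() {    # sign <name> <ext-section> <days> <signer options...>
        n=$1 sect=$2 days=$3; shift 3
        openssl x509 -req -in "$n.csr" -sha256 -days "$days" \
            -extfile ext.cnf -extensions "$sect" "$@" -out "$n.pem" 2>/dev/null
    }
    newreq root     "/O=Example Hosting/CN=Example Hosting Root CA" &&
    sign   root root 3650 -signkey root.key &&
    newreq customer "/O=Example Customer/CN=Example Customer CA" &&
    sign   customer customer_ca 1825 -CA root.pem -CAkey root.key -CAcreateserial &&
    newreq server   "/O=Example Customer/CN=shop.customer.example" &&
    sign   server server 365 -CA customer.pem -CAkey customer.key -CAcreateserial &&
    # DER copies are the form the post suggests linking for browser import
    openssl x509 -in root.pem -outform DER -out root.der &&
    openssl x509 -in customer.pem -outform DER -out customer.der
)

# chain_ok <dir> [intermediate.pem]: does server.pem verify up to the root?
chain_ok() (
    cd "$1" || exit 1
    openssl verify -CAfile root.pem ${2:+-untrusted "$2"} server.pem >/dev/null 2>&1
)

d=$(mktemp -d) && build_chain "$d" && chain_ok "$d" customer.pem && echo "chain verifies in $d"
```

Calling `chain_ok "$d"` without the intermediate fails, which is the practical consequence of the extra tier: a client that trusts only the root can validate the server certificate only if the Customer CA certificate is also available to it, either imported or sent by the server alongside its own certificate.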