[TriLUG] SSL Certs
dragonstrider at gmail.com
Fri Oct 22 16:20:13 EDT 2004
On Fri, 22 Oct 2004 15:55:42 -0400, Steve Hoffman <srhoffman at gmail.com> wrote:
> Just to be sure, when everyone says hostname, they mean the host
> header and not machine name right? I use hostname/machine name
> interchangably (perhaps incorrectly).
> The machines would be node1.domain.com and node2.domain.com, but the
> app is at app.domain.com which each machine will serve (and nothing
> else)....the app.domain.com is what everyone is referring to when they
> say hostname, right?
Right. The externally resolved host name. I.e. what the user types
into the browser.
> Thanks for all the comments, I did talk to verisign (who's
> outrageously overpriced by the way) and they have a 30 return policy
> so they said I could buy it, then return it for the linux equivalent,
> but that seems like more trouble the it's worth to just wait for the
> new machines, I passed that info on to mgmt and they agreed. So look
> for another post when the new machines get here and I'm pulling my
> hair out trying to get my cert :-)
We did all that hassle, and ended up with a regular 128bit cert from
Thawte. At one point we shifted from Windows to Linux without any
hassles just had to download the different format cert. This was
several years ago, but within the last year I remember seeing that
option. In any case, a local call can give you the answer to this
With that said, it's interesting to note that Thawte is owned by
Verisign, but they seem to be a lot more "fair" in their pricing and
treatment of customers. They also have an office in Raleigh, which is
a plus when validating due dilligence like domain ownership, etc.
If you do go the Thawte route, don't bother with the super certs
unless your application requires 128 bit or better SSL encryption.
Thawte's supercerts supposedly can allow browsers with only 40 bit ssl
support to connect at full 128 bit strength. I have no way to
validate this claim. For this capability you will nearly double the
cost of the cert.
A word of warning to those wishing to use freessl or other
chained-certs, they're incrementally harder to implement because they
require setting up certificate chains on the server. This is why
they're not supported on old browsers (can't follow certificate
chains). Thawte and Verisign do not have this requirement, so are
supported on old browsers as well as modern.
Personal e-mail: jtate AT dragonstrider DOT com
More information about the TriLUG