[TriLUG] SSL Certs

Brian McCullough bdmc at bdmcc-us.com
Fri Oct 22 23:22:47 EDT 2004


On Fri, Oct 22, 2004 at 04:20:13PM -0400, Joseph Tate wrote:
> On Fri, 22 Oct 2004 15:55:42 -0400, Steve Hoffman <srhoffman at gmail.com> wrote:
> > 
> > Thanks for all the comments, I did talk to verisign (who's
> > outrageously overpriced by the way) and they have a 30 return policy
> > so they said I could buy it, then return it for the linux equivalent,
> > but that seems like more trouble than it's worth to just wait for the
> > new machines, I passed that info on to mgmt and they agreed.  So look
> > for another post when the new machines get here and I'm pulling my
> > hair out trying to get my cert :-)
> > 
> 
> We did all that hassle, and ended up with a regular 128bit cert from
> Thawte.  At one point we shifted from Windows to Linux without any
> hassles just had to download the different format cert.  This was
> 
> With that said, it's interesting to note that Thawte is owned by
> Verisign, but they seem to be a lot more "fair" in their pricing and
> treatment of customers.  They also have an office in Raleigh, which is
> a plus when validating due diligence like domain ownership, etc.


Unfortunately, they seem to have closed their local office (was on Six
Forks just up from Staples and Intrex) and so it's back to 800-land. If
their SSL certificates are anything like their e-mail certificates, you
can download any flavor you like whenever you like, of a particular
certificate.


On the other hand, I might suggest looking into CAcert.org as another
possible alternative.  (one of the less-expensive versions)


Brian

> 
> If you do go the Thawte route, don't bother with the super certs
> unless your application requires 128 bit or better SSL encryption. 
> Thawte's supercerts supposedly can allow browsers with only 40 bit ssl
> support to connect at full 128 bit strength.  I have no way to
> validate this claim.  For this capability you will nearly double the
> cost of the cert.
> 
> A word of warning to those wishing to use freessl or other
> chained-certs, they're incrementally harder to implement because they
> require setting up certificate chains on the server.  This is why
> they're not supported on old browsers (can't follow certificate
> chains).  Thawte and Verisign do not have this requirement, so are
> supported on old browsers as well as modern.
> 
> </beentheredonethat>
> 
> -- 
> Joseph Tate
> Personal e-mail: jtate AT dragonstrider DOT com
> Web: http://www.dragonstrider.com

