[TriLUG] Server Certificates and Wild Cards

Igor Partola via TriLUG trilug at trilug.org
Tue Jan 31 11:11:29 EST 2017


Paying more than free for regular TLS (formerly known as SSL) certs should
now be considered a luxury. I deal with this stuff very frequently and here
is the breakdown for those who aren't up to date:

Terminology:

 * Regular certs - certs that cover one or more domain names known ahead of
time.
 * Wildcard certs - certs that cover all subdomains of a known domain name.
 * EV certs - certs that cover not just your domain name(s) but also your
legal entity.

Free regular certs: Let's Encrypt (https://letsencrypt.org/) now provides
free certs. Tools exist to automatically update these certs, so after your
initial setup, you will basically never have to renew anything again. This
is a great option 99% of the time, and you should use it. If your needs are
simple, check out Caddy (https://caddyserver.com/) which is a web server
with automatic Let's Encrypt integration. Let me know if you want pointers
on how to get LE going with nginx.

Paid regular certs: if for whatever reason you like paying money and having
the hassle of renewing regular certificates on a yearly basis, this is the
choice for you. If you are paying more than $9/year for these, you are
getting ripped off. There is NO DIFFERENCE, technical or as far as browser
support, between a $9/year Namecheap certificate and a $500/year VeriSign
one (or a free LE one).

Wildcard certs: LE does not (yet) issue wildcard certificates. This is not
a problem usually since they will issue basically unlimited certificates
for you, but if you run something like Tumblr.com and want *.tumblr.com to
always work, you need this. Typical price for this is somewhere in the
$50-$90 range. Paying more than that doesn't buy you anything at all, just
like the regular paid certs above.

EV certs: this is a very special case which the CAs try to push. If you go
this route, the CA will validate not just your domain, but that you are the
business entity you say you are. The price range for this is high $100s to
$1000s because of the significant amount of work that goes into this. You
most likely DO NOT NEED THIS. If you run an online bank or similar, this is
something to consider. Otherwise, avoid it and save your money.

"But Igor" I hear you say "Let's Encrypt sounds like a single point of
failure. Are there alternatives?" There used to be. StartTLS used to
provide free certs before it was cool, and so did the Chinese WoSign.
Unfortunately, WoSign secretly bought StartTLS, and both have been involved
in shady behavior. They fell out of favor with the security community and
should not be used.

Let's Encrypt is backed by some very large players, including the Linux
Foundation. They are now considered legacy internet infrastructure and lots
of major websites rely on them. Don't be afraid to use them. I believe soon
enough competitors that implement the same cert issuance/renewal protocol
will pop up, but LE is already more than good. Use it.

Igor
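
The post sorts certificates into regular (fixed list of names), wildcard (all subdomains of one name) and EV. A detail worth seeing in code is what "all subdomains" actually means to a browser: a wildcard SAN such as *.tumblr.com matches exactly one label, so it covers blog.tumblr.com but neither tumblr.com itself nor a.b.tumblr.com. The following is an added example, not code from Igor's post or from Let's Encrypt; it implements the RFC 6125 dNSName matching rules a TLS client applies, and the SAN lists in it are constructed for illustration, not taken from real certificates. EV changes nothing here, since EV validates the subject organization, not the name matching.

```python
"""Hostname-vs-certificate matching for the cert types listed in the post.

Added example, not code from the original TriLUG message. It models how a
TLS client decides whether a certificate's Subject Alternative Names
(SANs) cover the host it connected to, following the RFC 6125 rules that
browsers apply. The SAN lists below are constructed for the example.
"""


def san_matches(san, hostname):
    """Return True if a single dNSName SAN entry covers hostname."""
    # DNS names are case-insensitive and may carry a trailing dot.
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in san:
        # Regular cert: the name must match exactly.
        return san == hostname

    san_labels = san.split(".")
    host_labels = hostname.split(".")

    # The wildcard must be the entire leftmost label. Partial wildcards
    # such as "f*.example.com" are rejected by modern clients, and a
    # wildcard in the top two labels ("*.com") is never accepted because
    # it would cover every .com site.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False

    # A wildcard matches exactly one label: "*.tumblr.com" covers
    # "blog.tumblr.com" but neither "tumblr.com" nor "a.b.tumblr.com".
    if len(host_labels) != len(san_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def cert_covers(san_list, hostname):
    """Return True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(san, hostname) for san in san_list)


# Constructed SAN lists for the two name-based cert types in the post.
REGULAR_CERT = ["example.org", "www.example.org"]  # names known ahead of time
WILDCARD_CERT = ["*.tumblr.com"]                   # "all subdomains" of tumblr.com


if __name__ == "__main__":
    for sans, host in [
        (REGULAR_CERT, "www.example.org"),
        (REGULAR_CERT, "mail.example.org"),
        (WILDCARD_CERT, "blog.tumblr.com"),
        (WILDCARD_CERT, "tumblr.com"),        # bare domain is NOT covered
        (WILDCARD_CERT, "a.b.tumblr.com"),    # second level is NOT covered
    ]:
        print(f"{host:20} covered by {sans}: {cert_covers(sans, host)}")
```

The last two cases are the caveat a practitioner wants: a wildcard alone does not cover the bare domain, which is why issuers typically add the apex name (tumblr.com) as a second SAN alongside *.tumblr.com, and why a service with nested subdomains needs either a second wildcard per level or per-name certificates from LE.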