Linode Forum
Linode Community Forums
Posted: Wed May 04, 2011 4:17 pm
Junior Member

Joined: Mon Sep 06, 2010 2:04 pm
Posts: 42
I need to purchase a multiple domain SSL certificate for a client who will be implementing two online shops with their own credit card processing (probably PayPal or Authorize.net). Must be Level 4 PCI compliant.

This question is more about opinions and experiences. It has been a while since I had to deal with SSLs and I'm wondering what you fine Linoders would recommend or what has been your best experiences in this area.

Much appreciated.


Posted: Wed May 04, 2011 4:46 pm
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
kannary100 wrote:
I need to purchase a multiple domain SSL certificate for a client who will be implementing two online shops with their own credit card processing (probably PayPal or Authorize.net). Must be Level 4 PCI compliant.

I'd definitely suggest setting up a system where no card data is stored or transits the Linodes. You can't, IMO, really claim PCI compliance in a shared (even VPS) hosting environment. See also viewtopic.php?t=5622

Quote:
This question is more about opinions and experiences. It has been a while since I had to deal with SSLs and I'm wondering what you fine Linoders would recommend or what has been your best experiences in this area.

While this represents only a sample size of 1, since to be honest I haven't used other commercial CAs, for myself I recently needed a certificate from a recognizable CA (all my other uses to date have been self-signed for internal/franchise sites) and have had good results with StartSSL.

I have to admit to finding the whole commercial CA world - and some of the prices charged - a bit annoying in terms of paying for something that yields no better security than a self-signed certificate, but just to avoid a browser warning. And yeah, I know that's not a completely fair characterization, but...

Anyway, I like StartSSL's model of charging for the verification step, but not for each individual certificate issued, since I believe that fairly represents where the overhead/value is. Not much different for a single certificate but way better if you need to issue even a few. They also have a free Level 1 verification, but that only gives out single host (plus parent domain) certificates so probably not suitable for your case unless the shops can be on different IP addresses.

-- David


Posted: Wed May 04, 2011 7:26 pm
Junior Member

Joined: Mon Sep 06, 2010 2:04 pm
Posts: 42
Actually, perhaps I did not need as much, though I have to say, in the past I made at least 3 or 4 online shops for clients in their Westhost 3.0 VPS accounts without an issue for years.

I think for these clients, even if they use high level of sales, the 3rd party processor is all that is needed. So maybe no PCI-compliant. But I still need the SSL anyways.

Thanks for that link. It was extremely informative.


Posted: Thu May 05, 2011 12:36 pm
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
You can get a basic SSL certificate from Comodo for pretty cheap: http://www.positivessl.com/

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Posted: Thu May 05, 2011 1:29 pm
Senior Member

Joined: Thu May 21, 2009 3:19 am
Posts: 336
All I want to say about this ssl cert business is AHHHHHHHHHHHHHHHH


Is there any REAL difference other than money out of my pocket between; www.rapidssl.com ($50/yr), www.positivessl.com ($10/yr) or Comodo's instant ssl for $70/yr and www.startssl.com (FREE)?

Is one better than the other? Do chained certs make any difference in anything?


Posted: Thu May 05, 2011 3:19 pm
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
waldo wrote:
Is there any REAL difference other than money out of my pocket between; www.rapidssl.com ($50/yr), www.positivessl.com ($10/yr) or Comodo's instant ssl for $70/yr and www.startssl.com (FREE)?

In terms of actual security of the data stream, no. And in terms of user experience, I think those examples are also no. There's some user difference with the EV certificates in terms of the address bar, but I have a hard time paying for that.

Other than actual security there can be differences in how you're allowed to configure the certificates (e.g., UCC or alternate names vs. single name, etc.) but none of that affects the actual data security, though it may make it easier to use a single certificate across multiple servers, or on a single server for multiple domains.

BTW, an important note on the above pricing. I believe other than StartSSL the other prices are all per certificate, so even if you pay up for the next level of StartSSL ($60 I think) that's for an unlimited number of certificates each year (or 2, since I think they have 2 year expirations).

Quote:
Is one better than the other? Do chained certs make any difference in anything?

As long as the parent of the chain is in the browsers, and you configure your server to send back the full chain, shouldn't be any difference.

You do care if the top level authority is in browsers or not, so should check compatibility at that level (most CAs publish this and/or I think there are some independent sites you can check) and that, to me, is the primary value in paying for a certificate, to get that coverage. CAs that have been around longer may have a leg up in coverage, but I don't think there's any significant difference in the above set in that regard at this point.

-- David
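
The chain behaviour described in the reply above, as an added example that is not part of the original thread: a constructed root, intermediate and leaf (all names are made up; assumes the `openssl` CLI is installed) show that a client trusting only the root accepts the leaf only when the intermediate is sent with it.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> leaf (all names made up).

# issue NAME SUBJECT EXTFILE SIGNER-ARGS...  writes NAME.key and NAME.pem
issue() {
    name=$1 subj=$2 ext=$3; shift 3
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$name.csr" -days 2 -extfile "$ext" "$@" \
        -out "$name.pem" 2>/dev/null
}

build_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    # Root: self-signed; stands in for the authority preloaded in the client.
    issue "$d/root" "/CN=Demo Root CA" "$d/ca.ext" \
        -signkey "$d/root.key" || return 1
    # Intermediate: signed by the root. This is the "chained" part.
    issue "$d/int" "/CN=Demo Intermediate CA" "$d/ca.ext" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial || return 1
    # Leaf for the shop: signed by the intermediate, never by the root.
    issue "$d/leaf" "/CN=shop.example.test" "$d/leaf.ext" \
        -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial
}

# verify_leaf DIR [SENT_CHAIN.pem]  prints "trusted" or "untrusted".
# The client trusts only the root; SENT_CHAIN is whatever extra certificates
# the server sent along with its leaf.
verify_leaf() {
    d=$1 sent=${2:-}
    if [ -n "$sent" ]; then
        out=$(openssl verify -CAfile "$d/root.pem" -untrusted "$sent" \
            "$d/leaf.pem" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1) || true
    fi
    case $out in *": OK") echo trusted ;; *) echo untrusted ;; esac
}

demo=$(mktemp -d)
build_demo_pki "$demo"
echo "server sends leaf only:           $(verify_leaf "$demo")"
echo "server sends leaf + intermediate: $(verify_leaf "$demo" "$demo/int.pem")"
rm -rf "$demo"
```
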


Posted: Thu May 05, 2011 3:30 pm
Senior Member

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
waldo wrote:
All I want to say about this ssl cert business is AHHHHHHHHHHHHHHHH


Indeed. The whole system reminds me of airport security, it's the illusion of security through inconvenience. The whole thing is BAD (broken as designed).

Where I can't use self signed certs I choose whoever is cheapest and test the certificate on every OS and browser I can find.


Posted: Thu May 05, 2011 7:40 pm
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
I use Comodo PositiveSSL when self-signed won't do. $10, and Comodo's support isn't bad either. I've had issues with verifying domain ownership with StartSSL, which is why I pay the $10.



Posted: Thu May 26, 2011 12:32 pm
Senior Newbie

Joined: Tue Dec 16, 2008 3:57 pm
Posts: 5
I just want to pop my head in and share an experience I had:

Depending on how you plan on using your certificate you need to be aware that various programming languages/environments might not be compatible with the cheaper SSLs without tweaking.

I ran into a very big issue where the default JVM on a remote server I had to use did not accept my cheap SSL certificate, and it was a bureaucratic and maintenance nightmare to try to patch it in (and keep it patched in after their server upgrades).

Long story short, I ended up paying a lot more money for a Verisign certificate, just because I knew it would be accepted by the JVM.


Posted: Thu May 26, 2011 2:14 pm
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
skelooth wrote:
I ran into a very big issue where the default JVM on a remote server I had to use did not accept my cheap SSL certificate, and it was a bureaucratic and maintenance nightmare to try to patch it in (and keep it patched in after their server upgrades).

Yes, as with any application you have no control over (such as browsers in this thread, or the remote server in your case), it's important to know that the authority you are using is trusted. I don't agree with characterizing this simply as a pricing issue, as it's more a question of what authorities were preloaded into the code in question, which need not have any correlation to the prices charged by that authority, instead likely having a higher correlation to age of the authority.

I'm a little surprised you ran into difficulty if you did have access to the server, since installing an authority into the JVM's keystore should easily survive upgrades, but I don't doubt there was some issue causing you problems, and if you knew Verisign was preloaded as an authority then clearly that was a better choice in your case. But the key was that Verisign was preloaded in your specific environment, independent of their price.

Certainly in the context of browsers, similar coverage can be obtained today from authorities all across the pricing range.

-- David


Post subject: I used MyCheapSSL.com
Posted: Fri Jun 10, 2011 6:09 am

Joined: Fri Jun 10, 2011 6:05 am
Posts: 1
I recently purchased RapidSSL WildCard from http://mycheapssl.com/RapidSSLWC.html

and I wondered how they can sell them so cheap, and they explained how they deal with significant volume of SSL as a reseller and pass the discounts to us directly to an end user like me.

I am really happy with the SSL as well as the service and discounted price I got.

I think you should try them, they are good and cheap


Posted: Fri Jun 10, 2011 6:42 am
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
I do believe that I can smell spam.

_________________
/ Peter


Posted: Fri Jun 10, 2011 7:28 am
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Spam fritters! And for anyone really thinking of following that link, you can find cheaper elsewhere (Namecheap, 123 reg, name.com just to name a few).
