[OT] Good alternative to StartSSL?
Nick Sabalausky
SeeWebsiteToContactMe at semitwist.com
Sat Apr 5 14:57:53 PDT 2014
On 4/5/2014 1:54 AM, Martin Nowak wrote:
> On 04/02/2014 08:34 AM, Nick Sabalausky wrote:
>> Sorry for asking this here, but I'm in a bit of a bind: Anyone know of a
>> decent alternative to StartSSL?
>
> No free alternative that I know of.
Digging around, I found http://www.cacert.org/ which I think I remember
being mentioned around here before. But unfortunately it appears they're
still working on becoming a trusted root authority, so for now it's not
much better than self-signed or expired for the average-Joe site
visitor's user experience. I'm definitely going to keep an eye on them
though, rooting from the sidelines.
I did finally manage to find a $9/yr "Comodo, resold through
NameCheap"[1], both of which appear to be reputable companies (actually,
I'd already switched my domain registrar to NameCheap about a year or
two ago, after 100megs went downhill and got assimilated. First I've
heard of Comodo though, but they seem to be a big name).
So I got that for my base domain, and although they don't appear to
advertise it, they automatically included "www." like StartSSL does,
which is nice (although decreasingly important these days).
[1] https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
>>
>> They'd been good right up until a few hours ago when they decided to
>> screw me over by issuing me a key and cert that didn't match, started
>> blaming me for it, all while offering me a nice bait-and-switch of
>> $24.90 to revoke the unusable cert they gave me just so I can try my
>> luck with their (apparently) unreliable system again. Forget that scam.
>> (And I'm handling another domain they're also giving me trouble with,
>> too.)
>
> I'm always generating the key myself and only send them the CSR.
> So far I never had any troubles with StartSSL.
Hmm, yea, maybe that would've decreased the likelihood of getting a
mismatched cert. They did tell me I generated 3 keys before getting the
cert. I *know* that *I* only generated 1, but maybe their system went
haywire, generated 3, gave me one but generated a cert for one of the
others.
I'd never previously had a problem with them, either, and I'd been with
them for a few years. But even aside from this technical problem, I'm
losing some trust in them too. While attempting to sort it all out, I
had this email exchange with their *CTO*:
>On 04/02/2014 10:52 AM, Nick Sabalausky wrote:
>> On 4/2/2014 2:55 AM, StartCom CertMaster (Eddy Nigg) wrote:
>>>
>>>
>>> On 04/02/2014 08:08 AM, Nick Sabalausky wrote:
>>>> No, I only make *ONE* new key before completing the wizard (anything
>>>> else would have been AFTER I completed the wizard for semitwist.com
>>>> and received the cert). I have *NEVER* discarded ANY key that I
>>>> *actually received*.
>>>
>>> Please send me your key and certificate file for review, I'll tell
>>> which of the files is wrong.
>>>
>>
>> Attached.
>>
>
>Thanks! What's the password for the key?
Ordinarily, I wouldn't have sent even the encrypted key file, but by
this point I was already figuring on jumping ship and I was curious
whether he'd ask for the password.
Of course, for all I know, he may have just been using that info to
cross-check their logs to (somehow) help them determine what went wrong
and planned on any new re-issued cert using a new fresh key. I dunno,
maybe I'll bite just to see what happens.
I also came across this [potential FUD], although I have no idea how
trustworthy it may or may not be:
http://danconnor.com/post/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_
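
The key/certificate mismatch discussed in this thread can be checked locally, without the private key or its passphrase leaving the machine, by comparing the public key embedded in the key file, the CSR and the issued certificate. The script below is an added example, not part of the original message; the file names, the CN and the self-signed stand-in certificate are constructed for the demo, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example. File names and the CN below are constructed for the demo.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pub_digest() {   # $1 = key|csr|cert, $2 = PEM file
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # Refuse unreadable input, so two failed reads can never "match".
    [ -n "$pem" ] || return 1
    # Normalise to DER before hashing so PEM formatting cannot affect the result.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only when both objects carry the same public key.
same_key() {   # $1 kind, $2 file, $3 kind, $4 file
    a=$(pub_digest "$1" "$2") || return 1
    b=$(pub_digest "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

# Constructed demo material: two locally generated keys, one CSR, one certificate.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
for k in site other; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$demo/$k.key" 2>/dev/null
done
# Only this CSR (never the key) would be submitted to the CA.
openssl req -new -key "$demo/site.key" -subj "/CN=example.test" \
    -out "$demo/site.csr" 2>/dev/null
# Self-signed stand-in for the certificate a CA would return for the CSR.
openssl x509 -req -in "$demo/site.csr" -signkey "$demo/site.key" -days 1 \
    -out "$demo/site.crt" 2>/dev/null

for k in site other; do
    if same_key key "$demo/$k.key" cert "$demo/site.crt"; then
        echo "$k.key: matches site.crt"
    else
        echo "$k.key: MISMATCH with site.crt"
    fi
done
```

Running the same comparison on the CSR before submitting it, and on the certificate when it comes back, shows on which side a mismatch was introduced.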