[TriLUG] SSL Certs
Brian McCullough
bdmc at bdmcc-us.com
Fri Oct 22 23:22:47 EDT 2004
On Fri, Oct 22, 2004 at 04:20:13PM -0400, Joseph Tate wrote:
> On Fri, 22 Oct 2004 15:55:42 -0400, Steve Hoffman <srhoffman at gmail.com> wrote:
> >
> > Thanks for all the comments, I did talk to Verisign (who's
> > outrageously overpriced by the way) and they have a 30 return policy
> > so they said I could buy it, then return it for the Linux equivalent,
> > but that seems like more trouble than it's worth to just wait for the
> > new machines, I passed that info on to mgmt and they agreed. So look
> > for another post when the new machines get here and I'm pulling my
> > hair out trying to get my cert :-)
> >
>
> We did all that hassle, and ended up with a regular 128bit cert from
> Thawte. At one point we shifted from Windows to Linux without any
> hassles just had to download the different format cert. This was
>
> With that said, it's interesting to note that Thawte is owned by
> Verisign, but they seem to be a lot more "fair" in their pricing and
> treatment of customers. They also have an office in Raleigh, which is
> a plus when validating due diligence like domain ownership, etc.

Unfortunately, they seem to have closed their local office (was on Six
Forks just up from Staples and Intrex) and so it's back to 800-land. If
their SSL certificates are anything like their e-mail certificates, you
can download any flavor you like whenever you like, of a particular
certificate.

On the other hand, I might suggest looking into CAcert.org as another
possible alternative. (one of the less-expensive versions)

Brian

>
> If you do go the Thawte route, don't bother with the super certs
> unless your application requires 128 bit or better SSL encryption.
> Thawte's supercerts supposedly can allow browsers with only 40 bit ssl
> support to connect at full 128 bit strength. I have no way to
> validate this claim. For this capability you will nearly double the
> cost of the cert.
>
> A word of warning to those wishing to use freessl or other
> chained-certs, they're incrementally harder to implement because they
> require setting up certificate chains on the server. This is why
> they're not supported on old browsers (can't follow certificate
> chains). Thawte and Verisign do not have this requirement, so are
> supported on old browsers as well as modern.
>
> </beentheredonethat>
>
> --
> Joseph Tate
> Personal e-mail: jtate AT dragonstrider DOT com
> Web: http://www.dragonstrider.com