[TriLUG] Server Certificates and Wild Cards

Mauricio Tavares via TriLUG trilug at trilug.org
Tue Jan 31 11:28:06 EST 2017


On Tue, Jan 31, 2017 at 11:11 AM, Igor Partola via TriLUG
<trilug at trilug.org> wrote:
> Paying more than free for regular TLS (formerly known as SSL) certs should
> now be considered a luxury. I deal with this stuff very frequently and here
> is the breakdown for those who aren't up to date:
>
> Terminology:
>
>  * Regular certs - certs that cover one or more domain names known ahead of
> time.
>  * Wildcard certs - certs that cover all subdomains of a known domain name.
>  * EV certs - certs that cover not just your domain name(s) but also your
> legal entity.
>
> Free regular certs: Let's Encrypt (https://letsencrypt.org/) now provides
> free certs. Tools exist to automatically update these certs, so after your
> initial setup, you will basically never have to renew anything again. This
> is a great option 99% of the time, and you should use it. If your needs are
> simple, check out Caddy (https://caddyserver.com/) which is a web server
> with automatic Let's Encrypt integration. Let me know if you want pointers
> on how to get LE going with nginx.
>
> Paid regular certs: if for whatever reason you like paying money and having
> the hassle of renewing regular certificates on a yearly basis, this is the
> choice for you. If you are paying more than $9/year for these, you are
> getting ripped off. There is NO DIFFERENCE, technical or as far as browser
> support, between a $9/year Namecheap certificate and a $500/year VeriSign
> one (or a free LE one).
>
> Wildcard certs: LE does not (yet) issue wildcard certificates. This is not
> a problem usually since they will issue basically unlimited certificates
> for you, but if you run something like Tumblr.com and want *.tumblr.com to
> always work, you need this. Typical price for this is somewhere in the
> $50-$90 range. Paying more than that doesn't buy you anything at all, just
> like the regular paid certs above.
>
> EV certs: this is a very special case which the CAs try to push. If you go
> this route, the CA will validate not just your domain, but that you are the
> business entity you say you are. The price range for this is high $100s to
> $1000s because of the significant amount of work that goes into this. You
> most likely DO NOT NEED THIS. If you run an online bank or similar, this is
> something to consider. Otherwise, avoid it and save your money.
>
> "But Igor" I hear you say "Let's Encrypt sounds like a single point of
> failure. Are there alternatives?" There used to be. StartTLS used to
> provide free certs before it was cool, and so did the Chinese WoSign.
> Unfortunately, WoSign secretly bought StartTLS, and both have been involved
> in shady behavior. They fell out of favor with the security community and
> should not be used.
>
> Let's Encrypt is backed by some very large players, including the Linux
> Foundation. They are now considered legacy internet infrastructure and lots
> of major websites rely on them. Don't be afraid to use them. I believe soon
> enough competitors that implement the same cert issuance/renewal protocol
> will pop up, but LE is already more than good. Use it.
>
      So, what happened to cacert?

> Igor
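The terminology in the quoted post (a "regular" cert names its hosts ahead of time, a wildcard cert covers subdomains) hides one practical detail that matters when you decide whether you actually need a wildcard: browsers let a `*` match exactly one label, so `*.tumblr.com` covers `blog.tumblr.com` but neither `tumblr.com` itself nor `a.b.tumblr.com`. The following is an added example, not code from the post or from Let's Encrypt; it implements those matching rules against the `subjectAltName` dict shape that Python's `ssl.getpeercert()` returns, using two constructed sample certificates rather than real ones.

```python
"""Classify a certificate as regular or wildcard and check which hostnames it
covers.  The matching rules are the ones browsers enforce (RFC 6125 style):
'*' must be the whole left-most label, it matches exactly one label, and a
wildcard needs at least two labels after it (so '*.com' is never valid)."""


def _match_dns_name(pattern, hostname):
    """Return True if one dNSName SAN entry covers hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only allowed as the entire first label, e.g. '*.example.com'
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as '*.com'
    if len(p_labels) < 3:
        return False
    # '*' stands for exactly one label: label counts must be equal,
    # which rules out both the apex name and deeper subdomains
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def san_dns_names(peercert):
    """Pull the dNSName entries out of the dict shape ssl.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def cert_kind(peercert):
    """'wildcard' if any SAN starts with '*.', otherwise 'regular'."""
    return "wildcard" if any(n.startswith("*.") for n in san_dns_names(peercert)) else "regular"


def covered_hostnames(san_names, hostnames):
    """Map each hostname to whether at least one SAN entry covers it."""
    return {h: any(_match_dns_name(p, h) for p in san_names) for h in hostnames}


# Constructed sample certificates (hypothetical, not real issued certs) in the
# dict shape ssl.getpeercert() produces.  Issuers usually add the apex name as a
# second SAN on wildcard certs precisely because '*.tumblr.com' alone does not
# cover 'tumblr.com'; WILDCARD_CERT leaves it out to make that gap visible.
REGULAR_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.tumblr.com"),),),
    "subjectAltName": (("DNS", "*.tumblr.com"),),
}

if __name__ == "__main__":
    for cert in (REGULAR_CERT, WILDCARD_CERT):
        names = san_dns_names(cert)
        print(cert_kind(cert), names)
        probe = ["example.com", "www.example.com", "mail.example.com",
                 "tumblr.com", "blog.tumblr.com", "a.b.tumblr.com"]
        for host, ok in covered_hostnames(names, probe).items():
            print(f"  {host:18} {'covered' if ok else 'NOT covered'}")
```

Feed `ssl.getpeercert()` output from a real connection into `san_dns_names()` and `covered_hostnames()` to audit what a deployed certificate actually protects before buying a wildcard; a regular Let's Encrypt cert listing every hostname as a SAN covers the same set of hosts, as long as that set is known in advance.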

