Where to get my SSL Certificate

Q™

I'd like to install an SSL Certificate on our server and I don't know the first thing about the process, but I'd like to start with where the "best place" might be for me to purchase the certificate.

I know. Another "what's the best..." post. But I gotta start somewhere, eh?
 
for a signed cert trusted by all the browsers, you gotta have a domain on your server that's registered to you..

otherwise, create your own Certificate Authority, Generate your own Certificates, and install your CA on your devices.. I like using XCA for managing my own Certificate Authority.
 
Thanks @nayr. I'm just beginning to understand this stuff; much appreciated.
 
If you need the SSL certificate for encryption only, you can go the route nayr suggests, or google "self signed certificates" or "openssl". You can create your own for free. If you need both encryption and identity verification (public facing site), a good place to start might be https://www.startssl.com. You can get an SSL certificate for free from them. They are pretty easy to use and you can start experimenting right off the bat.
 
This site provides some reviews for public Certificate Authorities (CA): https://www.sslshopper.com/certificate-authority-reviews.html Verisign used to be the gold standard, but they were purchased by Symantec. Back in May there was some noise about their misuse of their signing authority to sign an Intermediate CA cert given to BlueCoat, giving them the ability to snoop on encrypted traffic as a man-in-the-middle. They since purchased BlueCoat as well. At $400 bucks a year, I'm not sure the "gold standard" is worth it for a home server.

If you like to read, check out the book "Bulletproof SSL and TLS" by Ivan Ristic.
 
startssl is about to get their asses revoked from Chrome; surprised you recommended em.

http://www.csoonline.com/article/31...untrust-wosign-and-startcom-certificates.html

Self Generated Certs can easily be more secure than any paid certificates when you are your own audience; the only reason to buy 3rd party certs is if you're trying to convince the general public you are who you claim to be.

If it's a service/network that you are using exclusively; you can trust your own CA a lot more than say one in Iran issuing a cert for your server.
 
Well, as I learn more I realize that I do need a public certificate from a trusted certificate authority. Any recommendations besides StartSSL.com? (thanks for the info BTW @rotowash...sincerely appreciated bro!)

How about https://www.digicert.com? Not too expensive...not too cheap...and I read some good reviews on SSLShopper (which I'm not certain are legitimate).
 
Thanks Brian...I believe that I'd prefer to pay a certificate authority yearly.
 
startssl is about to get their asses revoked from Chrome; surprised you recommended em.

http://www.csoonline.com/article/31...untrust-wosign-and-startcom-certificates.html

Self Generated Certs can easily be more secure than any paid certificates when you are your own audience; the only reason to buy 3rd party certs is if you're trying to convince the general public you are who you claim to be.

If it's a service/network that you are using exclusively; you can trust your own CA a lot more than say one in Iran issuing a cert for your server.

This is good to know. I have not used them in a year or two. Thanks for the education!
 
I use NameCheap. They seem to work -- haven't had any issues. Support was decent as well when I used it. I went with NameCheap mostly because I already had my domain registered through them and utilize DDNS with them.

If this was strictly for CCTV, I'd look into generating your own certs. All that happens upon connecting for the first time on a device is a warning about trusting the source. The only reason I went with a CA is because I have a web server with Nextcloud running on my LAN (think Dropbox, except I own it with no monthly costs and my storage is limited only by what drives I shove in the server). I've found an alarming amount of use for it, so I pay the few-bucks-a-year for the CA cert to keep the self-signed cert warning at bay for folks who connect that aren't me (friends, family, a local business I work with for ease of uploading items to me for managing their site, etc). The bonus is this works with my CCTV setup by default given I already had this set up before even adding CCTV into the mix.

I don't have much experience with other CAs though, but best I can say is NameCheap hasn't given me much reason to look into moving elsewhere.
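
The "create your own CA, generate your own certificates, install your CA on your devices" route suggested in the thread, as an added example that is not from any of the posters. It uses the openssl command line (1.1.0 or later assumed) instead of XCA, and every name in it (Example Home CA, cam.home.example, 192.0.2.10, the function names) is a constructed placeholder.

```shell
#!/bin/sh
# Added example: private CA + server certificate using the openssl CLI.
# All names (Example Home CA, cam.home.example, 192.0.2.10) are constructed placeholders.
set -eu

new_key() {  # $1 = output path; P-256 key, created owner-readable only
    ( umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$1" )
}

make_ca() {  # $1 = directory that will hold ca.key / ca.crt
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    new_key "$1/ca.key"
    # Self-signed root: ca.crt is the file you install as trusted on your own devices.
    openssl req -x509 -new -config "$1/ca.cnf" -extensions v3_ca -key "$1/ca.key" \
        -subj "/CN=Example Home CA" -sha256 -days 1825 -out "$1/ca.crt"
}

issue_cert() {  # $1 = CA directory, $2 = DNS name, $3 = IP address
    new_key "$1/$2.key"
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    # Browsers match on subjectAltName, not CN, so the SAN list is mandatory.
    printf '%s\n' "basicConstraints = CA:FALSE" \
        "keyUsage = critical,digitalSignature" "extendedKeyUsage = serverAuth" \
        "subjectAltName = DNS:$2,IP:$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -sha256 -days 397 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

check_cert() {  # $1 = CA certificate, $2 = server certificate, $3 = expected hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
make_ca "$demo"
issue_cert "$demo" cam.home.example 192.0.2.10
check_cert "$demo/ca.crt" "$demo/cam.home.example.crt" cam.home.example && echo "trusted: $demo"
```

Only `ca.crt` is copied to client devices; `ca.key` stays on the machine that signs, since anyone holding it can issue certificates those devices will accept.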