Buying an SSL certificate

By Abhijit Menon-Sen <ams@toroid.org>

2012-02-29

The downside of always using SSL for web sites that require authentication is the need to buy SSL certificates. I usually don't need anything stronger than "domain validation" (which assures you that you're talking to the server you think you're talking to, but says nothing about how trustworthy that server may be). I'm not a fan of the current PKI, but there are now many more choices for cheap SSL certificates than there were a few years ago.

The last time I bought a "proper" certificate was early last year, when I upgraded the FreeSSL 30-day trial certificate I was using in development to a RapidSSL certificate for production. That was fast and painless, and cost about $40. (I've also used RapidSSL a few years before that.)

Recently, I learned that Namecheap (to whom I have now transferred all my domains from GoDaddy) is a reseller for various SSL certificate providers, including GeoTrust (the CA behind RapidSSL). Their pricing is very attractive, and I ordered a three-year RapidSSL certificate for $9.95/year today. That was fast and painless too (and it didn't include the phone verification step that my earlier RapidSSL purchases did).

I'm happy with RapidSSL so far, but I still look forward to the day when I can distribute encryption-only certificates through the DNS.