Where to get my SSL Certificate

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,989
Location
Megatroplis, USA
I'd like to install an SSL Certificate on our server and I don't know the first thing about the process, but I'd like to start with where the "best place" might be for me to purchase the certificate.

I know. Another "what's the best..." post. But I gotta start somewhere, eh?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
for a signed cert trusted by all the browsers, you gotta have a domain on your server that's registered to you..

otherwise, create your own Certificate Authority, Generate your own Certificates, and install your CA on your devices.. I like using XCA for managing my own Certificate Authority.
 

Q™

Thanks @nayr. I'm just beginning to understand this stuff; much appreciated.
 

rotorwash

Getting the hang of it
Joined
Aug 22, 2016
Messages
103
Reaction score
20
Location
NE PA
If you need the SSL certificate for encryption only, you can go the route nayr suggests, or google "self signed certificates" or "openssl". You can create your own for free. If you need both encryption and identity verification (public facing site), a good place to start might be https://www.startssl.com. You can get an SSL certificate for free from them. They are pretty easy to use and you can start experimenting right off the bat.
 

rotorwash

This site provides some reviews for public Certificate Authorities (CA): https://www.sslshopper.com/certificate-authority-reviews.html Verisign used to be the gold standard, but they were purchased by Symantec. Back in May there was some noise about their misuse of their signing authority to sign an Intermediate CA cert given to BlueCoat, giving them the ability to snoop on encrypted traffic as a man-in-the-middle. They since purchased BlueCoat as well. At $400 bucks a year, I'm not sure the "gold standard" is worth it for a home server.

If you like to read, check out the book "Bulletproof SSL and TLS" by Ivan Ristic.
 

nayr

startssl is about to get their asses revoked from Chrome; surprised you recommended em.

http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html

Self Generated Certs can easily be more secure than any paid certificates when you are your own audience; the only reason to buy 3rd party certs is if you're trying to convince the general public you are who you claim to be.

If it's a service/network that you are using exclusively; you can trust your own CA a lot more than say one in iran issuing a cert for your server.
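
The private-CA route nayr describes (your own Certificate Authority, your own certificates, the CA installed on your devices) can also be done with the openssl command line rotorwash mentions. The script below is an added example, not part of any post in this thread; the CA name, the host name nvr.home.example, the address 192.168.1.50 and the 397-day lifetime are constructed values.

```shell
#!/usr/bin/env bash
# Added example: private CA issuing one server certificate with OpenSSL.
# Constructed names: "Home Lab Root CA", nvr.home.example, 192.168.1.50.

make_ca() {   # $1 = directory; ca.key never leaves the admin machine
  mkdir -p "$1" && cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:3072 -nodes -sha256 \
    -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  chmod 600 "$1/ca.key"
}

issue_server_cert() {   # $1 = directory, $2 = DNS name, $3 = IP address
  # Browsers match the subjectAltName, not the CN, so list every name used.
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$2, IP:$3" > "$1/server.ext"
  openssl req -new -config "$1/ca.cnf" -subj "/CN=$2" -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$1/server.ext" \
    -out "$1/server.crt" 2>/dev/null
}

verify_server_cert() {  # $1 = directory, $2 = name the client will connect to
  # Succeeds only if the chain leads to our CA AND the name is in the SAN.
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
    "$1/server.crt" >/dev/null 2>&1
}

expires_within_days() { # $1 = certificate, $2 = days; exit 0 if renewal is due
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```

Only ca.crt is copied to the phones and PCs that should trust the server; server.key and server.crt go on the server, and ca.key stays on the machine that issues certificates.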
 

Q™

Well, as I learn more I realize that I do need a public certificate from a trusted certificate authority. Any recommendations besides StartSSL.com? (thanks for the info BTW @rotorwash...sincerely appreciated bro!)

How about https://www.digicert.com? Not too expensive...not too cheap...and I read some good reviews on SSLShopper (which I'm not certain are legitimate).
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,007
Location
USA
This one is free and popular, though the certificates expire after 90 days and need to be renewed, which means you need to have automated renewals or it is a pain in the butt.

https://letsencrypt.org/
 

Q™

Thanks Brian...I believe that I'd prefer to pay a certificate authority yearly.
 

rotorwash

> startssl is about to get their asses revoked from Chrome; surprised you recommended em.
>
> http://www.csoonline.com/article/3137181/security/google-to-untrust-wosign-and-startcom-certificates.html
>
> Self Generated Certs can easily be more secure than any paid certificates when you are your own audience; the only reason to buy 3rd party certs is if you're trying to convince the general public you are who you claim to be.
>
> If it's a service/network that you are using exclusively; you can trust your own CA a lot more than say one in iran issuing a cert for your server.

This is good to know. I have not used them in a year or two. Thanks for the education!
 

h901

Getting the hang of it
Joined
Apr 1, 2016
Messages
148
Reaction score
3
Location
London
Is this related to CCTV, or just generally?

If for CCTV, what way would you use this?
 

jasauders

Getting the hang of it
Joined
Sep 26, 2015
Messages
214
Reaction score
56
I use NameCheap. They seem to work -- haven't had any issues. Support was decent as well when I used it. I went with NameCheap mostly because I already had my domain registered through them and utilize DDNS with them.

If this was strictly for CCTV, I'd look into generating your own certs. All that happens upon connecting for the first time on a device is a warning about trusting the source. The only reason I went with a CA is because I have a web server with Nextcloud running on my LAN (think Dropbox, except I own it with no monthly costs and my storage is limited only by what drives I shove in the server). I've found an alarming amount of use for it, so I pay the few-bucks-a-year for the CA cert to keep the self-signed cert warning at bay for folks who connect that aren't me (friends, family, a local business I work with for ease of uploading items to me for managing their site, etc). The bonus is this works with my CCTV setup by default given I already had this set up before even adding CCTV into the mix.

I don't have much experience with other CAs though, but best I can say is NameCheap hasn't given me much reason to look into moving elsewhere.
 