Shared SSL or Private SSL


susansavad
04-29-2004, 10:20 AM
We are in the process of setting up a shopping cart and I was wondering about the experiences of other merchants with their SSL Certificates.

I was told that some stores start out with a shared SSL certificate and find that their customers don't have confidence in it and they wind up getting a private SSL certificate.

Has anyone on the forum found this to be true? Has anyone had any bad experiences with shared certificates?

Also, someone recommended InstantSSL.com as a place to get a private certificate inexpensively (their lowest product is $49 a year). Has anyone had any experience with them?

Finally, I was wondering why there is such a difference in price among different SSL Certificate providers. I was on some websites yesterday and Verisign wants $349 per year, Thawte wanted $199.00 per year, and Equifax which has been bought by GeoTrust, Inc. wants $159 per year. Are you getting something special or extra for all this extra money? Or, can you safely go with the cheapest one?

Thanks everyone for any insight you can give me about this.

Susan

Buck
04-29-2004, 11:32 AM
We had a shared certificate (using Future Quest's services), and I can say that I had lots of people gripe about the warning they got (Certificate name doesn't match, etc.). If the visitor would take 20 seconds to look, they could see that it was a legit certificate, but for the most part, they never did.

We finally went with our own SSL Cert, just to make them happy. We're using the GeoTrust Premium SSL, and have had no problems with them/it.

susansavad
04-29-2004, 11:44 AM
Thanks Buck.

This was just the information I needed to take to my boss this morning.

Susan

dank
04-29-2004, 02:30 PM
I've had a shared cert for about half a year now and haven't received a single complaint.

Dan

susansavad
04-29-2004, 03:04 PM
Thanks for your input Dank. I'll tell my boss everything I've learned.

Susan

Matt
04-29-2004, 04:41 PM
Hi Susan,

If you call the secure site properly with a shared cert issued by a certifying authority, you shouldn't get the warning about certificate name not matching domain name. Here at Futurequest, shared certs are set up to be called via https://xmydomain.merchantquest.net but can also be called via https://www.mydomain.com. The latter will work, but will put up a warning because mydomain.com doesn't match the certificate issued to merchantquest.net.

If you're setting up an e-commerce web site complete with shopping cart and you know sales are going to start strong (or your budget allows), start with a good dedicated cert from Thawte or Verisign. Otherwise, get the shared cert. It will let you build your site for secure transactions and later update to a dedicated cert if the need arises.

-Matt

Bob
04-29-2004, 04:55 PM
Originally posted by Matt:
Hi Susan,

If you call the secure site properly with a shared cert issued by a certifying authority, you shouldn't get the warning about certificate name not matching domain name.

Actually it does depend on Browser used and security settings for that browser as I use Firefox and I always get a security warning when accessing a Shared Cert site...

"You have attempted to establish a connection with "xexample.merchantquest.net". However the security certificate presented belongs to "*MerchantQuest.net". It is possible, though unlikely, that someone may be trying to intercept your communication with this web site.

If you suspect the certificate shown does not belong to "xexample.merchantquest.net", please cancel the connection and notify the site administrator."

-Bob

- Full disclosure... :sprint: -
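Added example, not part of any post in this thread and not FutureQuest's or any browser's own code: a simplified certificate name check in the style of RFC 6125, run against the host names Matt and Bob mention above. The wildcard form `*.merchantquest.net` and the helper names are assumptions made for illustration.

```python
# Added example: simplified certificate-name matching (RFC 6125 style).
# Host names are the ones used in the thread; "*.merchantquest.net" is an
# assumed wildcard form for the shared certificate.

def _labels(name):
    """Lower-case a DNS name and split it into labels."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, host):
    """Return True if a certificate name (pattern) covers host.

    A wildcard is honoured only as the entire left-most label and
    stands for exactly one label, never for several or for none.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # require at least two fixed labels after the wildcard (no "*.net")
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or misplaced wildcard: reject
    return p == h

def check(cert_names, host):
    """Mimic the browser decision for one requested host name."""
    if any(name_matches(n, host) for n in cert_names):
        return "ok"
    return "name mismatch warning"

SHARED_CERT = ["*.merchantquest.net"]   # assumed shared wildcard cert
DEDICATED_CERT = ["www.mydomain.com"]   # a dedicated cert for one name

if __name__ == "__main__":
    for host in ("xmydomain.merchantquest.net", "www.mydomain.com",
                 "merchantquest.net", "a.b.merchantquest.net"):
        print(f"{host:30} shared: {check(SHARED_CERT, host)}")
    print(f"{'www.mydomain.com':30} dedicated: "
          f"{check(DEDICATED_CERT, 'www.mydomain.com')}")
```

The same check explains why a dedicated certificate issued for `www.mydomain.com` does not cover the bare `mydomain.com` unless that name is also listed in the certificate.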

susansavad
04-29-2004, 05:03 PM
I think my boss is leaning towards Verisign or Thawte. The shopping cart we are developing is the staging ground for an already established site from which we are already getting sales. As each section is finished, I plan to link the pages from the old site to the new site so that they can start using the cart right away.

While I was doing research on SSL certificates today, I found out that Thawte is actually a subsidiary of VeriSign (both sites have this information as part of the company's history). Since this is the case, I wonder why VeriSign is so much more money than Thawte.

Does anyone know of a reason why VeriSign is worth so much more money? Right now I was thinking I would advise my boss to use Thawte.

Susan

Matt
04-29-2004, 05:38 PM
Originally posted by Bob:
Actually it does depend on Browser used and security settings for that browser as I use Firefox and I always get a security warning when accessing a Shared Cert site...

Notice how I carefully used the disclaimer "shouldn't," rather than "won't" (as in your computer shouldn't crash, not it won't crash)? :P Seriously though, browsers can throw warning signs up for any number of reasons (including the case where you're about to enter a secure web site). Even dedicated and 100% legitimate certs can trigger alarms with some browsers. Certifying companies also do sometimes make mistakes: Thawte was sending alerts to some SSL cert owners not too long ago requiring that certificates be re-issued as there was a problem on their end (apparently issued some overlapping certs).