Purchasing a SSL for the first time

[lbeachmike]

Hey there -

I've never purchased an SSL before. I am going to be purchasing one on behalf of a customer and I need to know what is required to purchase one. I'd followed a link on the forum from a similar question, and it referred to a site which was requiring a $50 fee to obtain an authorization of some sort to proceed to purchase an SSL certificate - actually, it was referred to as a CSR - Certificate Signing Request.

Is this a standard requirement? Or is this just the process through that particular vendor?

I'm not sure I fully understand the whole process and I'm looking for it to be greatly simplified, or for a reference to some really solid easy-to-follow information.

Thanks.

Mike

[Terra]

The easiest way to do this is contact Rich Shockney:
support (at) RSmarketing.com

He is handling many of our site owners SSL creation details, and works closely with me after the process is done...

It is a paid service, however the cost is well worth the prevention of hair loss trying to consume all the SSL acronyms and buzzwords...

If you would like to read more about this, study the following in depth:
http://www.modssl.org/docs/2.8/ssl_overview.html

Those docs need to be consumed from beginning to end, and not just lightly skimmed over...

--
Terra
--SSL even turns my brain inside out--
FutureQuest

[Rich]

Keep in mind that although you can START the process of obtaining an SSL certificate for your client, you cannot get one on their behalf. The certificate assures visitors that the Web site being visited is really and truly owned and operated by the company that claims to operate the Web site. Because of this, during the certificate application process, the Certifying Authority will confirm that the applying orgainization controls the domain name and will usually include actually contacting the individuals and references provided.

You can also find additional information in the www.aota.net tutorials like this one:

http://www.aota.net/E-Commerce/securecert.php4

Drop me a note if you have additional questions or if you would like to discuss how best to handle this for your client.

Rich

[lbeachmike]

Hey Guys -

Thanx for the helpful info - let me clarify something, perhaps ......

The client is not yet hosted here. I am hoping to get the client over here, but it is not a given that I'll be able to move their site here.

With consideration for that, is RSMarketing a solution directed only for FutureQuest hosted accounts? Or is this a generic need to generate the CSR?

I am only half the picture, and will not be configuring and setting up the SSL. I was basically looking to purchase it on their behalf. Somebody else will be configuring it currently. I am essentially trying to help them out and win over their account for future maint/hosting management. I can get the SSL cert discounted from Verisign, and they were not even aware of Thawte, Equifax as options.

Another question would be whether or not there's any difference in complexity of setup dependent upon who the SSL cert is purchased from.....

Thanks for any info.

Mike

[Rich]

Quote:

With consideration for that, is RSMarketing a solution directed only for FutureQuest hosted accounts? Or is this a generic need to generate the CSR?

As indicated on the CSR Order Page (www.rsmarketing.com/cert/futurequest/), the CSR generated by RS Marketing for FutureQuest accounts is only compatible with FutureQuest servers. (Certificates are tied very close with the hardware and OS infrastructure on which they are used.)

Quote:

Another question would be whether or not there's any difference in complexity of setup dependent upon who the SSL cert is purchased from

In general, you will need to make sure you choose a provider that is compatible with your Web host. All the technical issues are handled by the System Administrators, so you won't need to worry about this.

Rich
-- "Is it safe?"

[lbeachmike]

When I asked:

Quote:

Originally posted by lbeachmike:

Another question would be whether or not there's any difference in complexity of setup dependent upon who the SSL cert is purchased from

... I was referring to the choice of using Verisign, Equifax or Thawte - one of those being the "provider" of the SSL certificate.

Is there a difference in which one of those guys I choose as it will relate to ease of setup, ease of transferring to a different domain later if necessary, etc.

Thanx.

Mike

[Rich]

Quote:

Is there a difference in which one of those guys I choose as it will relate to ease of setup, ease of transferring to a different domain later if necessary, etc.

Sorry Mike, I mis-interpreted the question.

The page I referenced above shows a table highlighting some of the differences between the different Certifying Authorities.

Certificates are issued to an organization for a single domain and are non-transferable.

Here are the major factors that will be involved in your purchasing decision:

• Type and amount of documentation required
• Time to underwrite and issue certificate
• Cost
• Quality of Customer service and support

It seems that lately the policies regarding the first two items are constantly changing at all the CA's which means it can take a couple days to a few weeks to obtain a certificate. A large factor in this time is how easily assessible the references are so that information can be confirmed.

I have noticed that the applications that seem to take the longest are those where the same person is listed for all the different contacts requested. The more 'third parties' that are involved, the easier it is to underwrite an application.

Hope this helps.

[lbeachmike]

Actually, my questions still remain unanswered ..... I still may not have been clear, and I definitely mis-spoke in what part of my question.

I referred to moving a certificate to a different "domain" - I had meant to ask about moving it to a different host - probably a little sleepy when I typed that out

My question, very specifically is:

Which company is easiest to work with out of the three you've mentioned:

Verisign
Equifax
Thawte

Which one has the best customer service, the best responsiveness, ability to answer questions and assist in the process, the ability to support moving the certificate to a different host, etc.

The pricing and features are straightforward.

You talk about considering the type and documentation required, the turnaround time, the level of customer support, etc.

However, I've not done any work with any of these companies on this. Apparently this is your area of expertise and experience, so I'm therefore asking you to advise of your experiences. Have you found one particular company particularly easy to work with? Which is easiest in terms of the amount of information/documentation required, and which one has the smoothest overall operations/support/etc.?

Which one would you recommend that your friends and family use?

Thanx.

Mike

[Rich]

Quote:

Which one has the best customer service, the best responsiveness, ability to answer questions and assist in the process, the ability to support moving the certificate to a different host, etc.

Relating to customer service and responsiveness, etc., unfortunately I believe the true answer here is 'none of the above'. I have heard very conflicting reports in this area. Some people, not happy with past Verisign service have reported switching to Thawte and gotten better service while others that were not happy with Thawte service have reported switching to Verisign and received better service.

Perhaps others who have recently applied for or renewed a cert can respond here regarding their choices.

I personally don't interface with these organizations any more than the typical domain owner, only doing so when I need to renew a cert. I have dealt personally with both Thawte and Verisign and personally use only Verisign now for all my certs. While the price is higher than the other options, it has been my experience, overall, that Verisign gives *me* generally better service. Your mileage may vary, however.

Regarding moving a cert from one host to another, this is usually not done. While technically this is capable in SOME cases, all of the following must be true:

(1) Both hosts must have the same infrastructure-- same OS and version, same Web server and version, same SSL package and version.

(2) The 'from' host must be willing to send you both the cert and secure key via PGP.

(3) You must have PGP to both receive and send the cert and secure key.

(4) The 'to' host must be willing to receive the cert and secure key from you directly via PGP.

It is probably best to consider a certificate non-transferrable in terms of organization, domain, and host provider.