Donna Johnson
What vendors of external Certificate Authorities do you recommend for libraries to purchase? Should we query certificate vendors that are free? Usually if they are free, they won't provide support.

We have two, possibly three, internal URLs we need certificates for. What types of certificates should we purchase? Should we query certificate vendors that are free? Usually if they are free, they won't provide support, correct? One URL is a web server and the second is an email server. The email server is also accessible by URL. Thanks

Hypercat (Deb)

IMO it's best to use a known reliable provider that offers support.  I've never used a free certificate, so I can't comment on any of those options. GoDaddy is my current provider of choice.  I've never had a problem with them and they have telephone support as well as an on-line help section of the website.

You'll want to purchase a single certificate that covers multiple URLs, since you have more than one.  These are known as SAN or UCC certificates. GoDaddy (as well as other providers) offers one that covers up to 5 URLs.  When you purchase a SAN/UCC certificate, there are certain steps you need to do to apply the certificate to more than one server.  If you're not familiar with this process, I think you can most likely find instructions in the Help section of the provider's website. Or post back here for assistance.

BTW, just a note: If you're using a Microsoft Exchange email server, you have more than one URL just for the Exchange server itself.
Some companies like VeriSign or Thawte offer a warranty that gives you some coverage if there is a data breach (you will need to read the details of each one if you are interested, as the details are too much to cover here).
There are several types of certificates, such as Extended Validation, SAN, etc., but as for the certificates themselves there are different key lengths: 512, 1024, 2048. NIST guidelines mandate that all SSL certificates must be of at least 2048-bit key length.

That said, a certificate is still just a certificate regardless of the vendor that provides it (although you probably want to avoid no-name providers, as you need to trust the integrity of the vendor). You may want to check out as they are cheaper than the big-name vendors but still offer most of the same benefits.
In my opinion, where the vendor comes in is whether it is in the trusted root certificate list or not, and whether your environment requires a warranty.
Paid certificates come with a warranty & logo.
I'm using Comodo for paid certificates.
I found it always time consuming and it adds a lot of stress to renew them manually, and it may be complicated in some cases.
(Sometimes I end up temporarily installing Let's Encrypt when a paid certificate renewal fails for a technical reason.)
So now when I pay for an SSL certificate I use the 3-year option (and it has not required me to regenerate anything until now).

Most of the time I use Let's Encrypt (free), which renews automatically.
I have a Let's Encrypt setup on Windows Server & IIS; I'm using Certify The Web to manage it.
I have some Let's Encrypt & Comodo setups at my shared hosting company.

*In any case it requires some monitoring to make sure it renewed, or time to request renewal...
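The kind of monitoring this answer mentions can be scripted. The following is an added example, not code posted by anyone in this thread: it takes a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, checks that every hostname you need (the SAN/UCC point raised above) is covered by a DNS SAN entry, and reports how many days remain before expiry so a failed auto-renewal is noticed before the cert lapses. The hostnames and the sample certificate are constructed for the offline demo; `fetch_cert` is the live path you would point at your own web and mail servers.

```python
"""Check a server certificate for SAN coverage and upcoming expiry.

Added example (not from the thread). Runs offline against a constructed
certificate dict; fetch_cert() retrieves a real one over TLS.
"""
import socket
import ssl
import time

# Constructed hostnames standing in for the asker's web and mail servers.
REQUIRED_HOSTS = ["www.example-library.org", "mail.example-library.org"]

# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-library.org"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2025 GMT",
    "subjectAltName": (
        ("DNS", "www.example-library.org"),
        ("DNS", "*.example-library.org"),
    ),
}


def utc_seconds(cert_time):
    """Convert a certificate timestamp string to seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert_time)


def san_names(cert):
    """Return the DNS names listed in the certificate's subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Match a SAN entry against a hostname; a wildcard covers one label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def uncovered_hosts(cert, required):
    """Hostnames from `required` that no SAN entry in `cert` covers."""
    names = san_names(cert)
    return [h for h in required if not any(name_matches(n, h) for n in names)]


def days_until_expiry(cert, now=None):
    """Days (float) until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (utc_seconds(cert["notAfter"]) - now) / 86400


def check_cert(cert, required, now=None, warn_days=30):
    """Return a list of problems; an empty list means the cert is fine for now."""
    problems = []
    missing = uncovered_hosts(cert, required)
    if missing:
        problems.append("not covered by SAN: " + ", ".join(missing))
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append(f"expired {-days:.0f} days ago")
    elif days < warn_days:
        problems.append(f"expires in {days:.0f} days")
    return problems


def fetch_cert(host, port=443):
    """Fetch the live certificate presented by host:port (network path)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demo: evaluate the constructed cert as if today were 15 Feb 2025.
    pretend_now = utc_seconds("Feb 15 00:00:00 2025 GMT")
    for problem in check_cert(SAMPLE_CERT, REQUIRED_HOSTS, now=pretend_now):
        print("WARNING:", problem)
```

Run it from cron or a scheduled task against each host with `fetch_cert` and alert on a non-empty result; the `now` parameter exists only so the check is deterministic when tested. For a mail server, pass the SMTP/IMAP port and wrap after STARTTLS instead of connecting on 443.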
Just reading your title again...

Specific answers...

1) What vendors of external Certificate Authorities do you recommend for libraries to purchase?

There are no paid libraries to purchase.

2) Should we query certificate vendors that are free?

Use free for your certs + you'll be good. See EE URL above for setup + auto-renewal details.

3) Usually if they are free, they won't provide support.

No cert provider provides any type of support.

Certs... just work... it's a go/no-go situation...

If you've set up the cert correctly, say in Apache or OpenSMTPD or Dovecot or MariaDB, then the connection is encrypted.

Incorrect setups are... difficult to achieve, as you'll almost always get some startup warning from the server about problems.

Like with Apache, if you have an incorrect cert path, then Apache simply won't start.

@David, about point 3, I do not totally agree.

I'm getting support for the paid certificate from the provider and from the reseller.
As sometimes problems may occur during the renewal or when the cert gets generated the first time.
There are many steps to generate the certificate and sometimes a file gets corrupt, the server changes, sometimes it just doesn't renew and we need to start over, or we do something wrong..
Sometimes I don't receive the confirmation file because of the email, etc.
They will also provide support on how to generate the code and install the files.

Of course when the cert is installed it should work fine and no support will be required until the next renewal.

The problem is that because we do this only once a year we don't necessarily recall how to redo it.
And paid certificates are a lot more complicated to renew.

David Favor