[ic] Recommendation for CA to issue Certs.

Curt Hauge interchange-users@interchange.redhat.com
Wed Feb 20 16:35:00 2002


Quoting Barry Treahy, Jr.
>
> I have used Thawte for the past five years, primarily because they were
> one of the few CA's that issued wildcards, and also because they were
> the cheapest.  Since that time, Verisign swallowed them up and Thawte
> lost much of their identity as well as their desire to price
> wildcards so that small business can easily afford them without a
> zillion hassles.  During this same time, it appears that many of the
> other CA's have either gone away, merged, or stopped issuing wildcards
> too.  We are not an ISP but enjoyed the flexibility of the wildcards
> because of the ability to easily replace faulty equipment or testing
> equipment without issuing a unique cert to each system.
>
> You admins that host your own systems, how do you tackle this?
>
> Any recommendations on an inexpensive CA that does still handle wildcards?
>
> I'm sick of Thawte, so if I must go for individual certs, any
> recommendations on a CA in general as long as it isn't Verisign or Thawte?

I have tried Equifax Secure, since swallowed up by geotrust.com. It works
fine, but they are not recognized by IE or Netscape, so you are supposed to
use the SSL+trusted chain CA (SSLCACertificateFile). Well, I still get the
pop-up message when going secure:

"The security certificate was issued by a company you have not chosen to
trust."

I have contacted Geotrust but they tell me the same thing - it can be
resolved by using the SSL+trusted chain CA. I am using this correctly, I
believe, but to no avail:

SSLCACertificateFile /etc/httpd/ssl/equifaxca2.crt
SSLCertificateChainFile /etc/httpd/ssl/chain.crt

Both files exist in the respective folder, and the server was rebooted. Still sucks.

YMMV.

Good luck.

Curt Hauge
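
An added example, not part of the original message: a shell check, using the openssl command line, of whether a server certificate verifies against a root with and without an intermediate chain file, which is the link SSLCertificateChainFile is meant to supply. The root, intermediate and server certificates are constructed throwaway ones, and the function names make_pki and check_chain are hypothetical.

```shell
#!/bin/sh
# Added example. Every subject name, key and file here is constructed.

# make_pki DIR: build root CA -> intermediate CA -> server cert inside DIR
make_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Root: stands in for a CA certificate the browser already ships with
    openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$1/root.key" -out "$1/root.crt" -days 30 \
        -subj "/CN=Constructed Root CA" >/dev/null 2>&1 || return 1
    # Intermediate: signed by the root, not known to the browser
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/int.key" -out "$1/int.csr" \
        -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ca.cnf" -extensions v3_ca \
        -out "$1/int.crt" -days 30 >/dev/null 2>&1 || return 1
    # Server certificate: signed by the intermediate, not by the root
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
        -CAcreateserial -out "$1/leaf.crt" -days 30 >/dev/null 2>&1 || return 1
}

# check_chain DIR [CHAINFILE]: print "trusted" if the server cert verifies
# against the root, optionally with CHAINFILE supplying intermediates
check_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt"
    else
        openssl verify -CAfile "$1/root.crt" "$1/leaf.crt"
    fi >/dev/null 2>&1 && echo trusted || echo untrusted
}

demo_dir=$(mktemp -d) && make_pki "$demo_dir" || exit 1
echo "server cert only:         $(check_chain "$demo_dir")"
echo "server cert + chain file: $(check_chain "$demo_dir" "$demo_dir/int.crt")"
```

Run against real files, the same `openssl verify -CAfile ... -untrusted ...` call shows whether a given chain file actually links the server certificate to a root the client trusts.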