it seems to good to be true

it's at namecheap.com

http://www.namecheap.com/learn/ssl-certifi...ertificates.asp

As far as I can see there are two catches:

1) You've got to buy something, you can't just go "I've got an account, please give me one"
2) They expect you to become dependant on it and renew it in subsequent years because it is useful, even if it isn't necessary,

Aha! The old trick of giving free drugs to kiddies in the schoolyard.

Yep, one of the best marketting techniques there is. Make someone rely on something and then start charging and the majority of people will feel they then can't do without it and will just pay up

Why not just go to CACert (who have been around for some time) and get a cert for free - period,.

Nothing to buy and it lasts more than a year

well, that wouldn't be any different than using a self-signed cert - which are easy to make. Users would be alerted that your site isn't trusted.

AFAIK CACert is not installed in any browser as a trusted authority. I just looked in FF2 and it's not there for certain.

As far as the concept of "get rich by giving it away free as marketing", that's true but it's also true of Firefox these days. Especially now that they're in bed with privacy invading Google.

So FF *could* install CACert in their browsers, any we the people could have free SSL... but then FF would lose the income they're getting when cert authorities pay money to the FF team to be included. I imagine that the FF staff is located in some very fine office space these days with a huge budget.

It's a racket.

Um, CACert has been around a long time and are generally considred a trusted source. There are a lot of politics involved in beig "accepted by a browser" as a default inclusion. Equifax has only been included in recent years though I do admit a case could be made they aren't a trusted source

Do as you like, pay as you like. I only offered an option that has worked for a great many site owners.

NyteOwl, I was using the term "trusted" in the technical sense: the browser will pop up a dialog box using the word "untrusted" or something similar.

Depending on your usage then "untrusted" isn't as bad as it is made out to be. I'm looking at a VPS and forcing HTTPS for webmail, Since there is only me, my wife and my mum who have email accounts then a self-signed certificate will trip Firefox's "are you sure you want to do that" feature, but it will still give exactly the same level of protection. From the number of times I've hit a mailing list archive and been prompted about the certificate, it wouldn't surprise me to know quite a lot of them have done it as well.

can't you run servers on VPS? If you use an alt port like 444, then you'd probably be able to use SSL just like that

or, with your limited users you can install your own trusted authority cert in their browsers, or go with CACert installed as a trusted authority

That's what I'm doing - running Lighttpd on port 443 to server webmail through HTTPS. The only problem is that your certificate is served before you get to the "which domain am I asking for" part, so if I use SSL for my admin areas as well (on different domains) then they would get both a "self-signed" warning and a "doesn't match domain" warning. That still leaves you with the encryption, and it's still me saying that I'm me (which in this case should be sufficient) but it does pop up the warnings.

As for CACert, I'm looking in to them and StartSSL to see about proper certificates and then serving the admin content on another port so I can have two certificates that match the two domain uses. It's okay so far, but I've just got to check how much info is stored in the StartSSL certificate in terms of the address information that I had to provide them. I'd rather go self-signed and tell the people who use it how to accept it than go accepted and have my personal details in the certificate!

you could always buy a .info domain at namecheap for $2.99, and get the free cert that you can apply to any domain.

And then how much will it be to renew it and how much to renew the SSL certificate? StartSSL free certificates seem to be working okay for me at the moment (ignoring the bit where I had some issues with not keeping the right private key when they have no way of recovering it!) Luckily I'm not doing it for a live system yet!

Like $20-30, I don't remember the exact number but I got over 10 postive ssl in my namecheap account and i'm not using them at all so if there is a way to push them because I can't figure out how. By the way the 1 year starts when you start using it, not when you buy the ssl cert.

Very nice helpful link here. Thanks for sharing.

you'll also need to purchase a dedicated IP to use a cert.