$60 one off payment to be verified, then you can issue unlimited wildcard certs for any and all domains you control. i.e., the certs themselves are free, you just pay for verification.
Beware, they claim they will issue unlimited certs, but even after completing a domain validation via email to an admin account on the domain, they might refuse your cert if they care to look at the WHOIS data and decide it's not "you" (for example, a different business name or admin contact). They might even change their mind on this when you try to renew a cert they had previously issued.
I actually started that and stopped midway through.
The process was absolutely hostile, the requirements insane and I haven't stripped like that, ever.
Plus, it's plain BROKEN (Really? Like, requiring a utility bill for verification? What? Why?).
Obviously I didn't finish it (I did send most of my documents but stopped at some point and told them that this is crazy, I don't care anymore), so my advice might be crap. But I would advice everyone to avoid. this. process.
The process is hostile and the UI confusing at times, but the requirements aren't insane. They're doing what they're supposed to do: verify you are who you say you are and that you're the owner of the domain. Just sending a mail to the webmaster is weak verification (and a SPOF, if nothing else).
A sane version in this country is PostIdent. It's a way to verify a person & address using the post. Think postman arrives, asks you to pull out your ID and sign something, hits okay. Company knows that you are a real person with the specified name living at that place. They _might_ have access to the number on your national ID afterwards, but I'm not even sure about that one.
Have you checked what kind of documents you're to send to a random foreign company for verification?
On top of that, the process doesn't WORK internationally. I still don't understand what kind of utility bills you have in Israel (StartSSL) or the US (usually the source for.. things), but mine are different. Plus, what does a random letter in a random language prove? Sending in an ID is understandable - it's a state issued document and protected by law, forging one would be a Bad Idea. A "utility bill"... Well, as I said: Insane. And arbitrary.
For the fun of it I looked up the mail exchange.
Documents they asked for (* denoting that I sent them):
- Mobile bill
- Utility bill* (sent a cable provider's bill)
- Passport & ID *
(I think I provided my driving license as well)
The first two documents are absolutely braindead requirements. They certainly don't have the expertise to know all utility providers/mobile network providers on a global level. So I could hand in ANYTHING and it would a) be probably legal (there's no law to prevent me from 'forging' a utility bill.tell ..) and impossible to prove. That is .. unless they call your utility/mobile provider to check the information, which wouldn't work in the first place (data protection laws) unless you IMPERSONATE the person you try to check. Which would be crazy on a different level.
In the end they wanted to send me a registered letter by snail mail and I cancelled the whole ordeal. Doing that would've been an option of course, but not after they asked for random documents proving my address. EITHER send me a registered letter OR ask for crazy stuff that contains my name and address in the header.
Plus, transparency. This whole process took a while and was a lot of "Now please send this", "We really need that", "Since you have no mobile bill to offer, we fall back to snail mails". I discovered this in painful mails, after handing over enough of my data to do mostly anything in my name.
I fail to understand how this process could be acceptable and I certainly consider it broken, hostile and inefficient.
(Handing in my utility bill was difficult as well - I blacked out all but the letter head, which caused them to complain again and again. Ignoring that the letter contained the SIP credentials for my landlines, what the..? I cannot _invent_ a reason for this requirement. My creativity is too limited, it seems)
A current utility bill shows a link to an address; a lot of IDs don't, and from memory passports don't (anyway, they last for years and don't require updates...). Yes, it's not foolproof, but it raises the bar. Most people have access to this thing and are able to send it in - so it's a cheap way to raise the bar.
Possibly you raised such a fuss that you tripped their 'possibly a forger, probably not worth it' spider-sense, so you got more hoops to jump through.
That's exactly my issue. Maybe that's the case in your country of origin, but not here. The ID lists your address and you're required by law to update it whenever you move.
Plus, they got that (address/name, a header of a utility bill), but complained about blacked out passwords/details.
Plus, if your fallback is to send a registered letter to verify an address, why .. not list that from the start and just do it that way? Slower, but less crap.
We won't find some common ground here, of course. I don't think that I 'made a fuss', not before the process became utterly broken and laughable.
I haven't tried this service. But I think it is fair to say that SSL certificates being as they are (complex and expensive), we will not see an all-https web anytime soon. SSL certificates need to be fixed first, it must be cheap and easy to set up SSL on a shared server with limited technical knowledge before we see it generalised.
And $25 to revoke. Miskey the CN? Cough it up. A bug in openSSL gets your private key owned? Pay up. Want a different type of cert for the same domain? Pay the man.
It's not like they invented the pricing during heartbleed, it was always out there.
StartSSL can make the certificate for free because their infrastructure is all automated. You don't know if certificate revocation requires human intervention or not.
Plus certificate revocation is useless in case of MITM. Browsers need to be able to contact the certificate authority and will just ignore it on timeout. So the only difference is that the MITM has to blackhole the CA on top of the usual routine.
All you can do is hope nobody stole your SSL certificate.
My understanding is that it's all automated for level 1 trust where you can only generate basic single-domain SSL certs. I don't remember getting a call.
$60 one off payment to be verified, then you can issue unlimited wildcard certs for any and all domains you control. i.e., the certs themselves are free, you just pay for verification.