SSL certificate Cont.

I wrote before how to install self singed certificate into your server. the process to create real certificate is almost the same. but after you create the CSR you send the CSR to your CA and they will send you CRT file that you can install in your server. once its install just restart the apache and you are good to go.

Choosing CA:

after several days researching CA I have a conclusion;
- Verisign is veri expensive but veri trusted. go with them if secutiry is no. 1 in your list.
- geotrust , cheap if you have a package from your ISP like 1and1 that offer $49 per year.
- network solution cheap , but they screw my account and I am leaving them
- digicert, is ok CA and they offer a very cheap wildcard certificate that cover 1 domain regardles the server or subdomain you have. this is a bargain for enterprise user.
- thawte, has been around for sometimes and cover a lot more countries than verisign. I set up secure servers in Afghanistan before with them and had no problem. As for US based CA they rejected my request since afghanistan is one of the banned country for doing business like selling cryptography. Sound ridiculous, since 90% of goverment in Afghanistan is build by US, but this is US law.

there is a lot more CA in the WWW but those what I am considering to have a big account with.

Other alternative is that you have your own CA server that will process any SSL request. If I am a central bank, I am going to this route. but it will cost you millions of dollars to have such server. Last time I check it will cost me US$25M. But you will be able to use this server to serve your employee(each has one's own cert) for login into your domain/AD using regular login or smart card, and/or serve your offsite client (branch/local banks).

We setup Reuters client for one bank before and Reuters use this kind of server. So one client using 1 dedicated certificate.

if you have question just shoot email to me.