Buying Digital Certificates — Protecting Confidential Data With SSL, Page 2

With prices for the most expensive digital certificates coming in at over 300 times more than the least expensive, it pays to be sure of what you’re buying when you cough up the cash for a server certificate. Here’s what the SSL certificate companies would rather you didn’t know.

Initial Research Into Digital Certificates

When it came time to buy a digital certificate for this site, I spent several hours researching the available options and learning to separate the marketing-speak of so many vendors from the substance of what was really on offer. Early on, I rejected certificate authorities like Verisign and Thawte, which sell some certificates for around $1500 per year! I checked into GeoTrust, which seemed more reasonable, and I discovered that Comodo provided even more reasonable prices. I also found that many of these companies provide certificates through resellers, who often sell at prices lower than the prices available directly from the supplier.

Convinced that I was on to a good thing — and having invested quite enough time in research for this one project — I went for a Comodo certificate purchased through one of their resellers. All went smoothly, and the certificate was installed on our server with only minor hiccups (relating to the fact, which I hadn’t realized at the time, that Comodo provides chained root certificates rather than single root certificates).

The Comodo Digital Certificate Nightmare

So, when it came time to purchase another digital certificate for another site, I went straight back to the Comodo reseller.

That’s when the problems began!

The reseller was fine — their only role was to take the money and pass it on to Comodo. But dealing with Comodo itself became a complete nightmare!

Certificate authorities normally make some type of checks to ensure that the individual requesting a certificate is legitimately connected with the site in question: this much is to be expected. But in the end I found it simply impossible to deal with Comodo customer service in this respect. They requested particular documents, which I provided… Then they decided that wasn’t what they needed after all, and I would have to provide something else. No problem; I provided it immediately. Nope, too bad, that wouldn’t suffice either. Then we started discussing my placing some message directly on my server, to prove that I was in full control of the site. OK, I’ll do that. But no, even after I did that, it still wasn’t good enough. Eventually they indicated they would have been able to process the order quickly if only I were an existing customer — but, of course, I already was an existing customer, because I’d just purchased one of their certificates a couple of months previously!

Even that wasn’t good enough: I would need to wait days for them to do…to do what, exactly? I never was sure, since I had provided every document they’d requested, and then some!

I think perhaps there was some language barrier at work, because often it seemed like I would write one thing, but Comodo customer service would read something else entirely. Or they would request a particular document, but then when I provided that document, it seemed like that was not what they wanted in the first place. In any event, I finally gave up and swore never to do business with the company again.

[UPDATE (April 2011): Earlier this month, Comodo became responsible for browser updates at Microsoft, Apple, Mozilla and others when one of their resellers was duped by a hacker in Israel into issuing digital certificates that would have made fraudulent versions of several big-name sites look legitimately secured. This break in the chain of trust led to the browsers being updated to take account of the certificates’ revocation.]

Better Price, Better Service, Single Root Certificate

And in a way, that was very fortunate, because it forced me to go out and do some reading again. I finally picked up on the difference between single root certificates and chained root certificates, and I did some more exploring of RapidSSL, formerly known as FreeSSL. RapidSSL is a subsidiary of GeoTrust and sells single root certificates. Not only were their prices significantly lower than buying from the GeoTrust parent, but they also had arrangements with resellers that meant their certificates could sometimes be had for downright bargain prices compared to Comodo’s chained root certificates.

Try Online Counseling: Get Personally Matched

I wound up buying through the reseller RegisterFly, which was running a ‘special’ on the lowest-priced 128-bit certificate, meaning I could pick up a single root certificate for around $16 per year — a fraction of the cost of the Comodo chained root certificates. The purchasing process was a little baffling — or dysfunctional, actually — necessitating a contact with RegisterFly customer service to ensure the order was completed. The ID checking this time was completely automated and all done online: a computer at the company called my telephone number and specified some digits which I had to enter at a particular website while still on the phone. This whole process cost me maybe 10 minutes, unlike the Comodo nightmare, which cost me hours of wasted effort.

I went away a happy customer, and when it next comes time to buy a digital certificate, I’ll know where to start looking!

Postscript: Always Check Around

And now here’s an update, in November 2006, regarding my experiences when it came time to renew the certificate for this site just last month. The moral of this story is that whatever you might have read, and whatever your own experiences might have been, always check around when it comes time to buy a digital certificate…

Having previously experienced grief from Comodo, I naturally turned to RegisterFly in hopes of obtaining another single root certificate for this site at a reasonable price. My, how quickly things change in the industry: dealing with RegisterFly was an unmitigated disaster. To cut a long story short, I discovered that RegisterFly is now advertising — and selling, and accepting money for — a certificate product that they will not provide! They will accept an order for a 3-year certificate (which, it turns out, is no longer a single root certificate anyway), but they will not fill that order: indeed, in my case, they accepted the order, refused to fill it, explained to me that they now only do 1-year certificates, promised me a refund for a 1-year order, but charged me for a 3-year order! Not only that, but they actually persuaded me to submit a new order for a 1-year certificate on the understanding that they would be refunding the first order, but they then would not fill the new order, apparently because there was still the old order for a 3-year certificate sitting in their system. The end result was that I was charged for 4 years worth of SSL certificates and received nothing. The matter wound up having to be handled by way of a chargeback through the credit card company, because RegisterFly proved to be so astonishingly inept.

So, my experiences with RegisterFly now fall at opposite ends of the spectrum: they’d been offering a bargain service on a single root certificate, and I would have recommended them to anybody, but now their business practices appear to be bordering on fraud, and I plan never to do business with them again.

So, where did I get a new certificate for this site? This time, I went back to chained certificates and found good prices and a decent buying experience at Yes, the chained certificate requires a bit more from the admin end to get it installed and working properly, but that task certainly absorbed far less time than I wasted in the encounter with RegisterFly.

But again, the moral of this story is to check around — by the time you read this, the major players in the industry may well have shifted again, and what was formerly a great deal or a good buying experience may no longer be.

Another update (July 2007): A colleague of mine just passed on the news that apparently I was not alone in the experiences I described above with RegisterFly. It turns out that the company’s service was so diabolically bad that ICANN actually took the highly unusual step of stripping them of their accreditation to handle domain registrations; a group of other companies banded together to rescue RegisterFly customers and their portfolio of some 850,000 domains, and GoDaddy wound up taking over the domain portfolio. (See the ICANN announcement and the GoDaddy press release from the decision at the end of May.)

As predicted, the major players have shifted again. RegisterFly is still useless, though — so useless that ICANN won’t even let them handle domain registrations any longer. Are they still selling SSL certificates? Yes, as of this writing, it looks like they are. If my own experience with them is at all representative, though, I can’t imagine they have very many happy customers.

All clinical material on this site is peer reviewed by one or more clinical psychologists or other qualified mental health professionals. This specific article was originally published by on and was last reviewed or updated by Dr Greg Mulhauser, Managing Editor on .

Overseen by an international advisory board of distinguished academic faculty and mental health professionals with decades of clinical and research experience in the US, UK and Europe, provides peer-reviewed mental health information you can trust. Our material is not intended as a substitute for direct consultation with a qualified mental health professional. is accredited by the Health on the Net Foundation.

Copyright © 2002-2022. All Rights Reserved.