I am interested in buying a cert to sign my binaries as well as web server cert. https://www.startssl.com/?app=2 seems to provide it at decent price, but I am not sure if this is a reliable company.
They are looking for passport/company registration information before they can issue cert. Their website looks crappy and their help email bounces..reducing my confidence.
Has anyone in this forum dealt with them for class 2 certs?
What are other reliable cheap alternatives?
Googling StartSSL together with common hot words for trouble -- like "scam", "fraud", "review", "security" -- doesn't seem to bring up anything too onerous. But don't take my word for it, do your own background check.
That said, the big suppliers of SSL certificates are pretty much guaranteed to be pre-installed in all browsers, including the mobile ones. The same can't quite be said for smaller certificate authorities. So it might make sense to hunt around for Comodo, Thawte & GeoTrust certificates (no special ordering) on the cheap. Here is a little secret for you, it is often possible to find the brand-name certificates for cheap from other resellers.
Here are some resellers:
One good tip: When you are done, I would recommend you to use the online test tool at Qualys SSL Labs. It can connect to your site, and tell you quite a lot about how the SSL is set up, including the certificate chain of trust and revocation state -- which is very handy as a troubleshooting & test tool.
I don't think StartCom / StartSSL is worthy of your trust. My reasoning:
For validation they require a scanned passport and drivers license. Information like this is very sensitive as it can easily be used for identity theft, for instance to acquire a loan in your name.
As a principle, I watermark these documents with the name of the company I supplied them to. They are still perfectly legible but this way, they can no longer be used for identity theft.
Startcom is unwilling to process these watermarked documents because they 'could be forged' (not because they were unreadable or anything like that). Imagine that. Any digital image I send 'could be forged', of course. Adding or not adding a watermark changes little on that account.
And where is the business case on their end? Why do they need (or even want) documents that can be used for Identity Theft? And why won't they process documents that are clearly suited for their purpose of identification?
The only reasons I can think of is that they are either very naive in their security thinking or worse, that they have plans for your documents where the watermark would get in the way. Makes me wonder...
Also please take note that they have been hacked in the past (and admitted to that) so why trust them with you identity in this way?
As per Jesper's answer, I had a very good experience with K Software (http://ksoftware.net/ ) - they are reseller for Comodo and seem to offer a good level of discount. In fact, most of my dealing after paying were with Comodo directly - expect to have to jump through a load of hoops to get any such cert because it basically says that you are who you say you are, and the issuing company is in some sense vouching for you.
We use StartSSL at a medium sized university. All staff and students who log in to our Portal (which all students have to do) use the cert. So far, we have had zero issues. Customer service has been excellent. Do be prepared to actually validate. Who you claim to be to qualify for class 2.
By far the WORST SSL provided I have ever dealt with. They require way more information then is presented on thier ordering page. Repeatedly asked me for additional CONFIDENTIAL information. Poor english spoken. Difficult to deal with. RUDE RUDE RUDE employees. STAY AWAY - You can find better service somewhere else.
Basically in order to get StartSSL Organization verification (and certificates) you have to go through personal verification (and pay US$ 59.90) and only then you are allowed to proceed with Organization verification.
But personal verification payment is "non-refundable" and they can delay Org. verification for as long as they like to and with any reason whatsoever till you will go elsewhere for your certificate.
In my case they selected one of the lawyers on documents Apostille (on even on the main corp. documents) and "we trying to call him" for more than a week. Right now I have to go back to Comodo (was using it for 4 years before) for the real certificate and cancel my payment with the bank - waste of time and money!
If you are looking for this kind of "entertainment" - try it yourself.
We use them for all our certificates. Perfect pricing, very helpful company, now a root CA with all the major browsers and their support is second to none. It is common enough for a company to ask for personal as well as corporate identity before issuing certificates so there is nothing unusual there. Hope that helps.
Used them for class 2 for two years now, I havE always had excellent service from them, and the support is superb.
i am using startssl class 1 "free" and i am very satisfy for simple https going green validation !! i recommend !!! but its trick and you must have some knowledge on ssl certificates setup to have a great experience !!
Have to agree with StartSSL being rude and seems almost like a scam for the class 2 certificate. I advise using someone else that has decent customer service.