SSL certs

[Red Squirrel]

I'm toying with the idea of using HTTPS for my site when I redesign it. At very least the forum. The site will also consist of a central authentication login which the forum will be one of many things that uses that same login, so idealy I need to secure anything else (different sub/domains) that uses a login form. Goal is to not send the user login through clear text, obviously.

Been looking up certs real quick and there's a lot of different features and prices. Given I want to secure multiple sub/domains, possibly servers, but am not a high profile e-commerce site, what is my best bet? I'm thinking just paying for multiple single domain certs and basically getting the cheapest I can find. Any features I should look for to ensure I have? Most of the sub domains are on the same server but there is the possibility that changes. But if I get individual certs then I should not have to worry about that right, I'd just generate a new cert when I switch servers?

There are also free options like Let's Encrypt, is that worth looking at or am I better off going with one of the more known/trusted CAs like Comodo?

Also if I want to secure an internal communication channel, ex: one server using HTTP queries to another server, I can use self signed for that right? I have a game server which I will want to tie the login to the central authentication system, so I'm thinking it would probably just use a http query string with a reply that says if it's valid or not and possibly other info, which I obviously would want to encrypt.

Moved to Networking - Programming Moderator Ken g6

 

[John Connor]

I'd just go with Lets Encrypt. They are backed by many companies.

Server to server, yeah, self-signed should work. I know webmin uses self-signed.

I use a combination of StartSSL and Lets encrypt. When the StartSSL Certs expire I'll migrate to Lets Encrypt since cPanel will automatically update the Cert for me. I think you can do that with a command in terminal as well. Read the Lets Encrypt page. I seen the commands there.

 

[razel]

You don't need to buy an SSL cert just now. You can create self signed certs to test your needs. The only difference after you buy is you no longer will get a warning message in the browser, app, etc, that your SSL is bunk. Browsers are making it harder for you to proceed into a site with a bunk SSL cert, but it is not impossible. It just takes a few more clicks.

 

[Red Squirrel]

Yeah I will do self signed when in testing phase, done it before, but I still want to go with a proper one once the new site goes live. I'm leaning towards let's encrypt, don't like the idea that they expire so short but you can script it to auto renew, so I'll just set that up.

 

[razel]

If it's just for your needs you really don't need a validated SSL cert. The validation is just to confirm the ownership of the SSL to other people. If it's just you and your apps, APIs allow you to continue then your HTTPS connection will still be highly encrypted.

 

[JackMDS]

The issue of what to use is Not security per-se. When using a None main stream Certs, in most cases when connection is made Security warnings would popup. None knowable users usually get scared by it, for others it is just a nuisance and at times might destabilized the connection.

Thus, if you are the only one connecting and you are willing to endure the hassle it does not matter much what to use, what is comfortable to you would do.

Otherwise use a commercial cert. If security is really important to you it worse the relative small expense.

 

[joutlaw]

Another vote for Let's Encrypt