certificatevendors.html : Java Glossary
2008-03-31 by Roedy Green ©1996-2008 Canadian Mind Products
Use these just for a ballpark. Check the websites.


Digital Certificate Vendors
Company Types of Certificate Sold.
Actalis Italian certificate authority. Website is only in Italian. SSL certs. Install root certs. Last revised 2007-04-23.
CaCert Welsh certificate authority. Free SSL, SMIME, IM and Open Office digital signing certs. Java, Authenticode and Mozilla XPI Code Signing Certs after you acquire 100 points of trust. Install root certs. Last revised 2008-03-04. Disadvantages:
  • Browsers don’t come with the CaCert.org root certs pre-installed. That is a political problem to talk the browser makers into including them.
  • The documentation is more than usually geekish.
  • The scheme works with a web of trust, similar to PGP. This requires you to engage in a time-consuming set of meetings to establish your identity by accumulating enough trust points.
Certum A Polish company offering over a dozen different types of certificate including code signing certificates. Code signing certificates are free for anyone involved in an open-source project. They also offer a free timestamping service to provide undeniable proof that digital data were not modified or backdated. Prices are higher than previously, but still well below the competition: e.g. 610.00 PLZ for a Java code-signing certificate and 305.00 PLZ to renew. See the price list. Unfortunately, code-signing roots are not built into cacerts. Last revised 2007-04-23.
Cren Institutional Certificates, e.g. entire universities. Cost is per institution based on size.
Comodo aka InstantSSL SSL certs from free to $999.00 USD for one year. Comodo owns the following root certificates: UserTrust Network/AddTrust, AAA Certificate Services, Secure Certificate Services and Trusted Certificate Services. These roots are present in Opera and IE. IE has Comodo-branded certificates in the Intermediate Certification Authority Section. This is the important place for Authenticode certificates. The AAA Certificate Services root certificate is present in Java’s cacerts. The usual problem with using a low cost certificate is not everyone has the root certificates pre-installed. Comodo does not appear to have that drawback. Authenticode code signing certificates for *.exe, *.ocx, *.dll, other *.cab files, or PAD *.xml files are $179.00 USD for one year. Last revised 2007-09-19.

CyberTrust (USA) Sell SSL certs for $349.00 USD a year. Last revised 2007-04-23.
DigitCert.com SSL cert $99.00 USD per year. Last revised 2007-04-23.
Ebizid SSL Cert $39.00 USD to $450.00 USD per year. Last revised 2007-03-23.
Entrust (USA) personal email certificates (free), SSL Server (free), VPN [Virtual Private Network] (free), SET (free). Free certs are 60-days for testing only. To use them you must first load the Entrust root authority cert into your browser. The code-signing certs appear to have been dropped. Production SSL certs for $349.00 USD a year. Last revised 2007-03-23.
GlobalSign PersonalSign Demo dual purpose S/MIME email and SSL client certificate: €0.00 EUR /year. Opera already has the necessary root certificate installed.
PersonalSign 2 email cert $80.00 USD /year.
PersonalSign 2 pro qualified email cert, also for digitally signing documents €70.00 EUR /year.
PersonalSign 3 pro qualified email cert, requires you to visit GlobalSign office to present your credentials. €100.00 EUR /year.
One-year ObjectSign certs can be used to code sign Java (probably just the old MS signing), JavaScript, ActiveX, VBA etc. €175.00 EUR /year.
SSL or TLS Server $189.00 USD /year. Last revised 2007-03-23.
GoDaddy SSL certs $19.00 USD to $90.00 USD per year. Last revised 2007-04-23.
QualitySSL, née InstantSSL 128-bit SSL certificate $49.00 USD per year for Intranet SSL to $749.00 USD per year for wildcard. Last revised 2007-04-23.
PGP Pretty Good Privacy Certificate server software you install issues PGP certificates. PGP Desktop Email for $149.00 USD . PGP Freeware. Last revised 2007-03-23.
TC Trust Center personal email certificates €69.00 EUR . corporate root trusted authority certs. time stamping. Last revised 2007-03-23.
SecureTrust
née XRamp
EV (extended validation) SSL certificates $599.00 USD Last revised 2007-03-23.
Thawte  Thawte Certification
(South Africa)
I like Thawte. They are friendly and co-operative.
  • Personal email S/MIME certificates (free). Use a web of trust scheme to make them more valuable than the usual free email certificate.
  • Free SSL test certificates.
  • JavaSoft Developer Certificate: These certificates can be used with Sun’s JDK 1.3 and later to sign Applets. $199.00 USD /year.
  • Apple Developer Certificate: These certificates can be used by Apple developers. $199.00 USD /year.
  • Microsoft Authenticode (Multi-Purpose) Certificate: These certificates are used with the Microsoft InetSDK developer tools to sign ActiveX controls, .CAB, .EXE and .DLL files, and other potentially harmful active content on W95/W98/Me/NT/W2K/XP/W2K3/Vista. Authenticode certificates only work with Microsoft IE 4.0 and later. $199.00 USD /year.
  • Netscape Code-Signing Certificate: These certificates are used to sign Java Applets, browser plug-ins and other active content on the Netscape Communicator platform, i.e. in the old days of Java 1.1 and 1.2. $199.00 USD /year.
  • VBA Developer Certificate: $199.00 USD /year. These certificates are identical to Microsoft Authenticode certificates, and are used by developers to sign macros in Office 2000 and other VBA 6.0 environments.

    The thing that blocks you from interconverting Thawte certificate types is that you can’t convert Sun keytool certs to PKCS #12 because keytool.exe refuses to either export or import a private key. It uses the same format for public certs. You can get around this restriction with tools from third parties e.g. BouncyCastle.org. Download one of the providers. You want to do this so you can import your full certs into other signing tools, such as Netscape jarsigner. See Mitch Gallant’s notes on exactly what to do. Basically you configure a little Java program called BCMain to export the certificate in PKCS #12 format using the BouncyCastle JCE. That exported file contains both private and public key. From there, you can import it elsewhere e.g. with keytool.exe.

    You can use a Netscape signing certificate for the Java plug-in 1.1 and 1.2, if you use the old Netscape RSA jar signing tool. For Java 1.3+, you need a separate RSA certificate. Thawte no longer make Sun DSA-style certificates. The Thawte website is ambiguous about this, saying it requires a different type of certificate, but not that it requires a totally separate application process and fee. The fault lies not with Thawte, but with Sun, since Sun’s keytool refuses to import or export private keys from the .keystore file. Happily, Thawte code-signing roots are built into cacerts.

  • SSL Server from $149.00 USD /year to $899.00 USD
  • PGP certificates are no longer supported. Sadly, Verisign bought Thawte out in 2000-02. Thawte is a much nicer company to deal with than Verisign.
Last revised 2007-03-23.
TuCows Authenticode for signing PADS and Microsoft apps. Comodo 1 year $75.00 USD , Thawte 1 year $160.00 USD .
VeriSign (USA). Verisign is the prestige company for certs. If any cert will be supported, recognised and accepted, it will be Verisign. However, dealing with Verisign is like dealing with IRS bureaucrats, very cold and businesslike. They are more set up to deal with large corporations than individual developers. Their website is well organised so you can quickly find the certificates you need and the prices.
  • personal email certificates $20.00 USD /year.
  • Javasoft Code-Signing Developer Certificate for JDK 1.3+ $499.00 USD /year and $695.00 USD for the pro version. The pro version offers rush delivery, 2 days instead of the usual 3 to 5, a 45-day free trial, and $100000.00 USD insurance instead of $50000.00 USD. They have never yet had a claim on the insurance.
  • Microsoft Authenticode $499.00 USD /year and $695.00 USD for the pro version. These certificates are used with the Microsoft InetSDK developer tools to sign ActiveX controls, .CAB, .EXE and .DLL files.
  • Visa SET.
  • 128/256 bit SSL certificate. $995.00 USD
  • Extended Verification SSL certificate. $1499.00 USD
Verisign offers 6+ types of code signing certificates. They cannot be converted into each other, though the Java code signing cert can also be used for Microsoft Authenticode. They don’t give details on how this works. You have to buy multiple certificates if you need more than one type. Happily, Verisign code-signing roots are built into cacerts. Last revised 2007-03-23.

Selecting a Vendor

Some criteria to consider when buying your certificate are: I heartily recommend Thawte for four reasons:
  1. They have low prices.
  2. They have friendly, responsive staff.
  3. They are based in South Africa, less likely to be coerced into disclosing information they should not by the CIA or the US government.
  4. They are not subject to US encryption export laws.
Unfortunately they have been bought out by Verisign, a much less customer-friendly company. However, I have seen no sign of deterioration in Thawte as a result.

Consider buying a 2 or 3-year certificate. It costs less per year. It takes less of your time to buy and install it, and you don’t have to reissue all your signed code each year because of an expired certificate.

