certificatevendors.html : Java Glossary

I thought you would like to see the prices on this webpage in  , but you can change that instantly, thanks to the Canadian Mind Products CurrCon Applet that you too could use on your own website to display prices in any world currency using today’s exchange rates.

Digital certificate vendors; where to buy certificates and which types each vendor carries.

Digital Certificate Vendors
Company	Types of Certificate Sold. All prices are in
Company	Types of Certificate Sold. All prices are in
A-trust	Code signing certs. per year. SSL (Secure Sockets Layer) certs per year. Site is in German. Last revised/verified: 2011-10-31
Actalis	Italian certificate authority. Website is only in Italian. SSL certs. Install roots. Last revised/verified: 2009-08-09
Affirm Trust	SSL. Last revised/verified: 2011-10-31
CaCert	Welsh certificate authority. Free SSL , SMIME, IM and Open Office digital signing certs. Java, Authenticode and Mozilla XPI Code Signing Certs after you acquire 100 points of trust. Install root certs. Last revised/verified: 2008-03-04 Disadvantages: Browsers don’t come with the CaCert.org root certs pre-installed. That is a political problem to talk the browser makers into including them. The documentation is more than usually geekish. The scheme works with a web of trust, similar to PGP (Pretty Good Privacy). This requires you to engage in a time-consuming set of meetings to establish your identity by accumulating enough trust points.
Certs4Less	Sell Thawte certs for per year
Certum	A Polish company offering over a dozen different types of certificate including code signing certificates. Code signing certificates are free for anyone involved in an open-source project. They also offer a free timestamping service to provide undeniable proof that digital data were not modified or backdated. Prices are higher than previously, but still well below the competition: e.g. for a Java code-signing certificate and to renew. Unfortunately, code-signing roots are not built into cacerts. Last revised/verified: 2007-04-23
Camerfirma ( not Camerafirma)	Spanish. Last revised/verified: 2013-02-09 Sell SSL, code signing and many kinds of certificates I have never heard of.
Cren	Institutional Certificates, e.g. entire universities. Cost is per institution based on size.
Comodo aka InstantSSL	SSL certs from free to  for a one year. Comodo owns the following root certificates: UserTrust Network/AddTrust, AAA Certificate Services, Secure Certificate Services and Trusted Certificate Services. These roots are present in Opera and IE (Internet Explorer). IE has Comodo-branded certificates in the Intermediate Certification Authority Section. This is the important place for Authenticode certificates. The AAA Certificate Services root certificate is present is Java’s cacerts. The usual problem with using a low cost certificate is not everyone has the root certificates pre-installed. Comodo does not appear to have that drawback. Authenticode Code Signing certificates for *.exe, *.ocx, *.dll, other *.cab files, or PAD (Portable Application Description) *.xml files are for one year. Last revised/verified: 2012-12-15
DigitCert.com	SSL cert  per year. Last revised/verified: 2007-04-23
Ebizid	SSL Cert  to  per year. Last revised/verified: 2007-03-23
Entrust (USA)	personal email certificates(free), SSL Server(free), VPN (Virtual Private Network) [VPN] (free), SET (free). Free certs are 60-days for testing only. To use them you must first load the Entrust root authority cert into your browser. The code-signing certs appear to have been dropped. Production SSL certs for  a year. Last revised/verified: 2007-03-23
Firmaprofesional	SSL, code signing, many others. Site is in Spanish. Last revised/verified: 2011-10-31
GlobalSign	PersonalSign Demo dual purpose S/MIME (Secure Multipurpose Internet Mail Exchange) email and SSL client certificate: /year. Opera already has the necessary root certificate installed. PersonalSign 2 email cert  /year. PersonalSign 2 pro qualified email cert, also for digitally signing documents /year. PersonalSign 3 pro qualified email cert, requires you to visit GlobalSign office to present your credentials. /year. One-year ObjectSign certs can be used to code sign Java (probably just the old MS signing), JavaScript, ActiveX, VBA (Visual Basic Applications) etc. /year. SSL or TLS (Transport Layer Security) Server /year. Last revised/verified: 2007-03-23
GoDaddy	SSL certs to  per year. Last revised/verified: 2007-04-23 Authenticode code signing certs  per year. Last revised/verified: 2012-12-15
Ksoftware	Code signing certificate. Multipurpose. Handles Java, Authenticode and many others. Affiliate of Comodo. a year. This is a remarkably good price. Once you place the order, from then on Comodo handles everything. I have ordered a two year certificate. I need to check though that their root certs are preinstalled everywhere I want to use them such as Java cacerts, Excelsior Jet, Windows, Opera and other modern browsers. I have not yet found the root certificates to check, though the company assures me they are universally supported. I also read about some people having trouble using Comodo Authenticode certs to sign PAD XML (extensible Markup Language) files. The vendor says they have successfully signed PADs (Portable Application Descriptions) with them. They also offer a free document signing service with timestamping. Your general purpose certificate is good for this too. requirements. It is best to use Firefox or Chrome to apply, not Opera. Applying for a code signing certificate is quite a production. You must provide multiple proofs you or your company is who you claim. They take Visa, MasterCard, Discover, American Express and PayPal.
Let’s Encrypt	Free SSL certs, but valid only for 30 days. I find this odd since it greatly increases their overhead.
SSL Shopper	Sell Java code-signing certs from four different companies.
QualitySSL, née InstantSSL	128-bit SSL certificate per year for Intranet SSL to  per year for wildcard. Last revised/verified: 2007-04-23
TC Trust Center	personal email certificates  . SSL 1 year. Mobile Java 1 year. Java code signing 1 year. corporate root trusted authority certs. time stamping. Last revised/verified: 2010-08-16
TrustWave née SecureTrust née XRamp	EV (extended validation) SSL certificates  Last revised/verified: 2007-03-23
StartSSL	free SSL certificates. Free actual certificates, not test certificates. This sounds bizarre. How do they make money? What’ the catch? Last revised/verified: 2010-03-26
Serifitseerimiskeskus	SSL. Site is in Estonian. Last revised/verified: 2011-10-31
Symantec	Symantec offers a timestamping service with their certificates. They offer code-signing and SSL certificates. SSL certs are to per year. They have four kinds of code-signing certificates for a year. Code-signing certificates use 2048-bit keys.
Thawte Certification (South Africa)	I like Thawte. They are friendly and co-operative. Personal email S/MIME certificates(free). Use a web of trust scheme to make them more valuable that the usual free email certificate. Free SSL test certificates. JavaSoft Developer Certificate: These certificates can be used with Oracle’s Java version 1.3 and later to sign Applets. /year. Apple Developer Certificate: These certificates can be used by Apple developers. /year. Microsoft Authenticode (Multi-Purpose) Certificate: These certificates are used with the Microsoft InetSDK developer tools to sign ActiveX controls, .CAB, .EXE and .DLL files and other potentially harmful active content on W95, W98, Me, NT, W2K, XP, W2003, Vista, W2008, W7-32, W7-64, W8-32, W8-64, W2012, W10-32 and W10-64 Authenticode certificates only work with Microsoft IE 4.0 and later. /year. You can’t use generate or sign with the certificate on Vista. Netscape Code-Signing Certificate: These certificates are used to sign Java Applets, browser plug-ins and other active content on the Netscape Communicator platform. These certificates are used to sign Java Applets, browser plug-ins and other active content on the Netscape Communicator platform, i.e. in the old days of Java version 1.1 and 1.2. /year. VBA Developer Certificate: /year. These certificates are identical to Microsoft Authenticode certificates and are used by developers to sign macros in Office 2000 and other VBA 6.0 environments. The thing that blocks you from interconverting Thawte certificate types is that you can’t convert Sun keytool certs to PKCS (Public-Key Cryptography Standards) #12 because keytool.exe refuses to either export or import a private key. It uses the same format for public certs. You can get around this restriction with tools from third parties e.g. BouncyCastle.org. Download one of the providers. You want to do this so you can import your full certs into other signing tools, such as Netscape jarsigner. Basically you configure a little java program called BCMain to export the certificate in PKCS12 format using the BouncyCastle JCE (Java Cryptography Extension) . That exported file contains both private and public key. From there, you can import it elsewhere e.g. with keytool.exe. You can use a Netscape signing certificate for The Java plug-in 1.1 and 1.2, if you use the old Netscape RSA (Rivest, Shamir and Adelman) jar signing tool. For Java version 1.3 or later, you need a separate RSA certificate. Thawte no longer make Sun DSA-style certificates. The Thawte website is ambiguous about this, saying it requires a different type of certificate, but not that it requires a totally separate application process and fee. The fault lies not with Thawte, but with Sun, since Oracle’s keytool.exe refuses to import or export private keys from the .keystore file. Happily, Thawte code-signing roots are built into cacerts.. SSL Server from /year to  PGP certificates are no longer supported. Sadly, Verisign bought Thawte out in 2000-02. Thawte is a much nicer company to deal with than Verisign. Last revised/verified: 2007-03-23
TuCows	Authenticode for signing PADS and Microsoft apps. Comodo 1 year  , Thawte 1 year  .
Turktrust	SSL , document signing. Site in Turkish and English. Last revised/verified: 2011-10-31
Verisign	Symantec bought out Verisign then killed it. Verisign was the prestige company for certs. If any cert will be supported, recognised and accepted, it used to be Verisign. However, dealing with Verisign was like dealing with IRS (Internal Revenue Service) bureaucrats, very cold and businesslike. They were more set up to deal with large corporations than individual developers. Their website was well organised so you can quickly find the certificates you need and the prices. personal email certificates /year. Javasoft Code-Signing Developer Certificate for  Java version 1.3 or later  /year and  for the pro version. The pro version offers rush delivery, 2 days instead or the usual 3 to 5, a 45-day free trial, and  insurance instead of  . They have never yet had a claim on the insurance. Microsoft Authenticode /year and for the pro version. These certificates are used with the Microsoft InetSDK developer tools to sign ActiveX controls, .CAB, .EXE and .DLL files. Visa SET. 128/256-bit SSL certificate. Extended Verification SSL certificate. Microsoft Office and VBA Netscape Macromedia Shockwave Marimba Castanet Channel Certificate types cannot be converted into each other, though the Java code signing cert can reputedly also be used for Microsoft Authenticode. Verisign does’nt give details on how this works. You have to buy multiple certificates if you need more than one type. Happily, Verisign code-signing roots are built into cacerts.. Last revised/verified: 2008-06-09
Verizon (USA)	née Cybertrust. Java code signing certs for  . Sell SSL certs for  a year. EVL SSL   a year. Last revised/verified: 2011-01-05

Selecting a Vendor

• Are the root certificates (code-signing or SSL ) of that vendor built into the browsers your clients will be using? You can find many more vendors if you look in the lists of root certificates in various browsers. However, you want a vendor widely supported by many browsers or your customers will have to manually install the CA (Certificate Authority) root certificate to use your site.
• cost, both initial and renewal.
• Does the company provide all the different kinds of certificate you will need. It is much less hassle to get everything from one source.
• What sort of reputation does the vendor have for service? Basically you are paying them to verify that you are you. You want them to do that thoroughly without driving you crazy.

1. They have low prices.
2. They have friendly, responsive staff.
3. They are based in South Africa, less likely to be coerced into disclosing information they should not by the CIA (Central Intelligence Agency) or the US government.
4. They are not subject US encryption export laws.

Consider buying a 2 or 3-year certificate. It costs less per year. It takes less of your time to buy and install it and you don’t have to reissue all your signed code each year because of an expired certificate.

Why are Certificates so Expensive?

Certificates cost almost nothing to manufacture. It costs the vendor nothing extra to use a fat key size. It costs the vendor pennies to renew a certificate for another year. So why are they so expensive?

The vendor has to research and vouch that every fact attested in the certificate is indeed true. This requires human labour. Usually there are problems. Vendor staff have to email/phone back and forth with the customer to resolve them. Very few customers are technically competent in certificates. They require handholding to apply for and install them. The more facts, the more labour, the higher the cost.