Queries Regarding SSL Certification and Online Payment Gateway - ssl-certificate

I am developing an event website (on PHP and MySQL) which requires online payment for event registration. The payment gateway we have purchased from a bank. The bank asks us to have an SSL certificate for our website. As banks' websites usually have Verisign certificates, the people with whom we had a conversation told us to have a Verisign SSL certificate on our event website.
When I checked Verisign.com, I found that there are many types of certificates available:
Secure Site Pro with EV
Secure Site with EV
Secure Site Pro
Secure Site
I want to know, is it enough to have the most basic of all? What difference does it make with the different options which are available with Verisign? I still believe that the people at the bank have no knowledge of other companies providing SSL certificates. So can I use GoDaddy or other SSL certificate providers instead of Verisign?
Please help if anyone has worked with payment gateways and SSL certificates.

You can use any SSL certificate you want. The SSL certificate and payment gateway are independent of each other and one does not directly affect the other. So you can use GoDaddy or any other SSL provider you want with your payment gateway.


Is my SSL certificate good enough for financial transactions on my shopping cart

I have an online shop and I've just installed a new SSL certificate and it was free. It does seem too good to be true. I'm a very cynical type of person.
I don't know about different types of SSL, but I just need to be able to accept payment data (I'm using a PayPal add-in on Opencart).
I got my certificate from Let's Encrypt and they don't explain much on their website.
But if you go to my website Gwenllian-retail you will see the certificate. Can I handle financial transactions with that?
If not what type of SSL do I need?
One does not need much money or complicated software to create valid SSL certificates. I could create my own with ease, if I wanted. In fact, I have done. There is no reason to think that LetsEncrypt certificates are somehow of a wrong kind.
The question is whether people will trust those certificates, and that comes back to whether they trust the Certificate Authority (CA) that signed them. If I sign my own certificate and present that to someone as proof of my identity then that other party has no more reason to trust that the data within accurately identify me than if I just told them directly.
LetsEncrypt serves as the CA for SSL certificates it provides. I have never relied on them for a certificate, but according to hosting company DreamHost, LetsEncrypt certificates are trusted by all major browsers. (LetsEncrypt makes the same claim about itself, too.)
Again, all this trust business is mostly about authentication: whether the entity that presents the certificate (your web site) is really the entity that it says it is. It is not about the nature or quality of the encryption with which the session is secured. That comes down to the capabilities of the two endpoints, and is largely independent of the certificate.
Let's Encrypt is a well-known service backed by many big players. So yes, it's OK to use it on your site. BUT! An SSL certificate is not everything; it's only one of many shields to protect your application.

How to perform verification processes for EV SSL certification

I recently purchased an EV SSL certificate from comodosslstore.com for my site, which is hosted on GCP, and purchased the domain from Bluehost, but now I'm getting some issues verifying my identity and having trouble with the verification process for my SSL certificate.
So, can someone please tell me what exactly I should do for this verification process, like what I should do as an individual person? Thank you.
You will need to follow the rules set by Comodo. The best place is to ask them.
Their job is to provide reasonable certainty that you are who you say you are.
I have been through this process many times. They want to see a published phone number in your name that they can verify using public resources. For US companies, a Dun & Bradstreet verification, business license, articles of incorporation, etc.
Comodo will decide which methods that they will use to verify you.
If you are purchasing an SSL certificate as an "individual" you will have difficulty. An EV SSL certificate means "Extended Validation". Comodo will make a serious effort to verify you and your business and if they cannot, they will not approve your certificate. If you are not a registered business, I wish you luck obtaining one.
If you are not a company, you are a high risk for financial transactions. My advice is to switch and just use a DV SSL certificate. This is cheaper, requires fewer verification steps and is much easier to obtain. I also recommend to most companies that are not processing financial transactions (credit cards) to use Let's Encrypt. Move your shopping cart to a vendor such as Shopify so that you are not involved in transactions. PCI compliance is difficult and expensive.
7-Stage Authentication For EV SSL Certificates
The EV Enrollment Form
Organization Authentication
Operational Existence
Physical Address
Telephone Verification
Domain Authentication
Final Verification Call
Remember, the whole validation process for EV SSL certificates can take up to a week.
You can read about it in depth in this article.

Multi domain SSL for a single business website

I am working with a client who would have websites as .com, .in, .com.au, .jp, .eu, etc. We are planning to buy an SSL certificate. It's an eCommerce site and needs to be secured. What SSL certificate should I choose to support various domains together?
Should I buy a SAN certificate? I would need some directions here. What will show up when someone clicks on the certificate of the .jp website?
You are correct. You will need a unified communications (UC, SAN) certificate. Each TLD being different causes the domain to be different.
A UC certificate will let you bond all of the domains under one trust relationship. However, I would recommend just having different SSL certificates for each of them unless you plan on running them all on the same host machine.
Another potentially viable alternative, depending on how many other certificates you will need, would be to apply for a certificate authority (CA) trust with say VeriSign or any other CA. This would let you control your own enterprise PKI and issue any number of certificates while only paying one very large fee up front.

Is it possible to use https (own-server) without paying anything?

I want to use SSL (https) to secure communication. Is it possible to do it without buying a certificate of some sort?
You can use a self-signed certificate (google it) but your users will get a message saying the certificate is not valid. The traffic will still be encrypted, however.
The reason you have to pay a third party for a "valid" SSL certificate is that part of the purpose of an SSL certificate is to verify the authenticity of your server. If anybody could issue an SSL cert with any information they wanted, what's to prevent me from setting up an SSL certificate using Walmart.com's contact information and tricking users into thinking my site is a branch of walmart.com?
In short, you can get the encryption part for free, but if you want to avoid browser identity warnings, you'll need to pay for a third party cert.
You can self-sign a cert, or get one from cacert.org or a related free signing community. Most browsers will throw up warnings, so you shouldn't do it for production (if you are an e-business), but during development, or if you don't care about the warnings, it's a cheap alternative.
As others have said, you can simply and easily use self-signed certificates or set up your own certificate authority (CA) and then issue as many certificates as you want. All these certificates are as valid as the "commercial" ones issued by the big CAs, so there is no technical difference between your certificate and the one from, say, Verisign.
The reason most browsers and other client applications warn about your certificate is that they do not know and therefore do not trust your CA. Browsers usually come with hundreds of well-known CA certificates everyone automatically trusts (if that's a good thing, well...), so you don't get a warning when visiting amazon.com via HTTPS. In Firefox, you can go to "Preferences" > "Advanced" > "Encryption" > "View Certificates" to see which CAs or individual certificates your browser currently trusts.
In the end, it's a question of whom you and the users of your service trust. If your users know and trust you (say in a company network or a small development team), they can add your CA's certificate to the trusted certificates in their browser. From then on, every certificate issued by your own CA will generate no warning and will be trusted just like every other certificate.
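The two points made above (a multi-domain SAN certificate for several TLDs, and a private CA whose certificates verify only for clients that trust it) can be shown end to end with OpenSSL. This is an added example and not code from any answer; the hostnames under example.* and the "Example Private CA" name are constructed stand-ins.

```shell
#!/bin/sh
# Added example: private CA + one SAN certificate covering several TLDs.
# Requires a modern openssl (1.1.1+) on PATH. All names are constructed.
set -eu

WORK=$(mktemp -d)

# Constructed hostnames standing in for the .com/.in/.com.au/.jp/.eu sites.
SANS="DNS:shop.example.com,DNS:shop.example.in,DNS:shop.example.com.au,DNS:shop.example.jp,DNS:shop.example.eu"

make_pki() {
  # 1. Private CA: a self-signed root. This is the trust anchor users would
  #    have to import into their browser to silence the warning.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Private CA" 2>/dev/null
  # 2. Leaf key and CSR for the shop (the CN alone is ignored by modern clients).
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/shop.key" -out "$WORK/shop.csr" \
    -subj "/CN=shop.example.com" 2>/dev/null
  # 3. The CA signs the CSR and adds the SAN list: one UC/SAN certificate
  #    valid for every TLD listed, exactly what the answer above recommends.
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$SANS" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/shop.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/ext.cnf" -out "$WORK/shop.crt" 2>/dev/null
}

# Exit 0 when the leaf chains to OUR CA and matches hostname $1 (client trusts us).
verify_trusted() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/shop.crt" >/dev/null 2>&1
}

# Exit 0 when the leaf verifies against the default system store (it should not:
# the system store does not contain our CA, which is the "browser warning" case).
verify_untrusted() {
  openssl verify -verify_hostname "$1" "$WORK/shop.crt" >/dev/null 2>&1
}

make_pki
for host in shop.example.jp shop.example.com.au shop.example.de; do
  if verify_trusted "$host"; then echo "$host: OK (our CA trusted, name in SAN)"
  else echo "$host: rejected (name not in SAN)"; fi
done
if verify_untrusted shop.example.com; then echo "system store: unexpectedly trusted"
else echo "system store: rejected (unknown CA, i.e. the browser warning)"; fi
```

Running it prints OK for the .jp and .com.au names, a rejection for the .de name that was never listed in the SAN, and a rejection against the system store until ca.crt is imported.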

SSL cert for billing module

I'm writing a billing module for a startup I'm working on. It's my first time buying an SSL cert. I only need a cert for a single domain. Is the standard SSL cert from GoDaddy ($29.99/yr) all that I need?
I plan to get an authorize.net compatible merchant account and didn't know if they would require the deluxe or premium certs. I'm side strapping this business so I'm trying to do it on the cheap. Thanks
Different certificates sold through the lucrative business of Certificate Authorities carry different price tags, for a few reasons. The most noticeable to clients visiting your web site is how much information the CA decided to "assure", based on how much you paid.
If you could convince your clients that a self-signed certificate has indeed not been compromised, and guarantees no eavesdropping-on-the-internet, then you could get away with $0 certificate cost.
However, users want more than that.
The GoDaddy standard certificate offers domain validation. GoDaddy is recognized by browsers, and will tell your clients that yes, we issued this certificate to https://billing.yourhost.domain, and if you see a website called https://webstore.yourhost.domain using the same certificate, there will be an error in the validation.
Depending on your needs to give client assurance, you may require/desire a certificate for which GoDaddy or another provider will validate a point-of-contact with a business so that when I visit https://billing.washingtonwidgets.com, I can see that this Web site is registered to "Washington Widgets, Ltd.", as opposed to someone who can buy a DNS name for $5 and open up https://paymeinstead.therealwashingtonwidgets.com. This is more "assurance" against spoofers. A spoofer may be able to get a domain validated certificate for a web site which carries a similar name to yours. This extra "assurance" costs more, and several large companies will back the assurance with a warranty, too.
A new type of SSL certificate called EV SSL is marketed to represent one of the highest levels of assurance, and browser vendors are participating in presenting notification to users in a clear manner when a site uses an EV SSL certificate.
An aside from SSL: Now, do you need your own site to be secure? Or can you write a billing module and send a ticket off to a third-party ticket billing site such as PayPal, authorize.net, etc.? The term you want to look for is payment gateway. Oftentimes these services will charge a small commission, instead of a yearly premium, for a similar but different kind of assurance. They usually offer APIs that you can link through your application to create an end-to-end billing experience.
You need to buy a cert from a trusted root authority for your specific domain. I would talk to your hosting provider, as they will need to install the cert etc and may have a mechanism in place for you to go and buy one.
If you're really trying to do it on the cheap, I would definitely recommend PayPal or any other similar service over rolling your own.
Edit: Also, this isn't programming related, maybe something along the lines of "What would a low cost, easy to implement, billing solution be?"