by ivraatiems 3737 days ago
For a while, I ran a small non-profit gaming site. This was well before Let's Encrypt, so we looked to StartSSL for a free certificate. They denied us.

Why?

Because we had links to a PayPal account set up to take donations. Even though PayPal had its own security, and we were only providing a link to it, that was enough for them to deny us the cert. They refused to understand that WE would be conducting no financial transactions using their service, or that PayPal was a separate entity.

It was maddening, and we ended up abandoning the whole idea of having SSL. Would that LE had existed.

2 comments

Conversely, when I went for an SSL cert for my company, they called me (from Israel) on a phone number for our company taken from public sources, in order to verify we were who we were. Compare this to some other SSL providers, whose certification process is "can you give us $600?"
Was that an EV certificate? EV and DV certificates certify different things.
No, it wasn't an EV cert. It was whatever their level above the first level is (can't recall, it's been a while, but it wasn't for EV).
From their policy:

> Class 1 certificates are limited to client and server certificates, whereas the later is restricted in its usage for non-commercial purpose only.

AFAIK simply taking donations counts as "commercial purpose". You are free to dislike their policy though.

Sure, okay, but the certificate would never have been used to transact those donations. If you own a car, and you don't want dogs in your car, what does it matter if I put my dog in someone else's?
I think they just care whether or not you're making money with the site, period. As in, money that could potentially go towards a paid certificate.