[BillinghamJ]

Honestly, while StartSSL's front-end is awful, their practices always seem to far exceed other CAs - especially around verification.

I don't enjoy the website, or the verification procedure, but ultimately I generally trust them pretty highly - they operate in a way which shows me they care about security.

[creshal]

We've been generating certificates in direct violation of their TOS for over six years. Every few years they pretend to find out, we do another blatantly non-compliant verification, fork over 120 dollars, and they let us keep printing certificates.

[debaserab2]

Went through the same headaches for a few years. Their atrociously unfriendly and unintuitive interface finally just pushed me over to using a cheap alternative that is much less painful (RapidSSL in our case).

[creshal]

Until Let's Encrypt came around we've heavily depended on wildcard certificates (several domains with 100+ customer facing subdomains), so any other alternative would have been massively more expensive.

But with LE allowing scripted certificate generation, we're just moving to that instead.

[haroldp]

How do you plan to get around LE's 5 subdomains per 7 day period limit? You can only get about 60 subdomains in theory, and that only if you stagger the registrations out carefully over three months and never make any mistakes.

[jewel]

If appropriate for your use case, you can get your domain added to the public suffix list [1]. Then the restrictions no longer apply.

This has side-effects with browsers and cookies so you wouldn't want to do it on a domain without understanding the impact.

[1]: https://github.com/publicsuffix/list/blob/master/public_suff...

P.S. In the unlikely event that someone involved is reading this, PLEASE make this a DNS attribute that is set on the top-level domain instead, in a TXT record perhaps. It's silly that we have to have a globally coordinated and distributed list for this data.

[pfg]

> P.S. In the unlikely event that someone involved is reading this, PLEASE make this a DNS attribute that is set on the top-level domain instead, in a TXT record perhaps. It's silly that we have to have a globally coordinated and distributed list for this data.

The Dbound WG[1] was working on this, but sadly didn't seem to get anywhere.

[1]: https://tools.ietf.org/wg/dbound/

[pfg]

You can get up to 100 SANs on one certificate, which will only increase your rate limit counter by one.

Works nicely if you have a (mostly) fixed list of subdomains, but becomes hard or impossible to manage if subdomains are dynamic.

[creshal]

You can get 100 subdomains per certificate, you're only limited to 5 certificates per domain per week.

That's largely sufficient for our use case, but we're still staggering renewal for certificates on our main domains. So far it's no problem because renewal is fully automated and we're leaving buffers.

[BillinghamJ]

That's interesting. If you don't mind, what rules are you violating?

[creshal]

You're only ever allowed to use your account with the person you validated with. You cannot share an account, e.g. between employees of the same company; if you want to transfer an account to another person over your vacation, you have to create a new account, re-validate, and recreate all certificates on the new account.

Obviously, we said f*k that and just registered everything on the CEO's name and have him do the phone verification.

[BillinghamJ]

Oh right, yeah. I'm pretty sure every company violates that particular rule :P

[chris_wot]

Every company that does this loses all their auditing capabilities on the systems that use these accounts. Not good.