| Here's how I think it works: Cert issuing companies are in business because they somehow got Firefox, IE, Opera, etc., to include their authority certificate by default in the browser. You could start your own competing service but you'd somehow have to overcome that obstacle. Second, many of those companies offer "business validation" services. This is the more expensive cert, maybe $400 or more. They make sure you have a D&B number, and ideally do a bit of auditing to be sure that you are legit. So if you are one of those companies and you can make money just for selling a cert, and without having to do any sort of audit, why wouldn't you? With such a basic cert you are mostly just allowing users to have ssl transport without an annoying browser message. That is worth something. There are even cheaper ones that use a second cert which I think is just a basic part of SSL. You could buy a cert and then issue certs, and as long as the web server includes the full chain, it should be OK. |