by reipahb 4023 days ago
This being Amazon AWS gives me hope that this will be a CA with an API that allows automatic certificate issuance for domains you control. I find the process of issuing and reissuing certificates for all sorts of services to be an increasing amount of work as more and more services move to https.

(The letsencrypt.org CA is built around automated certificate issuance through an API, but some competition wouldn't be a bad thing.)


Check out SSLMate, which has been automating certificate issuance since early last year: https://sslmate.com

We have both an API and a highly scriptable open source command line client.

Seems very clever, but I have to ask:

> DV certificates are $15.95/year per domain,

Not a bad price, very much one I'd be willing to pay in order to get certificates via a CLI.

> or $149.95/year for unlimited sub-domains.

Ouch, 10x for a wild card? Why do issuers do this? It really puts a crimp on the whole "hobbyist doing hobbyist things" since that's $150/year just to not have cert errors on a single domain.

(FWIW, I'm deliberately excluding StartSSL for a variety of reasons.)

The cynic in me presumes that it's to make up for the lost cash in charging you individually for all those subdomains.

What do you mean about cert errors on a single domain [requiring a wildcard]? Because you use a lot of subdomains, or the bare domain/www. prefix?

If it's the latter, I think some (many?) registrars may let you add one or more SubjectAltName[1] values to a single cert for free or minimal cost, at least compared to a wildcard.

[1] Other values for which the certificate is considered valid: https://en.wikipedia.org/wiki/SubjectAltName
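As an added illustration of the SAN-versus-wildcard point (example code written for this page, not from the thread or from SSLMate), here is the hostname-matching rule a TLS client applies to a certificate's dNSName entries; the certificates and hostnames below are constructed. It shows why a wildcard alone does not cover the bare domain and why a couple of SAN entries are often all a small site needs.

```python
# Added example (not from the thread or from SSLMate): how a TLS client decides
# whether a certificate's SubjectAltName dNSName entries cover a hostname.
# Rules follow RFC 6125 section 6.4.3 as browsers apply them: matching is
# case-insensitive, a wildcard may only be the whole leftmost label, it matches
# exactly one label, it never matches the bare domain, and it needs at least two
# further labels (so "*.com" is rejected).

def hostname_matches(san_names, hostname):
    """Return True if hostname is covered by one of the certificate's dNSNames."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        labels = name.split(".")
        if "*" not in name:
            if name == host:            # plain SAN entry: exact match only
                return True
            continue
        # Wildcard entry: reject partial wildcards ("f*.example.com"), wildcards
        # outside the leftmost label, and wildcards that are too broad ("*.com").
        if labels[0] != "*" or "*" in name[1:] or len(labels) < 3:
            continue
        # "*" stands for exactly one non-empty label; the rest must match exactly.
        if len(host_labels) == len(labels) and host_labels[0] and host_labels[1:] == labels[1:]:
            return True
    return False


def coverage(san_names, hostnames):
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: hostname_matches(san_names, h) for h in hostnames}


# Constructed certificates: one with SAN entries for the bare domain and the
# www. prefix (the cheap option discussed above), one with a single wildcard.
SAN_CERT = ["example.com", "www.example.com"]
WILDCARD_CERT = ["*.example.com"]
HOSTS = ["example.com", "www.example.com", "mail.example.com", "a.b.example.com"]

if __name__ == "__main__":
    for label, cert in (("SAN cert", SAN_CERT), ("wildcard cert", WILDCARD_CERT)):
        print(label, coverage(cert, HOSTS))
```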

I wonder why you're excluding StartSSL. It's no matter if you trust them as long as all major OS/browsers trust them.

Could be it also discourages script kiddies from pulling antics.

Not sure why you've been downvoted - this is pretty much the reason for elevated pricing of wildcard certs. They are more open to abuse (have seen them used for phishing sites), so the issuer carries a higher risk of having to do additional management around the cert (i.e. revocations), so therefore charge more.

> Wildcard SSL: $149.95 / year

This is incredibly prohibitive to me, considering it. :-(

Maybe SSLMate can make a deal with GlobalSign/AlphaSSL for wildcard DV certificates. At least there are resellers out there that offer wildcards for $42 https://www.ssl2buy.com/alphassl-wildcard.php but of course suck at API/automation. I've seen other resellers (usually lowendtalk-VPS) selling AlphaSSL wildcards for below $40/y in the past.

Yep, I use AlphaSSL right now. It's been doing me well for the past year, so I just renewed a couple days ago. No regrets at all.

Let's Encrypt is nice for your web server, but using that certificate at the ELB may not be so trivial. I hope that Amazon will offer free SSL certificates for ELB. Their custom SSL certificates for CloudFront currently cost the outrageous $600/month (well, $20/day), and recently they added free SNI certificates, so, for CloudFront, they still may charge us, but, hopefully, a lot less than the crazy $600!
Nearly every CA already has an API to do cheap/free level (DV) SSL certificates for domains you control - all you need is one of:

- an admin-looking email address

- email mention in whois

- ability to upload a file

- ability to add a DNS TXT record.

Yes, that's a fairly low bar, that's why live.com gets taken over every few years with the same fake-DV-cert attack. This is also why EV certificates exist. Disclaimer: https://certsimple.com, where I work, sells EV certificates, we specifically don't sell DV certs.

Unfortunately I don't think that the level of differentiation provided in current browser implementations to EV certificates has users noticing when they get one.

I'd consider myself relatively security-savvy and I honestly couldn't tell you which of the sites I visit uses EV certs, and I'm fairly sure I wouldn't notice the browser bar change from green if a site got MITM'd with a valid DV cert after having an EV cert.

Pinning obviously helps in that case but AFAIK that works just as well for DV certs as EV.

Certly (which I founded) is working on an API for doing exactly this. You'll have to write your own tool to query our API (for now), but who knows what'll happen in the future.