Friday, January 19, 2007

The importance of choosing the right SSL certificate issuer

In a previous post I talked a little about where I prefer to buy SSL certificates. Comodo Group has a site called www.instantssl.com that is:

  • Cheap.
  • Fast.
  • Good service.

I renewed my company's certificate for our mail server yesterday. This is a trivial task and I could not see any challenges with this task.

Oh, I was wrong. Our Windows Mobile cell phones did not handle this so well.

How do certificates work?

A certificate is a proof of something. All certificates need to be issued by a known authority. Common well-known certificates are:

  • Driver's license.
  • Passport.
  • Your identity card.

But how do you validate certificates you do not know? In the computer world we have something called a root certificate store. This store is a list of all issuers that we trust. Unfortunately, this list is maintained separately by each application or vendor. Here are some examples of different applications:

  • Opera web browser
  • Nokia cell phones
  • Sony Ericsson cell phones
  • Firefox browser
  • Internet Explorer
  • Windows CE (with variations: Windows Mobile and SmartPhone). CE does not share a root certificate store with Windows, and it can be hard to add new root certificates.

A root certificate is the same as the certificate authority or issuing certificate.

The root certificate store in Microsoft Windows is updated by Windows Update and contains lots of issuers. Some applications, many from Microsoft, are using Microsoft Cryptography Services and benefit from the same root store.

Why the certificate issuer is important

The issuer of the certificate is important, because you need that issuer supported on your target device. On most devices you can add a new root certificate yourself, but if you have 100 devices from 10 vendors this task is time-consuming. And many SmartPhones are restricted from doing so. I came across some HTC phones the other day shipped from Dangaard. If I want to add my own root certificate they have to sign a deployment file. And they will charge me about €500 for the job. Easy money? :)

You should check your target applications for compatibility before you purchase a certificate!

Comodo and InstantSSL

Comodo does not have their own root certificate, or at least they are not using it. But they have access to many root certificates via their own intermediate issuing certificates. In the past Comodo has issued certificates from GTE CyberTrust Global Root, but recently they changed to AddTrust External CA Root. They claim to have 99.3% browser compatibility.

AddTrust is not supported out of the box on Windows CE, and we have lots of cell phones based on this operating system...

I called their technical support and asked what to do. They told me to create a support ticket on the web and make a new CSR. I did so and within a few hours they gave me a new certificate with GTE CyberTrust Global Root as the issuing certificate. This is the first time I used their support but it worked out well in the end!
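
One way to run the compatibility check recommended above, as an added example that is not from the original post: it builds a throwaway PKI with `openssl` (OpenSSL 1.1.0 or later assumed) in which two generated stand-in roots play the roles of AddTrust External CA Root and GTE CyberTrust Global Root, then verifies the first and the reissued mail certificate against a desktop-like and a handheld-like root store. All names, store contents and file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: the "-standin" roots are generated
# here and only play the roles of the two roots named in the post.
set -eu
W=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$W/leaf.ext"

csr() {      # csr NAME: fresh key and CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
root() {     # root NAME: self-signed CA certificate
  csr "$1"
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 2 \
    -extfile "$W/ca.ext" -out "$W/$1.pem" 2>/dev/null
}
issue() {    # issue NAME ISSUER EXTFILE: certificate signed by ISSUER
  csr "$1"
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 2 -extfile "$W/$3" -out "$W/$1.pem" 2>/dev/null
}
anchors_in() {   # anchors_in STORE LEAF INTERMEDIATES: 0 if the chain ends in STORE
  # -no-CApath keeps the system trust directory out of the answer.
  openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

root addtrust-standin
root gte-standin
issue issuing-via-addtrust addtrust-standin ca.ext
issue issuing-via-gte      gte-standin      ca.ext
issue mail-first   issuing-via-addtrust leaf.ext   # certificate as first delivered
issue mail-reissue issuing-via-gte      leaf.ext   # reissued from a new CSR

# Constructed root stores: the handheld lacks the addtrust stand-in.
cat "$W/addtrust-standin.pem" "$W/gte-standin.pem" > "$W/desktop-store.pem"
cp  "$W/gte-standin.pem" "$W/handheld-store.pem"

report() {   # report STORE LEAF INTERMEDIATES
  if anchors_in "$W/$1.pem" "$W/$2.pem" "$W/$3.pem"
  then echo "$1 trusts $2"; else echo "$1 REJECTS $2"; fi
}
report desktop-store  mail-first   issuing-via-addtrust
report handheld-store mail-first   issuing-via-addtrust
report handheld-store mail-reissue issuing-via-gte
```

For a real purchase decision, the store files would be the root certificates exported from each target device, and the leaf and intermediates would come from a certificate the candidate issuer has already issued.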
