How to choose a certificate authority

Linux Box Admin gives a brief look at which qualities to look for when choosing a certificate authority from which to buy SSL certificates. This article brings up some good points, especially about trust:

The goal of using SSL is to prove your identity (either as a server or a client). To do that, you have to trust the certificate authority, the certificate authority has to trust you (by verifying you are who you claim to be), and the client has to trust the certificate authority. If you pick a CA that your clients don't trust, you lose business.

The procedures and policies used by different CAs to verify your identity are not uniform. Sometimes, a CA will require printed letterhead with the address of your organization on it and follow up with a phone call to the contacts. Some go further and look up Dun and Bradstreet information or use online resources. One CA I worked with recently required that the domain be listed in a particular WHOIS database. These details may add to or diminish your confidence in the judgment of a CA. One that does no verification at all won't instill a lot of trust in your clients.
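The point that the client has to trust the CA, not just the server, can be shown concretely with a small demonstration. This is an added example, not part of this post or the Linux Box Admin article: it assumes the openssl command-line tool is installed, builds two throwaway root CAs (Demo Root A and Demo Root B, names made up for the example), issues a certificate for the hypothetical host www.example.test from Root A only, and then validates that certificate against each root in turn. The temporary paths and the build_demo and verify_against helper names are likewise assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI exists.
# Shows why a server certificate is only useful when the client trusts the
# issuing CA: the same certificate passes against Root A and fails against
# Root B, because it chains to a trust anchor only in the first case.
set -eu

# build_demo: creates two constructed root CAs and a server certificate issued
# by Root A in a temporary directory; prints the directory path.
build_demo() {
  WORK=$(mktemp -d)

  # Minimal OpenSSL config so the roots carry CA:TRUE regardless of the
  # system-wide openssl.cnf (a root without basicConstraints is rejected by
  # openssl verify).
  cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # Two independent, self-signed roots (throwaway keys, constructed for the demo).
  for name in a b; do
    openssl req -x509 -config "$WORK/demo.cnf" -extensions ca_ext \
      -newkey rsa:2048 -nodes -keyout "$WORK/ca_$name.key" -out "$WORK/ca_$name.pem" \
      -subj "/CN=Demo Root $(echo "$name" | tr ab AB)" -days 1 >/dev/null 2>&1
  done

  # A key and CSR for a hypothetical server, signed by Root A only.
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca_a.pem" -CAkey "$WORK/ca_a.key" \
    -CAcreateserial -out "$WORK/server.pem" -days 1 >/dev/null 2>&1

  echo "$WORK"
}

# verify_against TRUSTFILE CERT: succeeds (exit 0) only if CERT chains to a
# root contained in TRUSTFILE. -no-CAfile/-no-CApath exclude the system store,
# so TRUSTFILE is the client's entire set of trusted CAs for this check.
verify_against() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration.
DEMO=$(build_demo)
if verify_against "$DEMO/ca_a.pem" "$DEMO/server.pem"; then
  echo "client trusting Demo Root A: server certificate accepted"
fi
if verify_against "$DEMO/ca_b.pem" "$DEMO/server.pem"; then
  echo "unexpected: certificate accepted by a client that trusts only Demo Root B"
else
  echo "client trusting only Demo Root B: server certificate rejected"
fi
rm -rf "$DEMO"
```

The second check is the business case the quoted article is making: a certificate from a CA your clients do not trust validates nowhere on their side, no matter how carefully that CA vetted you.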

Originally posted on Sat Jun 30, 2007

