It wasn't me. You can't prove anything.


2011-04-26

SSL blows

Every step of SSL certificates is like pulling teeth to me. I'm not sure why. I get the basic idea of how this crap works. It is the details that kill me.

  • Buy a cert from a company.
    • Who do you go with?
    • Why is the price so frigging staggered all over the net?
    • Why is it cheaper in other countries?
  • Get a specific key off your machine from the correct software.
    • Doing this is different on all servers.
    • On renewals, can I use the old key?
  • Give that key to the place you bought the cert from.
    • Do I need to select a dedicated server or a third party dedicated server?
  • They generate a cert.
    • Wait until they "approve" you.
    • Make sure you know exactly how it will be used because the files are customized for that service.
  • Install the cert on the box you generated the key from.
    • Install multiple certs including a couple that make no sense.
    • The old cert is still hanging around. Do I remove it?
  • Somehow coax the software you need to use the cert.
    • Hold it, where are the settings for this? Does my software just need the cert attached to the web server on the box?

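The list above is the whole lifecycle, so here is the same sequence in working form, as an added example that is not part of the original post. It uses the openssl command line to generate a private key that never leaves the box, a signing request (the CSR, which is what actually goes to the issuer, not the key itself), and a self-signed certificate standing in for what the issuer would send back. It then adds the two checks the list is missing: whether a given cert file actually belongs to a given key file (so the "old cert still hanging around" and the "certs that make no sense" can be told apart), and whether a cert is within N days of expiring (the renewal reminder the boss worries about). The hostname example.test and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
set -eu

# Scratch directory for keys, CSRs and certs (constructed for the example).
WORK=$(mktemp -d)

# Step "get a key off your machine": generate the private key and a CSR.
# Only the .csr file is sent to the issuer; the .key file stays on this box.
#   $1 = file basename, $2 = hostname to put in the CSR subject
gen_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# Step "they generate a cert": stand-in for the issuer. A real CA signs the
# CSR with its own key; here the CSR is self-signed so the example runs offline.
#   $1 = file basename
issue_cert() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Check 1: does this certificate belong to this private key?
# A cert carries the public half of exactly one key pair, so comparing the
# public key derived from the .key file with the one inside the .crt file
# answers "which of these files go together" without guessing.
#   $1 = cert file, $2 = key file; returns 0 when they match
cert_matches_key() {
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$key_pub" = "$crt_pub" ]
}

# Check 2: is this certificate still good for at least N more days?
# -checkend returns 0 only if the cert will NOT expire within the given seconds.
#   $1 = cert file, $2 = number of days
cert_ok_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Usage: an "old" cert and key, plus a "new" key generated on renewal.
gen_key_and_csr current example.test
issue_cert current
gen_key_and_csr renewal example.test

if cert_matches_key "$WORK/current.crt" "$WORK/current.key"; then
  echo "current.crt belongs to current.key"
fi
if ! cert_matches_key "$WORK/current.crt" "$WORK/renewal.key"; then
  echo "current.crt does NOT belong to renewal.key (expected)"
fi
if cert_ok_for_days "$WORK/current.crt" 30; then
  echo "current.crt is good for at least 30 more days"
fi
```

On the renewal question in the list: a new CSR can be made from the old key (run the `openssl req` line against the existing .key), but the match check above is what tells you, after the new cert arrives, which key it was actually issued for.
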
Every step is fraught with peril, and all of it is multiplied by the number of certs you have to deal with. One of my bosses won't let me buy three or more years at a time because "We will forget to renew in time." Bah!

For example, I had to call support at our issuing company in order to figure out where the link was to renew an existing cert. It turns out I was just looking in the wrong place. It also turns out that you don't really renew a cert; you buy a new cert and start the process over again. I have to tell you that the guy had amazing patience with me. I know how frustrating I can be when I can't figure out something that I feel I should know.

Why is this so hard? Shouldn't industry make it easy for people to make their systems more secure?
