I’ve written before about the need for a good SSL (TLS) certificate for even the most mundane sites and suggested using HSTS to make sure visitors are secure. I’ve always believed that the success of this blog in Google search results for AWS and PowerShell topics is due to a combination of the content and the effort to make the site responsive and secure.
I’ve also been a big supporter of and have used Let’s Encrypt on this blog since the project’s early days. Let’s Encrypt hits its target in a way other free TLS certificates haven’t: it removes the cost and ease-of-use barriers to a good quality certificate. With Let’s Encrypt there’s no excuse to not have a working certificate for your site.
But Let’s Encrypt wasn’t designed for enterprise (today, meaning cloud computing) users. Its certificates are only good for 90 days. Their wildcard support is nascent. And there’s no enterprise-style support. These aren’t knocks on Let’s Encrypt — just a statement that for certain classes of applications, you need to seek out a certificate authority that provides the kinds of products and services at enterprise scale you can use, for example, in AWS load balancers (if you aren’t using AWS’s certs).
In my experience, you can cut the search for a great CA down to exactly one company: DigiCert. After hearing Steve Gibson’s repeated endorsements of them, I first used them three years ago by purchasing a wildcard cert for a client. Man, did we get our value out of that cert. I can’t count the number of systems and browsers which embedded that single wildcard cert. But I can count the number of times it was an issue: zero. Plus, DigiCert offers unlimited free duplicates and will custom generate a cert for you when you need a specific subject name (as long as it’s in the wildcard’s “base” domain). Best of all, they typically generate a non-complicated cert in minutes. It just couldn’t be higher quality or faster.
If you’re following along, you noticed I said I purchased a cert three years ago. It’s now renewal time. As always, that was a no-hassle experience with DigiCert. And getting the renewed cert installed on AWS was a no-brainer. But this client runs an internet-exposed SQL Server. Replacing the expiring cert on that instance, and in particular, making it work with SQL Server Reporting Services (SSRS) turned out to be a bear.
I tried everything; Bryan at DigiCert tried everything with me. We generated new certs; we used different CSRs; we compared certs field-by-field. Nothing worked — until, as a parting comment, Bryan said he wondered if SSRS wasn’t cleaning up after itself. It wasn’t, as you can read in my updated post, linked just above.
It’s that kind of support — the kind that sticks with you even when it isn’t the vendor’s problem that sets DigiCert apart. And it’s why, if you need an enterprise grade SSL certificate, you should buy it from DigiCert.
(NB: Bryan said that if I discovered the issue and sent him the link to the updated post for their internal wiki, DigiCert would comp me a one-year cert. So, this blog is now featuring a spankin’ new DigiCert wildcard cert until next year. Thanks, guys!)