If you don’t want to read the details, then the title is enough. StartSSL is fine if you want a free certificate. Once you decide to give them money, you embark on a journey down a road of pain and frustration. I haven’t written a blog post in over a year but right now I’m feeling so frustrated that I have to put my thoughts down somewhere and I thought if I can save one other person the same struggle, then maybe it’s worth sharing.
A few weeks ago, I decided that I’d had enough of gmail and zoho and other mail services and so I began the process of hosting my own email. This is a daunting task, but I’ve experimented with it before and I work as a professional who deals with email “internals” and so I know what I’m getting into. I found a great series on Ars Technica by Lee Hutchinson called “Taking back your email” and in part 2, Lee warns that if you don’t have a valid SSL cert for your server, you’re going to have a bad time. He recommends StartSSL because they’re known for their free option and Ars had posted about them before.
I don’t want to host just one domain’s email, however. My plan is to host my personal email (I have a couple of domains, including this one), as well as email for my wife’s business, and the email for my now mostly-dormant side business. In total, it’s about 5 domains’ worth of email. This is important because a free StartSSL certificate is only valid for 1 domain. If you want a multi-domain cert, you need to pay for validation.
I was so excited about this process that I thought, “Sure! I’ll validate! I’m not doing anything illegal and this company seems to be trusted by a lot of people…” and then I paid them $59 to look at my identification. I then realized that my personal address would be on the certificates (if anyone were to look), and since I’ve got an LLC formed I thought it would be a good idea to register the certs under that name and address. Of course, validating the LLC costs another $59. It was during this process that I started to feel something was wrong.
At first glance, the price matrix on the StartSSL site seemed to imply that it was $59 for personal validation and that the $59 for business validation covered the personal validation it requires. There’s an asterisk that says “personal validation is required.” It was my mistake, of course: it’s $59 each for personal and business. I was okay with that, however. I thought, “Okay, great! I’m now validated as a person AND a business. I’m double validated!” In addition, a business-validated cert would be valid for 3 years, which I thought was awesome. I felt a little weird having handed over to this company every piece of personal and business identification, but I thought that since I wasn’t going to break any laws, and this company wasn’t some unknown Internet fly-by-night, I wouldn’t have much to worry about. I trust people that have trusted them; it’s a chain of trust, not unlike the chain of trust that makes SSL certificates “work.”
So here’s where things went horribly wrong. I logged into the StartSSL portal and filled out the form for my new certificate. Having paid, I now had the option to get a multi-domain certificate, and I added all of the domains I need to host. After I submitted the form, it said the request would be held for moderation by an admin, which I didn’t think was a problem. My request was denied, however. I wrote to support to find out why, and I was told that a business-validated account is only allowed to create certificates for that business. “Fine,” I said. My LLC is a technology business that handles email solutions (it is!). “I am hosting email for myself and my wife, so what’s the problem?” The problem, I was told, is that according to the StartSSL rules, you can’t have personal domains on the same certificate as your business domains. In fact, you can’t use your business-validated account to create certificates for yourself at all. The way it’s stated is: “Also note that certificates with an Identity Validation may be obtained only for personal domains and sites of the verified subjects. Certificates intended for an organizational entity (business, company, association etc.) must enroll for the Organization Validation. The subject of the certificate will state the validated entity.” So what that means is, I’m screwed. I paid nearly $120 for a multi-domain certificate, and I can only use it for 1 domain, a domain I only use once in a while, at that.
I explained that I was confused about this, and “Refund is impossible” was the official response from StartSSL. PayPal said, “We do not offer payment protection for virtual goods or services,” so there’s no help there either. I was so excited about my email hosting project that I lost sight of some important things. I should have done more research! Had I read about Dan’s experience in his post “Avoid StartSSL Like The Plague,” I might have saved myself the trouble. If I had talked to the people at namecheap, who assured me that their multi-domain option would be fine for my purposes, I might have saved some money too.
I’m not saying StartSSL broke any laws, or flat-out swindled me. I do, however, feel cheated. I like to think I’m a pretty smart guy: I’ve got a college degree, and I’m a software engineer. I read “The subject of the certificate will state the validated entity” and thought, “Well, I’ve validated my personal identity and my business identity, so I’m fine.” Maybe I should have had a lawyer go over the T&Cs before giving up my money? I hope you avoid the same mistakes!
EDIT: Truth is, I never needed a multi-domain cert to accomplish what I wanted anyway – but my point still stands!
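As an added illustration, not part of the original post, of what the "multi-domain" distinction above actually amounts to on the wire: the extra names on a multi-domain certificate live in the subjectAltName (SAN) extension, and that SAN list is what a mail client or browser compares against the hostname it connected to. A mail server answers on one hostname, and every domain's MX record can point at that hostname, so a single-name cert for it covers all the domains; the script below generates a throwaway self-signed cert with a SAN list and then checks which names it covers, so you can run the same `cert_names`/`covers` check against a real `cert.pem` before paying anyone for extra names. The hostnames `mail.example.test`, `mail.wifebiz.test` and `mail.sidebiz.test` are constructed placeholders; the script assumes `openssl` 1.1.1 or newer (for `-addext` and `-ext`).

```shell
#!/bin/sh
# Added example, not code from the original post.
# Build a self-signed certificate that covers several mail hostnames via the
# subjectAltName extension, then check which hostnames it actually covers.
set -e

WORK=$(mktemp -d)

# Issue a throwaway self-signed cert whose CN is the mail server's hostname and
# whose SAN list names the other (placeholder) hosted domains. A CA-issued cert
# carries the same extension; only the issuer differs.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=mail.example.test" \
    -addext "subjectAltName=DNS:mail.example.test,DNS:mail.wifebiz.test,DNS:mail.sidebiz.test" \
    >/dev/null 2>&1
}

# Print the DNS names listed in the cert's subjectAltName, one per line.
# The extension prints as "DNS:a, DNS:b, ..." on one line, so split on commas
# and strip the "DNS:" label.
cert_names() {
  openssl x509 -in "$WORK/cert.pem" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if the cert covers the given hostname. Clients match against the SAN
# list rather than the CN once a SAN is present, so only SAN entries count here.
# Exact match only; wildcard names are not handled.
covers() {
  cert_names | grep -qx "$1"
}

# Stand-alone usage: build the cert and report on each hostname.
if [ "${1:-}" = "--demo" ]; then
  make_cert
  for host in mail.example.test mail.wifebiz.test mail.other.test; do
    if covers "$host"; then
      echo "$host: covered"
    else
      echo "$host: NOT covered"
    fi
  done
fi
```

To inspect a live server rather than a file, feed `openssl s_client -connect mail.example.test:993 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` into the same `tr`/`sed` pipeline; if the hostname your MX records point at is in that list, you do not need a multi-domain certificate for the domains behind it.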