Certificate Fun – StartCom

I have been using StartCom for certificates for quite some time, because they offer them for free and have always been reliable.  This was the case for both work and home.  This blog runs on my home server.

Thanks to some funny business by the company that purchased StartCom, they have been targeted for distrust by major browser vendors.  Mozilla opted to distrust all certificates issued by StartCom after a certain date.  Google initially did the same thing with Chrome, but later they got more aggressive.

At work, we actually paid StartCom for their service, because we wanted to create certificates that they don’t issue for free.  We only had one certificate that ran afoul of Mozilla’s changes, all the rest still work just fine in products like Firefox and Thunderbird.  At home, I had a number of certificates issued after Mozilla’s cutoff date.  I was definitely caught off guard.

At work, I obtained a new certificate from LetsEncrypt to replace the one certificate that we couldn’t use any more.  At home, I didn’t take any immediate action, even though most of my personal secure sites began failing in both Firefox and Chrome.

Then, as mentioned above, Google got even more aggressive in Chrome version 58, and suddenly most of the certificates at work were failing validation in Chrome.  A few that were really old and approaching expiration still worked.  Keep in mind that every single one of these certificates was still accepted without issue by Firefox.

We have mostly fixed the problems at work by obtaining an relatively inexpensive certificate from one of StartCom’s partners that contains wildcards to cover most of the certificates that we could no longer use.  For some of the rest, I have created LetsEncrypt certs.

At home, I have just completed a migration to LetsEncrypt for ALL of my active domains, including this blog.

All of the problems that StartCom has encountered were due to the actions of another company.  I think it was unfair of the browser companies to mark them guilty by association … but my opinion counts for little.

Distrusting New WoSign and StartCom Certificates

I have a solution, but it will require more effort to maintain, because LetsEncrypt certificates only last for 90 days.

Published by


Faced with the choice between changing one's mind and proving that there is no need to do so, almost everyone gets busy with the proof. -- J.K. Galbraith

Leave a Reply

Your email address will not be published. Required fields are marked *