Securing a Digital Certificate

by Dr. Ralph F. Wilson
Web Commerce Today, Issue 3, October 15, 1997 Securing a Digital Certificate is little better than going to the dentist to have a cavity filled. It can be a real pain.

1. Find out from your Web hosting service what procedure they want you to go through to secure your digital certificate.
2. Fill out the Certificate Authority's online form, and fax and later mail to them evidence that you are a legitimate business.
3. Make sure that your Web hosting provider does its part by generating a public key and sending it to the Certificate Authority.
4. Wait for them to process your application, calling them repeatedly when it seems to be taking too long.
5. Once you receive the digital certificate via e-mail, send it on to your Web hosting service.
6. Keep after your Web hosting service until they actually install the Digital Certificate on your website and you verify that it is working.

If your website designer will do all this for you, it is worth whatever fee you are charged.

But, unlike a toothache that you must have filled, sometimes you don't have to get a Digital Certificate at all if you can use your Web host's certificate. Not all Web hosting computers are set up to allow this, but if yours is, this is how it might work. As you may know, with many Web hosting services you can access your website with two URLs:

• Through your own domain, http://www.mystore.com, or
• As a subdirectory of your Web host's domain, such as http://www.webhost.com/~mystore/.

Web hosts might allow you to put your secure pages in a special subdirectory in your webspace, or alternatively, access any webpage in your site using your Web hosting service's domain, such as https://www.webhost.com/~mystore/creditcard.html. You'll need to ask your Web hosting service whether they allow you to use their Digital Certificate, and, if so, exactly how to access those secure pages.

Is there any disadvantage to using your Web hosting service's Digital Certificate? I don't see a strong downside here. If you change Web hosts, you'll just change the way your customer's access the secure order page, since you'd seldom if ever give out that URL publicly. Cindy Shopper will probably never know the difference, since she probably doesn't watch URLs on her screen, and since her transaction is no less secure. If possible, use your Web hosting service's Digital Certificate to save both hassle and dollars.

---

Contacts and prices as of October 1997:

Thawte Certification, South Africa, US$125 initial, US$100 annual renewal, and accept payment by accept payments by credit card, SWIFT, check, electronic funds transfer and cash. http://www.thawte.com

VeriSign, Inc., California. US$349 initial (US$449 for servers outside the US), US$249 annual renewal (US$349 outside the US). VeriSign argues that their higher price is justified by included insurance which covers against loss, and by their rigorous inhouse security procedures to safeguard sensitive information. http://www.verisign.com/products/sites/

---

You may read other articles from this issue