| Comments

One of the new features in Silverlight 4 is the ability to sign your XAP applications so that your out-of-browser trusted applications look more friendly (trusted) to your users, they come from a verified publisher, and they can take advantage of the auto-update APIs in Silverlight.

If you don’t know what I’m talking about, here’s some resources for some background:

Basically if you are writing a Silverlight 4 trusted application, you WANT to be signing your XAPs.  The XAP sign process uses the normal Authenticode process for code signing. 

Thanks to our friends at GoDaddy, they want you to sign your apps as well and have them delivered from a verified publisher!  They are providing Silverlight developers a 50% discount on their code signing certificates for XAP signing!  If you don’t have a code signing certificate, now is the time!

To participate in this offer, be prepared to have all your information ready.  Certificates are issued to individuals/organizations.  It is much more of a verification process than something like an SSL web certificate.  In fact, the process actually involves human interaction!  You will be required to verify your information on your submission and perhaps be required to provide documentation of verification (if you are an organization readily found on the web, this usually isn’t a problem).  Follow the steps carefully and specifically.  I also recommend using Internet Explorer to go through the process to be safe.  Additionally, you will only be able to pick up your certificate from the machine you requested it on…so don’t pave that machine until you get it :-).

To take advantage of this offer, visit the GoDaddy code signing area and start the process.  You can choose a 1- or 2-year code signing certificate to apply this discount (might as well go for the 2 years so you maximize the discount).  Add the code signing certificate to your shopping cart then add this discount code in the promocode area: MSSILVER.  This will apply the 50% (of regular rates) to the 1- or 2-year code signing certs in your basket. 

Then complete your purchase.  Once complete you’ll receive email instructions on how to redeem the credit you purchased and start the verification process.  Be patient…this is not a 5-minute process.  In fact, in some cases it might take a few days to complete the verification process.

This offer is only good from 20-April-2010 until 20-May-2010 and only on 1- or 2-year code signing certificates, so act quick.  This is a great chance to get a well-known certificate authority code signing certificate.  During the order process you will be given the option to choose a Certificate Authority between GoDaddy and Star(something)…I recommend sticking with the GoDaddy CA on this one.

I hope you are able to take advantage of this offer.  This is a certificate that you can use to sign multiple applications…not just one, so it is definitely a worthwhile investment.  Make sure you timestamp your codesigns!!!

Hope this helps!

| Comments

In IIS7 you can do very simple testing for SSL related site hosting.  It literally is like a 2 click process:

Enter a name for the cert and done, you now have SSL on your box.  Of course this is a self-issued/signed certificate so it will do you know good in the real world, but for most of the developer world it will work fine.  There may be those times, however, where things may not be quite working right and you want to eliminate the self-signed cert form the equation to make sure it isn’t the issue.

This was the need in my case.  I’ve been doing some messing around with secure services and Silverlight scenarios and ran into one issue that I needed to eliminate the self-signed cert and get a ‘real’ one.  Self-signed certs have a quirky behavior in browsers and I just wanted to eliminate that in my test.

I shouted out on Twitter an ask of “cheap ssl providers?” and got a few responses:

I always forget about GoDaddy when it comes to anything but domain registrations but they do have a lot of other services and this reminded me that they do have a good price on SSL certs ($30/year).  Having had previous experience (and happy with) InstantSSL I knew of their offering as well.  My goal was not to secure a beefy e-commerce system, or help secure personal information, etc.  I needed “https:” and that little icon :-) -- that’s it.  So for me, low cost was what I was seeking – I had no need for any of the deluxe offerings.

With that in mind I didn’t want to purchase a cert from each on of these just to see what the deal was.  That being said, this isn’t all too fair of a comparison of them all, but only 2.  Please keep that in mind.  GeoTrust was by far the most expensive and I can’t quite tell why to be honest.  RapidSSL was pretty on par with everyone else.  OpenSSL.  Well, it’s free if your time is.  I mean it isn’t necessarily integrated into every server environment (yes I know it likely is in Linux), so be aware that there is some setup there.  Remember my goal: fast and cheap.

GoDaddy was offering $15/year SSL certs and InstantSSL had 90-day free ones.  Both perfect for my needs.  I didn’t find out about GoDaddy’s deal until after I started down the path of InstantSSL (which you’ll see was quick).  GoDaddy’s $30 price tag for my purposes was enough for me to consider just doing the free 90-day one from InstantSSL. 

Both processes would require me to create a request from my server.  I’m taking that part out of the equation.  The time I’m talking about is from request to issuer to installation and operational. 

IntantSSL had a simple form.  I input my CSR text added my contact information and clicked submit. 

I was told I’d get two emails: one verifying me as the domain owner (pulling contact information from WHOIS…another reason to ensure you always keep this updated correctly) and once complete a second one with my cert.  By the time I was done reading that sentence, the verification email was in my inbox.  Click on a link, cut/paste a code, click submit.  Inbox now contained my cert and instructions.  Installation was a breeze as i just processed the request and pointed the file.  Seriously, the total time was < 8 minutes.  2 emails, one click.  Having been a previous customer I can assure you that the process is the same should I have opted for their 1 year basic SSL at $80.  Just as quick (adding the purchase step in).

In that time I saw a twitter that GoDaddy had a $15 deal promotion.  I figured, what the heck, that price removed any barrier for even my test use of the cert.  So I started their process.  It went something like this:

    1. Buy cert, add to cart
    2. Go through 3 screens of add-on service (clicking ‘no thanks’ each time)
    3. Checking out (fast/simple)
    4. Received email – instructions weren’t too clear on next step
    5. Logged into account
    6. Navigate to certificates…realized i bought a “credit”
    7. Activate “credit”
    8. Go to cert manager
    9. Enter request
    10. Wait for verification
    11. Recieve certs.

It still didn’t take very long, but was noticeably more steps and not clear direction for a lay person I’d have to say.  I received the cert in my email with a link to instructions.  I was warned of this on Twitter that there would be an extra step.  It isn’t that bad, but is an extra step.  GoDaddy needs some intermediate authorities to be on the box before your certificate is trusted.  They ship these with your cert so you don’t have to go digging.  This step does involve opening Management Console, etc.  and then going to finalize the request in the IIS manager.  Overall time for GoDaddy – I’d estimate 15-20 minutes.  Still not bad…and the price is right.

I’ll stick with my GoDaddy cert of course because at the $15 price I got a full year so no reason to change now.  I would have to say that GoDaddy and InstantSSL both offered the easiest and fastest route to request –> operational I could have hoped for in the process.  I imagine by the name ‘RapidSSL’ that they’d be similar.

One Twitter comment was:

instantssl is actually the best quality for the price I've seen.

And having seen their offerings and been through their process, I’d have to agree.  Either way there is a list of folks to look at.  I’d recommend InstantSSL first, then GoDaddy based on my experiences.

Oh yeah, OpenSSL is free…if someone can convince me that I could have set it up in < 10 minutes I would have tried.  It took me longer than that to figure out what I might even have to do!