ipSCA offers free 2-year certificates for EDUs. But, back in 2009, their root CA expired, and since then, many browsers don’t trust their certificates. And while this isn’t a huge issue for the well-informed IT crowd, it does pose a problem for the average user. Especially with browsers like Firefox that present certificate trust errors like the world is coming to an end.
This largely started when work was rolling out a product called Webcheckout as a solution to a years-long issue we’ve had, and almost every other educational institution has, of equipment reservation and checkout. Since we’ve been doing this, it’s been paper-based, and the gatekeepers of equipment are student employees. Neither of these things scale well, as we saw last year when we first started seeing students erasing each other’s reservations for equipment. (In fairness, last year was really the first real year of our new curriculum, which puts a much higher load on our equipment. Previously only a small subset of students, maybe 150-200, used equipment. Since the change, that number is about 500-600 students.) So, with this software, students log in and reserve equipment based on type (“I want a video camera, and tripod”, rather than “I want video camera 2, and tripod 5”).
Anyway, since they’re logging in using their school credentials, I obviously wanted to move the system over to an SSL connection. Knowing that ipSCA offered free 2-year SSL certs to EDUs, I went and got one, and installed it on the webserver hosting Webcheckout. And what do I find, but very few browsers (basically, only those on Windows that pay attention to the Microsoft Root CA list) trust the ipSCA certificate. So, I went about poaching info from here (with permission) to detail to students/staff/faculty at home (since I could push out the CA to all the building computers) how to add, and trust, the ipSCA root CA. And while the document turned out pretty well, it didn’t really fly with my boss. He took one look at the hoops, and said “how much is it to pay for a real certificate?”, at which point we bought one from GlobalSign (who the campus almost exclusively deals with).
So, the long and the short of it is… you get what you pay for.