Need a free SSL or mail certificate?

by Volker Weber

If you need a free Class 1 SSL or mail certificate, StartSSL is the way to go now. Thawte is closing down their freemail certificates, and Microsoft has just published a root certificate update which includes StartSSL root certificates. Other browsers and mail clients have had them for a while. So does Mac OS X:


If your visitors or mail receivers have the valid root cert, they will not be prompted to verify your certificate, a problem you often face with CAcert certificates.

More > (in german)


Huh? Thawte is closing their freemail certificates? Where did you get that information? I could not find any limitation on their homepage.

Ulf Jaehrig, 2009-09-26


Florian Steinel, 2009-09-26

Was there a notification to the notaries? I don't remember any.

Christoph Rummel, 2009-09-26

I have a freemail certificate and I got an expiry notice, but I just thought I had to renew it (not done it yet)...
Expiry Date : 11/18/2009
Dear Alex Boschmans,
Your current thawte Personal E-mail Certificate/s are due to expire soon, details thereof as above.

If you would like to continue to use a thawte Personal E-mail Certificate, please request a new one, using your thawte ID and password to access your Personal E-mail Certification Account by logging in here.

thawte offers the following products in our SSL certificate range:

Alex Boschmans, 2009-09-27

Christopher: I am a Thawte Notary and got a notification of the shut-down on Thursday. Verisign are "giving away" a one year mail certificate to notaries, presumably in the hope that after a year we will forget the betrayal and start paying them money for nothing.

Alex: That's just the usual notice. Don't bother renewing; they are revoking the root authority in November.

Simon Phipps, 2009-09-27

Thanks, Simon, I am a notary too, just as vowe is, but I didn't get any notification. Maybe they aren't done sending them out yet.

Christoph Rummel, 2009-09-27

I'm also a Thawte Notary and also got no notofication, anyway.

Sad, that you here only get Class 1 free and Class 2 (or Class 3) costs (even if they only cost 29,- anual fee) and even to become a StartSSL Notary you have to pay for the Class 2 Certificate. Understandable, but not necessary.

Henrik Heigl, 2009-09-28

I'm also a Thawte notary and got no notification.

Anyhoo, I decided to try one of these StartSSL free certs on a Domino server - just to see if it works.

Skipped the first step in the process (generate private key) as Domino creates its own keyring and generates a certificate signing request.

Pasted the Domino CSR into the StartSSL Submit Certificate Request form and got this response:

MD5 Signature Algorithm Detected

* Your certificate request was created with a potentially weak signature algorithm.
* For more information please see this FAQ item.
* Please change the signature algorithm to SHA1 or better, create a new CSR and try it again!

This is on a Domino 8.0.1 server.

Anyone know if 8.5 or 8.5.1 implements a more secure signature algorithm for SSL?

Chris Linfoot, 2009-09-30

Almost 2 weeks later I just got mail from Thawte about the discontinuation. They seem to be really slow with sending out their mails.

Christoph Rummel, 2009-10-08

I am a Thawte Freemail user and a StartSSL notary. For Class 2, you don't *have* to pay if you are approved by an existing notary. Class 1 is still normal Freebies just like thawte. The only time that StartSSL asks that you pay for Class 2 is if you're wanting it *now* for professional reasons or if you want to be a Notary in a place where notaries aren't convenient.

So there are free options should you pursue it...

Don Fanning, 2009-10-12

And today I finally have my notification from Thawte. Slow is right.

Chris Linfoot, 2009-10-14

Me too. Strange. Can’t say I’ll miss the Notary process though; I got quite a lot of stick from strangers wanting me to travel all over the place for them.

Ben Poole, 2009-10-14

Old archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.


Paypal vowe