We launched CertSimple on 16th of March with a post to Hacker News. While we didn't have every feature we wanted in the product yet, we still had a substantial improvement over the existing SSL market:
So with those features we launched.
We started making money on the first day, we made $4078.08 USD in the last six weeks.
The industry's normal estimate for an EV certificate is 7-10 days, and our founder Mike started the company after waiting 3 weeks for an EV cert from GoDaddy. We thought CertSimple would be faster than existing SSL providers before we launched, but we didn't have any numbers to prove it.
Since we've launched we've been able to put a number on that: we issue EV certificates in an average of 5 hours. In some cases much faster.
This means we're likely the fastest place you can get an EV certificate.
This is nice, but more importantly launching and collecting this data allowed us to put a real number against the speed and simplicity claims, for people who need to launch their web apps now and don't want to wait to do so.
We focused on web developers because they're usually the ones charged with getting SSL certificates - they're also the ones who have to tell someone else that there's a 10 day delay until their EV certificate gets verified. So far, that's been true: every single customer we've had is a someone making a web app of some kind.
We hoped our happy customers would Tweet about us, and some did: we've had a some great Twitter testimonials. However, we've also been reminded that the the vast majority of developers aren't the Tweeting, conference going type. We've had robotics academics in California who are too busy working to follow important events and customers in non-English speaking markets.
The most effective marketing we've been doing is actually making useful stuff. We've published 9 blog articles, frequently also publishing code, on topics randing from SSL configuration, cleaning out all the junk you see in whois results, measuring RSA performance, using Mozilla's Server Side TLS settings on NPM, command comparison across server Operating Systems, and a bunch of other topics.
Asides from being useful, we hope these articles establish that CertSimple actually cares about the same things as our customers: developing and deploying web apps. We can and do talk technically with customers as peers. Most SSL vendors have 'SSL experts' who don't know what a certificate subject is. You can't measure it easily, but we think being involved in the same industry as our customers makes us more appealing.
Customers have even suggested article topics they'd like us to cover in future - we're planning to do follow a few of those suggestions.
One thing with the SSL industry is that not everyone needs a certificate now. We've been as helpful as possible to people who probably won't be customers in the immediate future: frequently providing some advice about cipher config, or domain registration. We haven't and won't see revenue from these people in the short term. But we have gotten:
seriously, this has been the best thing since sliced bread, the wheel and fire.
Which, asides from being good to hear, is a fairly good indication when the time comes they'll pick the SSL vendor they've actually had a conversation with rather than the one they haven't.
Interestingly, we've attracted attention from developers who don't have a web interface to their apps - eg, they're a REST API with iOS and Android clients. In that case, we've pointed out that EV isn't relevant for them. Identity checks for iOS and Android apps are done via code signing in their respective app stores. Futhermore, and if there's no browser UI, there's no green bar. We've happily directed their business towards free or cheap non-EV certificates that will suffice in these occasions.
We also decided to run a Google Adwords campaign. We ran what we thought was tight copy: our founder Mike has written professionally in a past lifetime. We ran a campaign for around a month and followed every suggestion Adwords gave except the massive amounts of unrelated keywords. In the month we ran the campaign, not a single sale was from AdWords.
In all, we would have been better taking the time and money we spent on AdWords and doing something useful for potential customers.
Customers don't always use things the same way you do. We'd thought that most developers using Windows desktops would also be using Windows servers - we'd add the ability to switch later. Almost immediately after launch someone asked us to show instructions for Linux/Unix servers on their Windows browser.
Another customer pasted a huge pre-seperated list of server names straight from a spreadsheet, which broke the tags widget we were using. We added support for doing that the same day.
There's been one negative thing that's happened: at one point our bank decided to flag the large volume of payments from our account to our CA as fraud. This stopped us from processing orders. It took a while to resolve the issue, and though it was eventually fixed, and workarounds added for the future, we had to refund a customer whose order was unable to be processed during the period. In an otherwise happy month this felt awful: we hate for even one customer to be disappointed. If you run a startup involving online payments, you should be aware of this risk and take steps to avoid the same thing happening to you.
However, looking back: we're glad we launched early and identified these issues before we grew any larger.
We've also made a couple of changes since launching:
We launched live checking of qualified government information sources - one of the main requirements for Extended Validation - in 42/50 US states and an additional 60 countries. You can now just start typing the name of your company and it will autocomplete from your country or state.
We've upped our donations - from 10% of profit to 5% of revenue. Since our CA takes a large chunk of our revenue, the change has more than doubles the amount going to Open Source projects. Our last payment was to The OpenBSD Foundation, for $203.90, #23501861KT816931U.
More useful research for people making web apps! We're going to look at ECC performance and certificate deployment options soon.
For the company: we're building relationships with a few key folk in the industry.
We'd like to get funding to grow CertSimple. Helping companies prove their identity online in a non-awful way is a great business that helps everyone involved. EV certificates shouldn't be reserved for big technology companies but rather anyone who wants to prove their identity online.
If you're interested in making that happen - or have any other thoughts - email our founder on firstname.lastname@example.org. Thanks!
Mike MacCana, founder at CertSimple.
An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!