Choose the Right SSL Certificate

HTTPS is the de facto security protocol for web communications. Most modern browsers strongly urge web site owners to use HTTPS, which requires the web server to present a valid SSL certificate, rather than its insecure alternative, plain HTTP. This means that if you own a legacy web site that uses HTTP, chances are you will eventually have to move to HTTPS and acquire an SSL certificate.

However, when it is time to purchase a certificate you can be confronted with various certificate types, each featuring numerous technical features. Here at SSL.com we understand that selecting the appropriate certificate can be confusing, and for that reason we have created this article as a guide to the possible certificate types and how to evaluate if they suit your needs.

Certificate Taxonomy

Regardless of their type, all certificates have to perform one essential function: bind a public key to a specific identity, whether that is a person, a company or organization, or (for server certificates) one or more domain names.

Having said that, certificate authorities (CA) such as SSL.com can issue certificates for widely diverse purposes, ranging from securing small web sites to protecting large-scale public sector services or e-commerce web sites. Each case may impose different requirements in certificate policy or functionality, which is the reason that several certificate types exist.

More specifically, there are two characteristics that differentiate SSL certificates. These are:

  1. The level of validation a CA performs on the prospective certificate owner’s information, and
  2. the number and type of domain names (e.g. example.com, mail.example.com, *.example.com, etc.) that a certificate supports.

Validation Level

CAs are responsible for verifying the identity of every applicant before they issue a certificate. Depending on the certificate type, however, these validation checks can range from simple automated tests that prove control of a domain (for Domain Validated certificates) to thorough manual examination of evidence, confirmation through third-party databases and more (for Extended Validation certificates).

The higher a certificate’s validation level is, the more trust can be placed in that certificate. Users can more readily trust a web site that features an Extended Validation certificate with high-risk exchanges (such as payments or sharing private information), because a trusted CA has verified the owner’s identity.

Because it matters for security, browsers signal the outcome of certificate validation in the address bar with graphics called security indicators; the lock icon before the address of this web site is one. Historically, different indicators also denoted different validation levels, and web site owners could use a highly validated certificate to reassure visitors that they are a legitimate business. Note that current versions of the major browsers show the same lock icon for DV, OV and EV certificates: the verified organization details are still in the certificate, but a visitor has to open the browser's certificate viewer to see them.

The following sections describe the possible validation levels in ascending order. (Note that each level includes all validation of the lower levels, too – for instance, an Extended Validation server certificate has also undergone successful Domain Validation.)

Domain Validation (DV)

Domain Validated (DV) certificates are issued after a successful (and usually automated) challenge-response test. In one method, the CA randomly generates a unique token and requires the applicant to publish it at a predetermined location on their web server (a file under a well-known path). The CA then performs a series of automated checks to verify that the token is actually present on the server, which proves that the applicant controls the server and its domain. Other methods place the token in a DNS TXT record for the domain, or send it to a registered contact address for the domain by e-mail. If domain control is confirmed, the CA will proceed to issue a DV certificate.

Purchasing and installing a DV certificate is the simplest and quickest (and most affordable) method to protect your server. Most major browsers show a simple lock icon as a security indicator when visiting a site protected by a DV certificate.

Although DV certificates are perfectly fine for a low-traffic web site, they should typically not be trusted for high-risk transactions. A DV certificate proves only that whoever requested it could publish the token: if attackers compromise a web server and can alter the content the CA checks, they can pass the DV checks and trick a CA into issuing a valid certificate for that domain to themselves. Reputable CAs take various counter-measures to minimize this risk (such as checking the token from several network vantage points), which is one of the reasons to only work with CAs you can trust. Domain owners can additionally restrict which CAs are allowed to issue for their domain by publishing a CAA record in DNS.
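The file-based DV challenge described above, played out end to end on the local machine. This is an added example, not SSL.com's validation code: the challenge directory `.well-known/pki-validation`, the `<token>.txt` file name and the function names are assumptions for illustration, and the "web server" is Python's built-in static file server bound to 127.0.0.1. The CA side issues an unpredictable token, fetches it over HTTP and compares it with a constant-time comparison; any fetch error or mismatch is a failed validation, never a pass.

```python
"""Simulated Domain Validation (DV) challenge: the CA issues a random token,
the applicant publishes it at a well-known URL on the web server, and the CA
fetches that URL and compares the content.  Everything runs on 127.0.0.1."""
import functools
import hmac
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Assumed challenge path for this example; real CAs publish their own location.
CHALLENGE_DIR = ".well-known/pki-validation"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server for the applicant's webroot, with request logging silenced."""

    def log_message(self, fmt, *args):
        pass


def start_webroot_server(root):
    """Serve `root` on an ephemeral localhost port; returns (server, port)."""
    handler = functools.partial(_QuietHandler, directory=root)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def ca_issue_challenge():
    """CA side: a fresh, unpredictable token for each validation attempt."""
    return secrets.token_urlsafe(32)


def applicant_publish_token(root, token):
    """Applicant side: write the token where the CA said it would look."""
    target_dir = os.path.join(root, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)
    with open(os.path.join(target_dir, token + ".txt"), "w", encoding="ascii") as fh:
        fh.write(token + "\n")


def ca_verify_control(host, port, token):
    """CA side: fetch the challenge URL and compare it with the issued token.

    Returns True only if exactly the issued token is served.  A 404, a
    connection error or any other failure is a failed validation.
    """
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}.txt"
    # Ignore any proxy settings in the environment so the request really hits the target.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read(1024).decode("ascii", errors="replace").strip()
    except (urllib.error.URLError, OSError, ValueError):
        return False
    return hmac.compare_digest(body, token)


def run_dv_scenario():
    """Play out one validation against a temporary webroot.

    Returns (before_publish, after_publish, wrong_token): the check must fail
    before the token is published, pass once it is, and fail for another token.
    """
    with tempfile.TemporaryDirectory() as root:
        server, port = start_webroot_server(root)
        try:
            token = ca_issue_challenge()
            before = ca_verify_control("127.0.0.1", port, token)
            applicant_publish_token(root, token)
            after = ca_verify_control("127.0.0.1", port, token)
            wrong = ca_verify_control("127.0.0.1", port, ca_issue_challenge())
        finally:
            server.shutdown()
            server.server_close()
    return before, after, wrong


if __name__ == "__main__":
    print(run_dv_scenario())  # (False, True, False)
```

Note what the check does and does not prove: `applicant_publish_token` is the only step that needs access to the webroot, so anyone who can write files there (the legitimate administrator or an intruder) passes the same check. That is exactly the limitation described above, and why a DV certificate says nothing about who operates the site.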

If you are interested in purchasing a DV certificate, you can find more information about SSL.com’s Basic SSL certificates here.

Organization Validation (OV)

To issue an Organization Validated (OV) certificate, the CA confirms control of the domain (as with DV certificates), then adds manual vetting of the applicant's organization information through established and audited vetting processes. Typically, the CA will require verifiable supporting documents or direct contact with the organization's personnel. An issued OV certificate contains the verified organization information in its subject, which means it can provide a significantly higher level of assurance to end users than a DV certificate.

Medium-sized organizations that do not handle personal or private user information can benefit from using an OV certificate. Due to the more thorough vetting process, note that an OV certificate might take longer to issue compared to a DV certificate, and the involvement of human operators in the vetting process means that an OV certificate is also typically more expensive than a comparable DV certificate.

If you are interested, you can read more here about SSL.com’s High-Assurance SSL certificates.

Extended Validation (EV)

Extended Validation (EV) certificates provide the highest level of security and trust, as a CA will only issue an EV certificate once control of the domain and the legitimacy of its owner have been established beyond doubt. Extended validation includes both domain and organization validation, along with rigorous background checks (and cross-checks) on the applicant's organization by multiple human investigators.

These checks include verifying the legal, physical and operational existence of the organization, finding matching records in official government databases, and confirming through callbacks and other intensive methods that the organization actually authorized the purchase of the EV certificate.

Because of this extra level of validation, browsers used to show a special security indicator for EV certificates: in most major browsers the address bar turned green and displayed the verified name of the organization. The major browsers have since dropped this distinct EV indicator from the address bar, so today the verified organization name is visible only in the certificate details.

This is why EV certificates are widely used by e-commerce web sites and banks and are highly recommended for businesses that wish to build customer trust in their site. The complex checks required mean that it can take more time to acquire an EV certificate compared to those using lower levels of validation, and also mean that EV certificates can cost more than DV or OV solutions.

You can find more information on SSL.com’s EV certificates on this page.

Domain Support

Apart from the validation level, certificates can be categorized based on their support for different (or multiple) domains.

Server certificates include one or more valid domain names, and a browser always verifies that the certificate was issued for the HTTPS server it is visiting by matching the host name in the URL against those names.

Based on each purchaser’s needs, a certificate may contain one or more domains (e.g. example.com) or sub-domains (e.g. info.example.com). Domain support is not contingent on the level of validation, and most of the following certificate types are available in DV, OV or EV variants.

Single-Domain Certificates

A single-domain certificate allows customers to secure one Fully-Qualified Domain Name (FQDN) on a single certificate. For example, a certificate purchased for www.example.com allows customers to protect all pages under www.example.com/, such as www.example.com/register or www.example.com/certificates.

Single-domain certificates are ideal for businesses managing a small number of websites, but if your company anticipates the use of more domains or requires additional flexibility, convenience, or savings, you may be interested in wildcard or multi-domain certificates.

You can find SSL.com’s single-domain certificates here and here.

Wildcard Certificates

Wildcard certificates allow customers to secure all the sub-domains under a domain name. For example, a single wildcard certificate for example.com can protect example.com and any of its direct sub-domains (such as www.example.com, info.example.com or mail.example.com). Note that the wildcard name *.example.com matches exactly one label: it covers www.example.com but not example.com itself (which the CA lists as an additional name on the certificate) and not deeper names such as a.b.example.com. This can greatly simplify management of your security across multiple servers and sites (since one wildcard certificate can be used instead of multiple single-domain certificates), but note that wildcard certificates are DV or OV only; the EV Guidelines do not permit wildcard names in EV certificates.

If you are interested in purchasing a wildcard certificate, you can find more information on this page.

(If your company manages three domains or fewer, you might benefit from one of our Premium SSL certificates rather than a wildcard certificate.)

Multi-domain Certificates (a.k.a. SAN or UCC)

Multi-domain certificates can be found offered under different names, but are most commonly called Subject Alternative Name (SAN) certificates or Unified Communications Certificates (UCC). (The Subject Alternative Name extension itself is present in every modern server certificate, and it is the field browsers read the domain names from; the commercial term simply refers to certificates that list several different names there.)

SAN/UCC certificates allow web site owners to secure several distinct domains with only one certificate. For example, a single SAN/UCC certificate can be used to secure both www.example.com and www.example.co.uk. Please note that SAN/UCC certificates do not provide the same function as wildcard certificates, although a SAN/UCC certificate can list both wildcard names and names that are not sub-domains of the same domain.

A single SAN/UCC certificate can list a large number of different names, up to a per-certificate limit set by the CA. Customers can add or remove names by having the certificate reissued, which can help simplify management of your security infrastructure: administrators need only monitor a single certificate with one expiration date for all names, instead of multiple single-domain certificates. Bear in mind that every name on the certificate is visible to anyone who inspects it (and in public Certificate Transparency logs), so do not list internal host names you would rather not disclose.
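The name check a browser performs when it verifies that a certificate was issued for the server it is visiting, applied to the wildcard and SAN/UCC name lists discussed above. This is an added example, not browser or SSL.com code: the certificate contents are constructed in-line, the CA-specific policy OID in the second certificate is made up, and the small `validation_level` helper only inspects the CA/Browser Forum reserved policy identifiers that real DV, OV and EV certificates carry. It shows the wildcard rules (one label, leftmost position only, no bare-domain match) that the prose describes, and nothing else of certificate validation (chain building, expiry, revocation) is attempted here.

```python
"""Host-name matching against a certificate's Subject Alternative Names, the
way browsers do it, plus a helper that reports the validation level from the
certificate-policy OIDs.  Certificate contents below are constructed examples."""

# CA/Browser Forum reserved certificate-policy OIDs (Baseline Requirements / EV Guidelines).
EV_POLICY_OID = "2.23.140.1.1"
OV_POLICY_OID = "2.23.140.1.2.2"
DV_POLICY_OID = "2.23.140.1.2.1"


def _normalize(name):
    """Lower-case, drop a trailing dot, and reject empty or malformed names."""
    name = name.strip().lower().rstrip(".")
    return name if name and " " not in name else None


def name_matches(presented, hostname):
    """Return True if one dNSName from the certificate matches the host name.

    Wildcard handling follows RFC 6125 and browser practice:
      * '*' must be the entire leftmost label ('*.example.com', never 'w*.example.com');
      * it matches exactly one label, so '*.example.com' covers www.example.com
        but not example.com itself and not a.b.example.com;
      * at least two labels must follow the wildcard ('*.com' is refused).
    """
    presented = _normalize(presented)
    hostname = _normalize(hostname)
    if presented is None or hostname is None:
        return False
    if "*" not in presented:
        return presented == hostname
    pat_labels = presented.split(".")
    if pat_labels[0] != "*" or "*" in presented[1:] or len(pat_labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def certificate_covers(san_names, hostname):
    """True if any name in the certificate's SAN list matches the host name."""
    return any(name_matches(n, hostname) for n in san_names)


def validation_level(policy_oids):
    """Classify a certificate by its policy OIDs: EV, OV, DV or 'unknown'.

    Unknown is reported explicitly rather than silently treated as validated.
    """
    oids = set(policy_oids)
    if EV_POLICY_OID in oids:
        return "EV"
    if OV_POLICY_OID in oids:
        return "OV"
    if DV_POLICY_OID in oids:
        return "DV"
    return "unknown"


# Constructed certificate contents (not real certificates).  The second policy
# OID on SAN_CERT stands in for a CA's own policy identifier and is invented.
WILDCARD_CERT = {"names": ["example.com", "*.example.com"], "policies": [OV_POLICY_OID]}
SAN_CERT = {
    "names": ["www.example.com", "www.example.co.uk", "autodiscover.example.com"],
    "policies": [EV_POLICY_OID, "1.3.6.1.4.1.99999.1.1"],
}


def describe(cert, hostname):
    """Summarize whether `cert` is valid for `hostname` and at what level."""
    return {
        "hostname": hostname,
        "covered": certificate_covers(cert["names"], hostname),
        "level": validation_level(cert["policies"]),
    }


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com", "www.example.co.uk"):
        print(describe(WILDCARD_CERT, host))
        print(describe(SAN_CERT, host))
```

The two practical consequences are visible in the output: the wildcard certificate covers example.com only because the bare name is listed separately, and neither certificate covers a.b.example.com, so a second-level sub-domain needs its own name on the certificate.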

In addition, SAN/UCC certificates are ideal for Microsoft® Exchange and Office Communications environments, because their alternative names can cover the host names the Exchange Autodiscover service uses, which can make client administration significantly easier. (SAN/UCC certificates are also sometimes known as "Exchange certificates" for this reason.)

You can find more information about our SAN/UCC certificates here. For enterprise customers, SSL.com also provides our Enterprise EV SAN/UCC certificates.

If your company manages only three or fewer domain names (which may or may not be related sub-domains) you might consider a Premium SSL certificate.

Conclusion

Server certificates are a powerful tool to secure your site's data and reputation, and selecting the correct certificate to suit your needs can greatly minimize the cost and effort needed to administer your security infrastructure. We hope this article helps you better understand the variation in their features, issuance time and pricing, but we are always happy to help you find the solution that works for you. Feel free to contact us at support@ssl.com or via live chat for more information or recommendations.

And as always, thanks for choosing SSL.com, where we believe a safer Internet is a better Internet.