How to Choose the Right SSL Certificate
When migrating to HTTPS, you have to choose and purchase an appropriate SSL certificate. Hosting providers offer a large number of certificates, ranging from $10 to $1,000 per year. At first glance it is unclear how they differ and which one is right for your website. We have gathered useful tips on which factors to consider when choosing an SSL certificate.
1. What Is SSL and Why Use It?
SSL (Secure Sockets Layer) is a standard internet security technology that is used to provide an encrypted connection between a web server (website) and a browser. SSL certificates allow us to use the HTTPS protocol. This is a secure connection that ensures that the information transmitted from your browser to the server remains private. That is, data are protected from hackers or anyone who wants to take advantage of private information. One of the most common examples of using SSL is client protection during online transactions (goods purchases, payments, etc.).
Google considers security one of the most significant aspects of its policy, so websites with HTTPS (using SSL certificates) have been ranked higher than websites without it. Moreover, if you are still on HTTP, users will eventually receive the insecure connection warning.
Makes you wonder, doesn't it? So let’s dig further.
2. Types of SSL Certificates
First of all, you should define what level of security you need. Based on that, you can choose which type of certificate suits you best.
2.1. Domain Validated SSL Certificates
These are the simplest ones and they satisfy the demand of getting a certificate urgently (as they are issued instantly).
Before getting this type of certificate, you will receive a letter from the CA (certificate authority, an organization with the right to issue SSL certificates) with a special link. All you need to do is click on this link and confirm the issue of the certificate.
An important point is that this letter can be sent only to the so-called approver email, which you specify when ordering a certificate. The domain of the approver email must be either the same as the domain for which you order the certificate or specified in this domain’s WHOIS record.
SSL certificates with domain validation are issued when the certification authority has verified that the applicant has rights to the specified domain name. Information about the organization is not verified and is not displayed in the certificate.
2.2. Organization Validated Certificates
This type of certificate already contains the name of the organization and individuals cannot receive it. The issuance period varies from 3 to 10 days. The CA checks whether this organization really exists and whether the domain belongs to it.
2.3. Extended Validation Certificates
These are the most expensive certificates and the hardest to get. Not only the domain is checked, but also all information about the organization: legal, physical and operational activities of the entity, official documents proving that the company has the exclusive right to use the domain. The green bar in the browser with the name of the organization indicates that the organization has undergone an extensive check.
3. Different Types of Domains
SSL certificates differ in securing certain types of domains, as well as in advanced capabilities. What features should you consider when buying a certificate?
3.1. Single-name SSL Certificates
Such certificates protect a single domain. This means that if you purchased a certificate for www.justiceleague.com, it wouldn’t secure flash.justiceleague.com. It can, however, also secure the root domain justiceleague.com.
3.2. Multi-Domain Certificates
These are used for several different domains hosted on the same server. Some projects are divided between several websites, for example, one for each specific country or brand. Or maybe you just want to buy one certificate for all of your projects. In this case, you need to look for multi-domain versions. They are marked as SAN (Subject Alternative Names) or Multi-Domain certificates.
3.3. Wildcard Certificates
If you also need to provide encryption on all subdomains of the same domain besides the primary one, this is the type you need. For example, there is a justiceleague.com domain, and you need to install the same certificate on support.justiceleague.com, forum.justiceleague.com, etc.
If you have fewer than 9 subdomains, it's cheaper to buy regular certificates, although a wildcard one will be more convenient to use. Free certificate versions do not support wildcards, though.
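The coverage rules from sections 3.1 to 3.3, as an added example that is not part of the original article. The SAN lists and hostnames are constructed, and the sketch goes one step beyond the text by showing that a wildcard matches exactly one label, so a deeper name such as a.support.justiceleague.com is not covered.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# All SAN lists and hostnames below are constructed for illustration.

def san_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from a certificate against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # "*" stands for exactly one label
    if p[0] == "*":
        # A wildcard counts only as the whole leftmost label and needs at
        # least two labels after it (so "*.com" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h                 # otherwise an exact, case-insensitive match


def covers(sans, host):
    return any(san_matches(s, host) for s in sans)


CERTS = {
    "single-name": ["www.justiceleague.com", "justiceleague.com"],
    "multi-domain": ["justiceleague.com", "www.justiceleague.com",
                     "justiceleague-shop.example"],
    "wildcard": ["*.justiceleague.com", "justiceleague.com"],
}
HOSTS = [
    "justiceleague.com", "www.justiceleague.com", "flash.justiceleague.com",
    "support.justiceleague.com", "a.support.justiceleague.com",
    "justiceleague-shop.example",
]


def coverage():
    """Map each certificate to the hosts it is valid for."""
    return {name: [h for h in HOSTS if covers(sans, h)]
            for name, sans in CERTS.items()}


if __name__ == "__main__":
    for name, hosts in coverage().items():
        print(f"{name:13} {hosts}")
```

Note that the wildcard entry alone does not match the bare domain; the wildcard certificate here covers justiceleague.com only because that name is listed as a separate SAN.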
3.4. Self-signed SSL Certificates
You can generate them yourself in any number (for example, in the ISP panel). But bear in mind that browsers mark websites with such certificates as insecure and search engines do not index websites with them. So it’s better to use them for personal purposes only (for example, on test domains when developing a project).
4. Choosing SSL Vendors
4.1. Market Share Trends For SSL Certificate Authorities
A certificate authority checks the data contained in the certificate signing request before issuing a certificate. For the simplest types only the domain name is checked; for the most expensive ones a huge number of verifications is carried out. Here is the percentage of websites using various SSL certificate authorities, according to a W3Techs survey:
As you can see, the largest players in the SSL certificate market are Comodo, IdenTrust and Symantec, which owns three of the largest certification centers — Thawte, Verisign and Geotrust.
4.2. Differences between Certification Authorities
Which browsers the root certificate is installed in
A visitor will still receive an error when entering the website if the browser doesn’t have the root certificate of the CA in question. As for the centers above, their root certificates are installed in, perhaps, 99.99% of all existing browsers. You can check which CAs' root certificates are installed in your browser in its settings. For example, in Google Chrome: Settings → Show Advanced Settings → Certificate Management → Trusted Root Certification Authorities.
The speed of release
The fastest are certificates with domain validation only. The most time-consuming ones are EV certificates: it takes at least a week to receive them.
Some certificates come with $10,000 insurance. This warranty is not for the buyer of the certificate, however, but for the visitor of the website where the certificate is installed. If a visitor suffers from fraud and loses money, the certification authority agrees to compensate them for the amount specified in the warranty.
Free trial period
Such CAs as Symantec Secure Site, GeoTrust RapidSSL, Comodo Positive SSL and Thawte SSL Web Server do provide it. You can also use free certificates for tests: StartSSL™ Free or Let’s Encrypt (only if you need domain validation and nothing more).
Almost all certificates grant refunds within 30 days, although there are also certificates without a money-back period.
5. Common Mistakes With SSL Implementation
Here I gathered the most frequent issues with SSL implementation.
- First of all, make sure that all your content is loaded from a secure source. If your page contains both secure and insecure items (HTTP and HTTPS content), your SSL certificate will become invalid. You can use WhyNoPadLock.com to identify such content.
- Pay attention to the validity period of SSL certificates. They are usually issued for at least a year, but, for example, Let’s Encrypt works only for 90 days. You can verify this information using SSL Checker.
- Also, check whether there are any internal links leading to HTTP pages of your HTTPS website. You can spot such URLs using Netpeak Spider and set a 301 redirect to their HTTPS version.
- And finally, make sure that your Sitemap.xml for the HTTPS site doesn’t include HTTP URLs. They can mislead search engines and result in incomplete crawling of your website. You can check this using XML Sitemap crawling in Netpeak Spider.
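A scripted version of three of the checks above (insecure content on an HTTPS page, internal links to HTTP pages, HTTP URLs in the sitemap), as an added example that is not part of the original article and not taken from any of the tools it names. The host name, page markup and sitemap are constructed sample inputs.

```python
# Added example; SITE_HOST, PAGE_HTML and SITEMAP_XML are constructed inputs.
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "www.justiceleague.com"
PAGE_HTML = """
<link rel="stylesheet" href="https://www.justiceleague.com/main.css">
<script src="http://cdn.example/lib.js"></script>
<img src="http://www.justiceleague.com/logo.png">
<a href="http://www.justiceleague.com/about">About</a>
<a href="http://other.example/">External</a>
"""
SITEMAP_XML = """
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.justiceleague.com/</loc></url>
  <url><loc>http://www.justiceleague.com/about</loc></url>
</urlset>
"""
LOADED_VIA_SRC = {"script", "img", "iframe", "audio", "video", "source"}

class PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mixed, self.internal_http = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag in LOADED_VIA_SRC else a.get("href")
        if not url or urlsplit(url).scheme != "http":
            return
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        if tag in LOADED_VIA_SRC or is_css:
            self.mixed.append(url)          # fetched by the page itself
        elif tag == "a" and urlsplit(url).hostname == SITE_HOST:
            self.internal_http.append(url)  # candidate for a 301 to HTTPS

def audit_page(html):
    parser = PageAudit()
    parser.feed(html)
    return parser.mixed, parser.internal_http

def http_urls_in_sitemap(xml_text):
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    locs = ET.fromstring(xml_text.strip()).findall(".//sm:loc", ns)
    return [e.text.strip() for e in locs if urlsplit(e.text.strip()).scheme == "http"]

if __name__ == "__main__":
    print(audit_page(PAGE_HTML), http_urls_in_sitemap(SITEMAP_XML))
```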
In a Nutshell
If you have the simplest website, you can use free certificates, e.g. StartSSL or Let’s Encrypt (cannot be used for commercial websites). In other cases, look for appropriate versions.
Consider the following aspects when choosing the certificate:
- Domain validated certificates are for personal use. They are issued almost instantly.
- Organization validated certificates are for businesses and companies. They are issued within a few hours and up to a few days.
- Extended validation certificates are used for e-commerce business purposes. They are issued within a few days and up to a few weeks.
- Single-name SSL certificates are meant for a single domain.
- Multi-domain certificates — for several different domains hosted on the same server.
- Wildcard certificates are used to provide encryption on all subdomains of the same domain, besides the primary one.
Take into account the requirements of your website, see what certificates your competitors and colleagues are using, and ask any questions you may have below :)