An SSL certificate is a Secure Sockets Layer certificate. SSL certificates are used to safeguard your website from malicious hackers.
You can encrypt and protect the communication between your website and the visitor’s browser with an SSL certificate.
An SSL certificate effectively prevents spoofing of a domain and other similar threats by certifying the server’s identity and digital signature.
These types of certificates are normally installed on web pages that seek personal information from users, such as payment information or a password, among others.
They also protect data, enhance your Google rankings, and foster trust between you and your visitors.
SSL is no longer an optional security measure, so you must choose an SSL certificate for your website before it begins to be penalized by browsers.
Buying an SSL certificate can be challenging, since there is a wide range of certificates and a plethora of categories. The big question is how you will know the right SSL certificate for your website.
In this article, we are going to take you through the steps for choosing the right SSL certificate.
Tips on how to choose an SSL Certificate
Before purchasing an SSL certificate, as a website owner or operator you need to answer several questions about which SSL certificate is appropriate for your website.
There are many options for the purchase of an SSL certificate. Different certificates have distinct characteristics. These characteristics play an important role in selecting the most suited SSL certificate for your website.
An SSL certificate can be classified into three broad categories based on the validation process that precedes the certificate’s issuance.
The validation process depends on the type of certificate you wish to purchase. The SSL certificate you choose can depend on how much trust you wish to offer your customers.
The three types of SSL certificates include organization validation (OV), domain validation (DV), and extended validation (EV).
Now that you have a basic understanding of SSL certificates and their categories, let’s discuss how to choose the right SSL Certificate.
#1. You Need To Register Your Domain.
You need to register your domain first before you can obtain a publicly trusted SSL Certificate. This is because the organizations that issue certificates (Certificate Authorities) need to verify domain ownership.
If you are looking to secure a public website then registering your domain is an essential step.
If your domain is not registered, then you are dealing with an internal server name. An internal server name is a domain or IP address that is part of a private network.
Any server name with a non-public domain name suffix (for instance mydomain.local or mydomain.internal), any short hostname, and anything else without a public domain is considered an internal server name.
Any IPv4 address in the RFC 1918 ranges (such as 10.0.0.0, 172.16.0.0, and 192.168.0.0) and any IPv6 address in the RFC 4193 range is also treated as an internal server name.
Since 2015, CAs (Certificate Authorities) have been prohibited from issuing publicly trusted SSL Certificates containing internal server names or reserved IPs.
The reason is that these names are not unique and are used internally, so there is no way for a CA to verify that the company owns them.
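As an added example (not part of the original article), the following Python sketch sorts the names in a certificate request into those a public CA can validate and those that count as internal server names or reserved IPs under the rules above. The `PUBLIC_TLDS` set and the sample request are constructed for illustration; a real check would use the full IANA root zone or Public Suffix List.

```python
import ipaddress

# Reserved ranges named in the text: RFC 1918 (IPv4) and RFC 4193 (IPv6).
RESERVED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed, deliberately short stand-in for the list of public TLDs.
# A production check would load the IANA root zone or the Public Suffix List.
PUBLIC_TLDS = {"com", "org", "net", "ke"}


def classify_name(name: str) -> str:
    """Classify one requested certificate name.

    Returns 'reserved-ip', 'public-ip', 'internal-name' or 'public-name'.
    """
    host = name.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        reserved = any(ip in net for net in RESERVED_NETS)
        return "reserved-ip" if reserved else "public-ip"
    if host.startswith("*."):          # wildcard: judge the base domain
        host = host[2:]
    labels = host.split(".")
    if len(labels) < 2:                # short hostname such as "intranet"
        return "internal-name"
    if labels[-1] not in PUBLIC_TLDS:  # .local, .internal, ...
        return "internal-name"
    return "public-name"


def split_request(names):
    """Partition names into (public CA can validate, needs a private CA)."""
    public, private = [], []
    for n in names:
        kind = classify_name(n)
        (public if kind.startswith("public") else private).append(n)
    return public, private


# Constructed request mixing the kinds of names discussed above.
REQUEST = ["www.companyname.com", "mydomain.local", "mydomain.internal",
           "intranet", "10.0.0.0", "172.31.255.254", "172.32.0.1",
           "fd12:3456:789a::1", "*.companyname.co.ke"]

if __name__ == "__main__":
    ok, internal = split_request(REQUEST)
    print("public CA:", ok)
    print("private CA or self-signed:", internal)
```

Running this kind of check before submitting a request shows which names have to move to a private CA or a self-signed certificate.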
If you want to secure communications between your internal servers that use internal server names, there are several options. You have to understand that you can’t use a publicly trusted SSL Certificate.
You can use self-signed certificates, or set up an in-house CA such as Microsoft CA and issue certificates from there.
However, running your own CA requires extensive internal expertise and can be quite resource-intensive.
Some CAs also offer certificates designed exactly for this use case. Since these certificates are issued from a non-public root, they don’t need to comply with the same regulations put upon public certificates.
This means they can include internal server names and reserved IP addresses. This way you can easily secure your internal servers without the hassle of running your own CA or doing self-signed certificates.
#2. Trust Level Required
All SSL Certificates offer session security and encrypt any information submitted through the website, though they differ in terms of how much identity information is included in the certificate and how they display in browsers.
There are three main trust levels for SSL Certificates (from highest to lowest):
- Extended Validation (EV)
- Organization Validated (OV)
- Domain Validated (DV).
In this step, you need to ask yourself how much trust you are willing to convey to your visitors. You should also ask yourself how important your brand identity is to your web presence.
Decide on whether you want your brand clearly presented in the browser’s address bar or included in the certificate. Do you want your brand identity to be tied to your domain or not?
Extended Validation (EV) Certificates
Extended Validation Certificates include the most company data and they require a company to meet the highest, most stringent requirements of any type of SSL Certificate before receiving this certificate.
EV also lends the most credibility to your website by bringing your business’s verified identity front and center, displaying your company’s name with a locked padlock.
Organization Validated (OV) Certificates
Organization Validated Certificates are the second best after EV. OV includes business authentication, meaning information about your company is included, although this information is not as prominently displayed as in EV Certificates.
For visitors to see your company’s identity information, they need to view the certificate details.
Domain Validated (DV) Certificates
Domain Validated Certificates are the most basic type of SSL Certificate. They include the least amount of identity information in the certificate and prove only that the website owner could demonstrate administrative control over the domain.
Although DV Certificates offer session encryption, they don’t include any company information.
This means there’s nothing included in a DV SSL Certificate issued to www.companyname.com to verify that the company actually runs it.
Therefore we wouldn’t recommend DV Certificates for business use.
Given the rise of imposter and phishing websites, we recommend website operators use SSL Certificates that include company identity information like EV or OV so that site visitors can view the identity of the domain owner.
#3. Number of Domains You Need to Protect with this Certificate.
The number of domains you want to protect plays an important role in choosing the right SSL Certificate. Buying a single certificate is easy if you want to secure a single domain.
However, most of the time, website owners want to secure more than one domain. These domains can be divided into two categories:
- Fully-qualified Domains
A single-domain certificate allows you to secure one Fully-Qualified Domain Name (FQDN) on a single certificate.
Single-domain certificates are the best for businesses managing a small number of websites.
Wildcard SSL Certificate
Wildcard SSL Certificates allow you to safeguard all the sub-domains under an FQDN along with the main domain using a single SSL Certificate.
You can safeguard domains such as the following by employing Wildcard SSL:
- Domain.com (main domain)
Wildcard SSL certificates save you the trouble of buying and installing an individual certificate for each of your domains. You don’t have to go through the entire validation process to purchase an SSL certificate.
You also save a lot of money, as you don’t have to pay for each SSL Certificate.
Wildcard certificates come with two validation options (domain validation and organization validation).
Multi-domain/SAN SSL Certificate
Multi-domain certificates are commonly called Subject Alternative Name (SAN) certificates or Unified Communications Certificates (UCC).
These certificates allow website owners to secure several distinct domains with only one certificate. For instance, a single SAN/UCC certificate can be used to secure both www.companyname.com and www.companyname.co.ke.
SAN/UCC certificates do not provide the same function as wildcard certificates, although SAN/UCC certificates can include both wildcard domains that are not sub-domains of the same FQDN.
A single SAN/UCC certificate can support many different domains. Customers can add or remove domains at any time, which can help simplify the management of your security infrastructure.
Administrators need only monitor a single certificate with a unified expiration date for all domains instead of having several single-domain certificates.
In addition, SAN/UCC certificates are the best for Microsoft® Exchange and Office Communications environments, because they can use their alternative domains to support the Exchange Autodiscover service, which can make client administration easier.
SAN/UCC certificates are also sometimes known as “Exchange certificates” due to this reason.
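To compare the wildcard and multi-domain/SAN options described above, this added example (not from the original article) checks which hostnames in an inventory a given set of certificate names covers. It applies the matching rule browsers use, where `*` stands for exactly one left-most label, so the main domain is covered only when it is listed as its own name next to the wildcard. The inventory and name lists are constructed from the article's sample domains.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label, which is how browsers apply it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least "*.name.tld" and an exact match on the rest.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def coverage(cert_names, hosts):
    """Map each host to the certificate name that covers it, or None."""
    return {h: next((n for n in cert_names if name_matches(n, h)), None)
            for h in hosts}


def missing(cert_names, hosts):
    """Hosts that would raise a name-mismatch warning with this certificate."""
    return [h for h, n in coverage(cert_names, hosts).items() if n is None]


# Constructed inventory built from the article's example domains.
HOSTS = ["companyname.com", "www.companyname.com", "mail.companyname.com",
         "api.dev.companyname.com", "www.companyname.co.ke"]

WILDCARD_ONLY = ["*.companyname.com"]
WILDCARD_WITH_MAIN = ["*.companyname.com", "companyname.com"]
MULTI_DOMAIN = ["*.companyname.com", "companyname.com",
                "*.dev.companyname.com", "www.companyname.co.ke"]

if __name__ == "__main__":
    for label, names in [("wildcard only", WILDCARD_ONLY),
                         ("wildcard + main domain", WILDCARD_WITH_MAIN),
                         ("multi-domain/SAN", MULTI_DOMAIN)]:
        print(f"{label}: not covered -> {missing(names, HOSTS)}")
```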
#4. Warranty Amount
The amount of warranty provided with SSL certificates differs from one certificate to another. The higher the level of validation, the higher the warranty amount.
In case of a fraudulent incident affecting your customers, the certificate authority pays out money as compensation. This should never occur, and it rarely does, but it is always good to stay a step ahead.
The higher the warranty amount, the better it is for you as a website owner.
#5. The reputation of a Certificate Authority (CA)
The reputation of a CA is a very important factor to consider when choosing the right SSL Certificate for your website. The market share of the CA is a major indication of its reputation.
Any CA entrusted by millions of users worldwide does everything possible to avoid failure. Such CAs keep researching and developing new techniques to stay ahead of cyber attackers.
Some certificate authorities have been banned by web browsers before. This means that a particular browser stopped supporting the SSL certificates provided by that CA.
#6. Issuance Time
The validation procedure is different for EV, OV, and DV levels. The OV SSL takes 2-3 days to get issued while the EV SSL takes around 2-4 days as it requires a considerable amount of scrutiny.
If the CA you have chosen has any uncertainties, they might ask for more evidence from your side which may make the issuance process a bit longer.
#7. Customer Support
It is always good to have an expert to guide you along the way in case you come across any troubles. Having access to customer support can save you time and trouble.
Go for an SSL provider who will offer you 24/7 customer support. Customer support might be in the form of chat, email, and calls among others.
Choosing the right SSL can be an overwhelming task if you don’t have much idea about it.
To make it simple, you need to know the following: your purpose behind installing an SSL certificate, the validation level you need based on that purpose, and the number of primary domains and sub-domains you want to secure.
Server certificates are a powerful tool to secure your website and choosing the right certificate to suit your needs can greatly minimize the cost and effort needed to administer your security infrastructure.
We hope this article helps you better understand the difference in their features and choose the SSL Certificate that suits your website.