A Quick Lesson on the Types of SSL Certificate & Their Characteristics
What is SSL? It’s a question that a lot of website owners are being forced to ask as Google and the rest of the browser community begin to mandate encryption in 2017.
If you haven’t been paying attention, here’s a quick summary of what’s about to happen. The browser community, led by Google and Mozilla, is uniquely positioned to dictate its terms to the rest of the internet. Unless you’re extremely tech-savvy, you need a browser to surf the internet—that’s true for pretty much everyone. You couldn’t visit a website without a browser and websites are entirely dependent upon those browsers to allow visitors to access them.
The browsers are acutely aware of this fact too, and they leverage their position to effect the changes that they want to see across the internet. The browsers’ latest initiative is for universal encryption. They want every website to be served over HTTPS.
So how does SSL fit into all that? Well, you need to install an SSL certificate on your web server and configure your website for HTTPS in order to start making encrypted connections with your visitors. Encryption is facilitated with the SSL protocol. So, long story short: SSL is now required, lest your website be labeled “Not Secure” by the browsers.
So, let’s talk about SSL Certificates.
Let’s start with something basic: all SSL certificates offer the same industry-standard level of encryption. A free SSL certificate and a $3,000 SSL certificate both provide the same level of connection security.
So why the heck would you pay three grand for one?
Well, that’s because SSL performs two functions. The first, better-known function is encryption: it secures connections. The second, less heralded function is authentication. SSL can provide definitive proof of identity, which is becoming increasingly important as phishing and cybercrime become more rampant than ever.
There are three different validation levels, each with its own strengths and weaknesses.
- Domain Validation (DV) – The vast majority of SSL certificates are Domain Validation. That’s because it’s the easiest type to get. All you need to do to get a DV certificate is prove ownership over a domain. DV can be issued within minutes. It’s a great choice for small personal websites and blogs that just need simple encryption, but businesses should invest in business authentication—not DV.
- Organization Validation (OV) – OV SSL was the original type of SSL certificate. DV was created to expand access to encryption and EV was created to offer a greater degree of authentication. But OV was the original. Organization Validation requires a company or organization to undergo light business vetting; in return, verified business details are included on the certificate and can be viewed by anyone who knows how to find them. The problem with OV is that it displays the same visual indicators as DV, and most users don’t know how to find the verified business details.
- Extended Validation (EV) – Extended Validation offers the highest level of authentication. A company or organization must undergo extensive vetting (don’t worry, this isn’t as intensive as it sounds if your business has up-to-date registration information on hand), but in exchange EV SSL grants a unique visual indicator: the green address bar. This offers unimpugnable proof of identity by placing your business’ verified name and country of origin in green font next to the URL in the address bar. The only drawback to EV SSL is the price, but research shows that EV boosts traffic and conversions and eventually pays for itself, so it’s really more of an investment.
Now that we’ve covered the validation levels, let’s get into specific types of SSL certificate.
One of the most common issues that companies and organizations run into with SSL is the cost and administrative burden of purchasing SSL certificates to cover all their different domains. Fortunately, in addition to single domain SSL certificates, there is a range of options to help encrypt multiple sites, sub-domains, etc.
We’ll start with Multi-Domain/SAN certificates. As the name implies, these certificates are capable of encrypting multiple domains at once. The maximum number of domains that you can encrypt on a single certificate varies by Certificate Authority (CA): it’s 25 for Thawte, 100 for GeoTrust and Symantec and 250 for Comodo.
Here’s how it works: when you purchase an SSL certificate, you are required to generate a Certificate Signing Request (CSR) that contains all the information needed to create the SSL certificate. Typically, you would list the name of the domain you want to encrypt in the Fully Qualified Domain Name (FQDN) field. That’s true with Multi-Domain SSL too, but in this case you’ll also include the full domain name of every additional domain you want to cover in the Subject Alternative Name (SAN) fields. When the CA issues the certificate, it can be installed on all of the listed domains.
Most Multi-Domain SSL certificates come bundled with 2-4 SANs; additional SANs must be purchased as needed.
So, you can encrypt multiple domains with a single SSL certificate, but what about sub-domains? What if you only own a single domain, do you really need to buy SANs to encrypt a bunch of sub-domains? No! There’s a specialized type of SSL certificate for sub-domains.
It’s called a Wildcard.
Wildcard SSL is an incredibly versatile certificate type: it can encrypt an unlimited number of sub-domains on a single certificate. Seriously, as many as you have. And you don’t pay per sub-domain like you would with Multi-Domain; you just buy a single Wildcard and it covers everything. Best of all, you can even add sub-domains after you purchase the Wildcard, and as long as you re-issue the certificate it will protect the new sub-domains too.
Here’s how it works: during the CSR generation process, you use an asterisk in place of the sub-domain level you’re looking to encrypt (i.e. *.domain.com). Once the Wildcard is issued, all the sub-domains at that level will be encrypted.
A couple of things to keep in mind: you WILL need multiple Wildcards if you want to encrypt sub-domains at different domain levels. Also, Wildcard SSL is not available in EV, so if you want a business-authenticated Wildcard solution you’ll have to settle for OV.
Multi-Domain Wildcard SSL
And finally, we have the Multi-Domain Wildcard SSL certificate. As the name suggests, this is a jack-of-all-trades certificate type that functions as both a Wildcard and a Multi-Domain certificate.
The way it works is with the use of the Wildcard SAN. A SAN field doesn’t have to function like a traditional SAN field: you also have the option to enter a domain with an asterisk in place of the sub-domain level you want to encrypt. Multi-Domain Wildcards can encrypt up to 25, 100 or even 250 domains and an unlimited number of sub-domains at the same time.
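The coverage rules described above for SAN entries, Wildcards and Wildcard SANs, as an added example that is not part of the original article: a Python check of which hostnames a certificate's name list covers. The domain names are constructed, and the matcher is a simplified form of the single-label wildcard rule that browsers apply.

```python
# Added example: which hostnames does a certificate's name list cover?
# All names below are constructed for illustration.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def san_covers(san, hostname):
    """Return True if a single SAN entry covers the hostname.

    A wildcard counts only as the whole left-most label and stands in
    for exactly one label, so *.example.com covers www.example.com but
    not example.com itself and not a.b.example.com.
    """
    san_l, host_l = _labels(san), _labels(hostname)
    if len(san_l) != len(host_l):
        return False
    if san_l[0] == "*":
        # Simplification: require a registrable-looking base (no "*.com").
        return len(san_l) >= 3 and san_l[1:] == host_l[1:]
    return san_l == host_l

def cert_covers(sans, hostname):
    """Return True if any SAN entry on the certificate covers the hostname."""
    return any(san_covers(san, hostname) for san in sans)

def uncovered(sans, hostnames):
    """List the hostnames that this certificate would NOT cover."""
    return [h for h in hostnames if not cert_covers(sans, h)]

# Constructed name lists for the three certificate types in the article.
MULTI_DOMAIN = ["example.com", "www.example.com", "example.net"]
WILDCARD = ["*.example.com"]
MULTI_DOMAIN_WILDCARD = ["example.com", "*.example.com",
                         "*.shop.example.com", "*.example.net"]

# Constructed inventory of sites that need HTTPS.
SITES = ["example.com", "www.example.com", "mail.example.com",
         "api.shop.example.com", "www.example.net"]

if __name__ == "__main__":
    for label, sans in [("Multi-Domain", MULTI_DOMAIN),
                        ("Wildcard", WILDCARD),
                        ("Multi-Domain Wildcard", MULTI_DOMAIN_WILDCARD)]:
        print(f"{label}: not covered -> {uncovered(sans, SITES)}")
```

Running a site inventory through a check like this before ordering shows whether a single Wildcard is enough or whether names at other levels, including the bare domain, need their own SAN entries.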
And there you have it: a quick run-down on the different types of SSL certificate. SSL is an extremely important product, not just for securing your website but also for building trust with your customers.
Hopefully this guide helps you decide what kind of SSL certificate is best for you.