What do you consider low volume, low transaction?
If you have a low volume website and you decide that your customers' confidence
is not affected at all by the brand behind the SSL certificate, or that the number of
customers who would have an issue is insignificant, then RapidSSL is
the perfect answer.
It is all about customer confidence. Whilst RapidSSL technology is production grade,
only you can really determine whether your customers' confidence will improve significantly
if you purchase an established brand like GeoTrust.
As a guide, typical customer transaction value is sub 50 USD, and volumes of transactions
are less than 50 per week.
Note: The 50 per week example figure is simply a commercial guide and not a technical
restriction. Technically the RapidSSL certificate will not be restricted from conducting
more transactions than 50 - they are still industry standard 128 / 256 bit SSL certificates.
However it is our opinion that sites conducting more than 50 transactions will require
a Professional Level SSL certificate due to the increased likelihood that the website's
customers will expect SSL from a highly credible and established SSL provider and
well known internationally accepted SSL brand.
What is a Single Root SSL Certificate?
When connecting to a webserver over SSL, the visitor's browser decides whether or
not to trust the website's SSL certificate based on which Certification Authority
has issued the actual SSL certificate. To determine this, the browser looks at its
list of trusted issuing authorities - represented by a collection of Trusted Root
CA certificates added into the browser by the browser vendor (such as Microsoft
Most SSL certificates are issued by CAs who own and use their own Trusted Root CA
certificates, such as those issued by GeoTrust and RapidSSL.com. As GeoTrust and
RapidSSL.com are known to browser vendors as trusted issuing authorities, their Trusted
Root CA certificates have already been added to all popular browsers, and hence are
already trusted. These SSL certificates are known as "single root" SSL certificates.
RapidSSL.com, a subsidiary of GeoTrust, owns the Equifax root used to issue its
Some Certification Authorities do not have a Trusted Root CA certificate present
in browsers, or do not use the root they do own, and use a "chained root" in order
for their SSL certificates to be trusted - essentially a CA with a Trusted Root
CA certificate issues a "chained" certificate which "inherits" the browser recognition
of the Trusted Root CA. These SSL certificates are known as "chained root" SSL certificates.
Installation of chained root certificates is more complex, and some web servers
and applications are not compatible with chained root certificates.
For a Certification Authority to have and use its own Trusted Root CA certificate
already present in browsers is a clear sign that they are long-time, stable and
credible organizations who have long term relationships with the browser vendors
(such as Microsoft and Netscape) for the inclusion of their Trusted Root CA certificates.
For this reason, such CAs are seen as being considerably more credible and stable
than chained root certificate providers who do not have a direct relationship with
the browser vendors, or do not use their own root certificates to issue SSL certificates.
You can view the Certification Authorities who have and use their own root certificates
by viewing the list in your browser.
Chained root certificates require additional effort to install as the webserver
must also have the chained root installed. This is not necessary for single root
What is browser ubiquity or browser recognition?
Browser ubiquity is the term used in the industry to describe the estimated percentage
of Internet users that will inherently trust an SSL certificate. The lower the browser
ubiquity, the fewer people will trust your certificate - clearly, if you are operating
a commercial site you require as many people as possible to trust your SSL certificate.
As a general rule, any SSL certificate with over 95% browser ubiquity is acceptable
for a commercial site.
Ubiquity is however not the only consideration in deciding whether one SSL certificate
is better than another. Many companies running high transaction volume web sites
need to maximize customer confidence and therefore buy certificates from well known,
long time security vendors and mostly use the major players e.g. GeoTrust and Verisign
who are all WebTrust compliant.
If you have a low volume web site and you decide that your customers' confidence
is not affected at all by the brand behind the SSL certificate, or that the number of
customers who would have an issue is insignificant, then RapidSSL or
RapidSSL Wildcard certificates are ideal.
What is SSL?
The SSL (and TLS) protocol is the Web standard for encrypting communications between
users and SSL (secure sockets layer) e-commerce sites. Data sent via an SSL connection
is protected by encryption, a mechanism that prevents eavesdropping and tampering
with any transmitted data. SSL provides businesses and consumers with the confidence
that private data sent to a Web site, such as credit card numbers, are kept confidential.
Web server certificates (also known as secure server certificates or SSL certificates)
are required to initialize an SSL session.
Customers know they have an SSL session with a website when their browser displays
the little gold padlock and the address bar begins with https rather than http.
SSL certificates can be used on webservers for Internet security and on mailservers
(IMAP, POP3 and SMTP) to secure mail collection and sending.
What type of customer service do you offer?
We offer full telephone, email and web support to our FreeSSL, RapidSSL and Professional
Level customers. Our support staff are highly experienced in supporting SSL and
webservers and will be happy to help you with technical inquiries in the US from
8am to 8pm EST and in the UK from 9am to 5pm GMT.
What type of validation is required?
A trust hierarchy demands that entities "vouch" for each other. Companies that issue
SSL certificates are in the business of establishing that entities on the web are,
in fact, who they claim to be. The potential for criminal activity on the web (as far
as SSL is concerned, anyway) lies in the online 'hijacking' of sites or connections to siphon
encrypted data. Persons so inclined can easily "copy" web site interfaces and pose
as well known vendors, simply to collect this data.
SSL certificates work to prevent this through ensuring that www.abc.com is, in fact,
ABC Co. In the "real world" we use identification procedures like photo ids, telephone
calls and papers of incorporation to know with whom we are dealing. If products
or services are defective, buyers can seek recourse. In the "online world", companies
wishing to use SSL certificates must prove to the certificate authority that they
have the right to present themselves online as ABC Co.
This is done through a variety of means in different SSL products. For the sake
of simplicity, consider the method started and championed by Verisign, as the 'traditional'
model. The process involves certificate petitioners faxing in their articles of
incorporation, and then waiting several days to be granted a certificate to do business
online under that name. There is a fair amount of overhead related to this task,
as these credentials are examined and reviewed, and full-service products in this
arena can cost hundreds of dollars.
There are newer, lower-cost alternatives in which certificates are issued more quickly.
These certificates verify that the certificate holder is the owner of that domain,
assuring customers that domain name "owners" are who they claim to be.
There are also other validation options, like two-way, real-time telephony. Certificate
applicants are required to provide telephone numbers, and certificate authorities
call to verify basic information, yet another way to seek recourse in the event
So there are essentially two types of validation available, manual and automated.
Involves the validation of domain name ownership and business legitimacy using humans.
This process is traditionally slow and takes up to two working days, often longer.
A manually validated certificate usually contains the following information within
Computers, databases and automated routines validate domain name ownership and business
legitimacy. The process takes minutes rather than days. The GeoTrust QuickSSL product
and RapidSSL.com FreeSSL and ChainedSSL products use automated validation to issue
SSL certificates within 10 minutes. Their automated validation processes are WebTrust
compliant and use Domain Control validation and Unique Business Registration to
validate the applicant before issuing the certificate.
An automatically validated certificate, such as the GeoTrust or RapidSSL.com certificates,
contains the following information within the certificate:
What type of web site application. Low volume, professional
Perhaps the most important differentiation between all the SSL certificates available
on the market today is the strength of the brand behind the SSL technology. SSL
technology, besides ensuring secure transmission of data, is an essential element
in providing online customers with the confidence to buy or use a product or service.
For example, the greater the number of users visiting a website, the greater the
probability that some customers may not complete a transaction, simply because they
do not recognise or trust the brand behind the SSL technology.
Inevitably the well known brands from the credible long standing CAs are the most
expensive SSL certificates on the market. If you have a low volume or development
website and you decide that your customers' confidence is not affected at all by
the brand behind the SSL certificate, or that the number of customers who would have
an issue is insignificant, then the choice of CA and certificate is increased.
Low volume websites can therefore enjoy significant savings on their SSL purchases
by purchasing the lesser known brands of SSL certificates.
We suggest as a guide that if a website is performing more than 50 transactions
per week, then it is advisable to use a known SSL brand.
Another important consideration is the typical or average transaction value that
a website will process. The higher the amounts customers are expected to pay online, the
greater the probability that some customers may not complete a transaction because
they do not trust the brand behind the SSL technology.
We suggest as a guide that if a website has an average transaction of greater than
50 USD, it is advisable to use a known SSL brand from a reputable CA.
When trying to go to the site over https, it displays
the message 'The page cannot be displayed'?
This is usually caused by port 443 not being allowed through the firewall, or by the
SSL certificate not having a corresponding key file.
Why do you ask for documentation when I apply for
We recognize that strong validation is essential for the continuing growth of ecommerce.
Before issuing a certificate we validate both that the applicant owns, or has legal
right to use, the domain name featured in the application and secondly that the
applicant is a legitimate and legally accountable entity. To do this, we need to
have access to documentation which verifies these two factors.
Why does the secure part of the website say the name
on the security certificate is invalid or does not match the name of the site?
This is usually caused by the certificate having a Common Name of "domain.com" while
the customer is visiting "www.domain.com".
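The mismatch described above, as an added example that is not part of the original FAQ: a simplified version of the hostname check a browser applies, extended to wildcard names. The function names and the sample hostnames are constructed for illustration.

```python
def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if one certificate name (Common Name or SAN entry) covers hostname."""
    p, h = labels(pattern), labels(hostname)
    # Label counts must agree, so "domain.com" never covers "www.domain.com".
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and needs at
        # least two labels after it ("*.com" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def audit(cert_names, hostnames):
    """Map each hostname visitors use to whether the certificate covers it."""
    return {
        host: any(name_matches(n, host) for n in cert_names)
        for host in hostnames
    }


# Constructed sample data: hostnames a visitor might type for one site.
VISITED = ["domain.com", "www.domain.com", "shop.domain.com", "a.b.domain.com"]

if __name__ == "__main__":
    for names in (["domain.com"], ["www.domain.com", "domain.com"], ["*.domain.com"]):
        print(names)
        for host, ok in audit(names, VISITED).items():
            print(f"  {host:18} {'ok' if ok else 'name mismatch warning'}")
```

A wildcard name covers one sub domain level only, and it does not cover the bare domain itself, so a site reachable under both forms needs both names in the certificate.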
Why does the website say the SSL certificate is 'Untrusted'?
The usual cause of this is that the intermediate certificate has not been loaded.
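Why a missing intermediate produces the 'Untrusted' warning, as an added example that is not part of the original FAQ: a simplified model of how a browser builds a path from the site certificate to a Trusted Root CA. It links certificates by issuer name only (no signature or expiry checks), and all certificate names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def build_path(leaf, presented, trust_store, max_depth=8):
    """Return the subjects from leaf up to a trusted root, or None if untrusted.

    presented: extra certificates the webserver sends along with the leaf.
    trust_store: root CA certificates shipped with the browser.
    """
    pool = {c.subject: c for c in presented}
    roots = {c.subject for c in trust_store}
    path, current = [leaf.subject], leaf
    for _ in range(max_depth):
        if current.issuer in roots:
            return path + [current.issuer]
        parent = pool.get(current.issuer)
        if parent is None or parent.subject in path:
            return None  # issuer unknown to the browser, or a loop
        path.append(parent.subject)
        current = parent
    return None


# Constructed sample certificates (names are illustrative only).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA")
LEAF_SINGLE = Cert("www.domain.com", "Example Root CA")       # single root
LEAF_CHAINED = Cert("www.domain.com", "Example Issuing CA")   # chained root
BROWSER_ROOTS = [ROOT]

if __name__ == "__main__":
    cases = {
        "single root, nothing extra installed": (LEAF_SINGLE, []),
        "chained, intermediate installed": (LEAF_CHAINED, [INTERMEDIATE]),
        "chained, intermediate missing": (LEAF_CHAINED, []),
    }
    for label, (leaf, extra) in cases.items():
        path = build_path(leaf, extra, BROWSER_ROOTS)
        print(f"{label}: {' -> '.join(path) if path else 'Untrusted'}")
```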
Why is browser recognition important?
If a website visitor is using a browser that does not contain the root CA certificate
used to issue the SSL certificate, they will be prompted with a security warning:
signifies that the SSL Certificate has been issued by a CA that the browser does
not trust. As more people upgrade their old browsers, this message becomes less
frequent. It is also worth noting that people who do not upgrade their browsers
are less technically and security savvy and hence are less likely to purchase from
Another consideration often overlooked concerning the overall ubiquity of an SSL
certificate is the issue of webserver compatibility. The SSL certificate is required
to be installed onto a webserver. Generally, all webservers accept all SSL certificates
currently available but it is recommended to check with the CA to be sure. Webservers
such as Apache (including the website control panel variants), IIS, Webstar, Website
Pro, Java based, iPlanet, Zeus, Netscape server and Cobalt support all the SSL
certificates featured in this whitepaper.
There are few webservers still in use that do not support the use of intermediate
certificates. Such webservers are not SSL v3 compliant. If your webserver does not
support SSL v3, then you will need to select a CA that issues certificates directly
off its root such as GeoTrust and RapidSSL.com.
Why is encryption strength important?
The bigger the number, the longer it takes for computer(s) to crack or break the
- 40 bit: It is computationally feasible to crack a 40 bit key. For this reason 40
bit encryption is rarely used.
- 128 / 256 bit: It is computationally infeasible to crack a 128 / 256 bit key. All
banking infrastructures use 128 / 256 bit encryption. We strongly recommend the use
of 128 / 256 bit SSL encryption for any application or website.
Why is stability important for SSL certificates?
All SSL certificates issued by RapidSSL.com are issued from a trusted CA root certificate
that is owned by RapidSSL.com. This means that all our certificates are stable.
Owning and using our own root certificate means that RapidSSL.com is always in control
of its pricing. This gives us the ability to change pricing depending on market
dynamics ensuring that we will always offer our resellers the lowest cost SSL
certificate available in the market!
What are Wildcard Certificates?
A wildcard certificate is a secure SSL certificate that allows you to manage multiple
sub domains on a single domain on a server with a single Certificate. Wildcard SSL
certificates are designed to secure multiple sites that share the same second-level
What is EV?
Web sites secured with an EV certificate display a green address bar to demonstrate
to customers they have reached a highly authenticated site when viewed with high
security browsers. In addition to the green address bar, an adjoining field displays
both the names of the organization that owns the Web site and the CA that issued