Over the years, we’ve run across a surprising number of business owners befuddled by the SSL certification options available to them.
Though they’ve taken their business online, the customers weren’t following.
Many have obtained digital certificates, but couldn’t say exactly why or which kind.
Admittedly, digital certificates do offer an intimidating variety of options.
Can a small business owner be expected to know if a Rapid OV-MD-SSL Certificate is what he really needs?
Must he hire someone to handle that entire side of his operation?
We say no.
With a little effort, anyone can parse through the seemingly exotic subject matter and make an informed choice.
This guide should help them do just that.
But let’s start with some clarifications — call it a quick refresher for those already familiar with the subject.
SSL: An Overview
Companies live and die by the mutual trust they manage to establish with their users.
Some customers share names and locations over a social network.
Others submit credit card info to make a purchase.
All must feel confident enough that their data won’t be intercepted or mismanaged.
That’s what encryption and certification can provide.
SSL (Secure Sockets Layer) is an encryption protocol meant to assure the security of data exchanged over a network.
An SSL certificate is a third party’s digital guarantee that data will remain private between the user and the website.
Vendors offer a wide variety of SSL certificates to websites. Without them, their users cannot safely enter login data or credit card numbers.
Every browser comes with a built-in list of trusted providers (Certificate Authorities).
Browsers use this list to warn users when they are about to access a website that has not been secured.
Additionally, popular search engines prioritize certified websites (HTTPS) over noncertified ones (HTTP).
Now that we’ve covered the basics, let’s tackle each of the certificate types in turn.
SSL Certificate Types
There are several different ways of looking at SSL certificates.
Before choosing the right option, let’s consider the breadth and the depth of the coverage they provide.
In addition, the authority that issues the certificates is also worth a look.
SSL Certificate Types by Breadth
This criterion differentiates SSL certificates by the number of different domains they secure.
While we might assume that one certificate per website is a sensible ratio, that’s not always the case.
It’s fairly common for a growing company to start adding websites to a network, and out of necessity, start purchasing certificates for each one independently.
Fortunately, there are cost-effective alternatives to this.
Single Domain (SD) Certificate
As the name suggests, a Single Domain Certificate applies to one domain only.
For example, an SDC of yourdomain.com means that security standards are certified for all the web pages on that site.
This option usually comes with minimal authentication (see Depth, below).
If we can prove that we own the website, we’ll be certified almost instantly.
A typical blogger or a small business owner needn’t ever look further than a Single Domain Certificate.
But if our business plan involves online expansion, we should consider the other options detailed below.
Wildcard (WC) Certificate
A variant of the Single Domain Certificate, this one secures a single domain and all the subdomains within it.
For example, a Wildcard Certificate of yourdomain.com would also cover any number of subdomains added later.
This might include login.yourdomain.com, download.yourdomain.com, and others.
This type of certificate adds a measure of flexibility that a growing online business can come to appreciate.
On the other hand, the extra cost is also considerable.
Multi-Domain (MD) Certificate
This one is also self-explanatory — the MD Certificate covers several independent domains at once.
Businesses with a significant online footprint are the ones commonly opting for this.
It’s costlier than an SDC, but still more affordable than getting a separate SDC for each website we add to our network.
More than a cost-saving measure, an MD Certificate can also lighten a system administrator’s workload.
It’s easier to maintain a single certificate for the entire network than juggle several at once, each with its own requirements.
Occasionally, the Multi-Domain Certificate is referred to as a SAN (Subject Alternative Name) Certificate.
This refers to the core function of an MDC: the ability to list additional hostnames in the certificate.
Unified Communications (UC) Certificate
Unlike other MD certificates, the UCC lists all the secondary domains and servers as part of a single network.
Designed for the Microsoft Exchange environment, we have it listed here as an example of a specialized MDC.
It allows for company-specific ways of client data management, which only the largest of businesses find beneficial.
SSL Certificate Types by Depth
This criterion differentiates SSL certificates by the amount of verification that the Certificate Authority (CA) provides.
The deeper they look into a business, the stronger the guarantee they offer.
Consequently, this depth of service also entails a higher cost.
Domain Validated (DV) Certificate
At the basic level, the CA confirms only that the certificate applicant is the owner of the registered domain.
This is enough to grant the certified website the standard visual indicators — HTTPS and a padlocked address bar.
Individuals and small businesses typically find this depth of validation sufficient.
In fact, even the smallest sites that require users to log in are DV-certified these days.
In most cases, DV Certificates are easy to obtain through straightforward vetting.
There’s currently a broad movement toward gradually deprecating non-secure connections.
Thanks to this, we can reliably get a DVC for free from certain sources.
Organization Validated (OV) Certificate
At the OVC level, the Certificate Authority vouches for the identity and legal standing of the organization.
Business registration standards vary by locale, of course.
Still, the CA can apply its own criteria to verify that a company is operating in good faith.
Small- and medium-sized businesses are the ones who get OV certificates.
These can be obtained fairly quickly, but they do not include the much vaunted “green bar” (see below).
Extended Validation (EV) Certificate
As top-tier authentication, EVC requires thorough business vetting procedures.
Companies that meet this high standard inform their customers via the browser’s “green address bar,” at least in some browsers.
Chrome, Firefox, or Safari show a green padlock instead.
Almost exclusively, large companies choose this premium-level certificate.
They’re willing to pay a considerably higher cost to show how much they value user safety.
Research has indicated that this type of focused trust-building is a sound investment.
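To check what an issued certificate actually provides on the breadth and depth axes described above, the following added example (not code from this guide) classifies a certificate from its Subject Alternative Name list and subject fields. It assumes the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(); the function names and sample certificates are constructed for illustration, the registrable domain is approximated by the last two labels, and the depth result is a heuristic based on subject fields. It also shows a caveat of wildcard coverage: a wildcard entry stands for exactly one label, so it matches neither deeper subdomains nor the bare domain unless those are listed separately.

```python
# Added example. Input uses the dict shape of ssl.SSLSocket.getpeercert().

def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def breadth(cert):
    """'single-domain', 'wildcard' or 'multi-domain', judged from the SAN list."""
    names = san_dns_names(cert)
    # Assumption: the registrable domain is the last two labels. A real tool
    # would consult the Public Suffix List (co.uk and similar break this).
    bases = {".".join(n.split(".")[-2:]) for n in names}
    if len(bases) > 1:
        return "multi-domain"
    return "wildcard" if any(n.startswith("*.") for n in names) else "single-domain"

def covers(cert, host):
    """True if a SAN entry matches host. A wildcard stands for exactly one
    left-most label: no deeper names, and not the bare domain."""
    host = host.lower().rstrip(".")
    for name in san_dns_names(cert):
        if name == host:
            return True
        label, _, rest = host.partition(".")
        if name.startswith("*.") and label and rest == name[2:]:
            return True
    return False

def depth_hint(cert):
    """Heuristic: EV subjects carry businessCategory, OV subjects carry
    organizationName, DV subjects carry neither."""
    attrs = {k for rdn in cert.get("subject", ()) for k, _ in rdn}
    if "businessCategory" in attrs:
        return "EV"
    return "OV" if "organizationName" in attrs else "DV"

# Constructed sample certificates (not captured from real sites).
WILDCARD_DV = {"subject": ((("commonName", "*.yourdomain.com"),),),
               "subjectAltName": (("DNS", "*.yourdomain.com"),)}
MULTI_OV = {"subject": ((("organizationName", "Example Ltd"),),
                        (("commonName", "yourshop.example"),)),
            "subjectAltName": (("DNS", "yourshop.example"), ("DNS", "yourdomain.com"))}

if __name__ == "__main__":
    for h in ("login.yourdomain.com", "a.b.yourdomain.com", "yourdomain.com"):
        print(h, covers(WILDCARD_DV, h))
    print(breadth(MULTI_OV), depth_hint(MULTI_OV))
```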
Finally, let’s look into the people who provide the certificates themselves — the CA and ICA. Keep in mind that there’s more than the cost to consider when dealing with (intermediary) certificate authorities.
As is often the case with online services, it’s the providers themselves that can present an unforeseen security risk.
Globally Trusted SSL Certificates
On the global scale, the CA market is quite crowded, so many users seek local solutions.
Regional providers of a limited reach often find it easier to deal with local laws on accreditation and certification.
Still, multinational companies hold the lion’s share of the market.
While their business practices are threatened by X.509 protocols (see below), they’re also facing some specific issues:
- Authorization: A CA doesn’t issue certificates itself, but leaves it to a licensed ICA (Intermediary Certificate Authority). The licensing of these intermediaries has been a potential point of exploit. Experts have proposed certain device-centric alternatives, but none have gained traction yet.
- Reliability: Similarly, CAs sometimes issue certificates to bad actors, allowing man-in-the-middle exploits. If a “trusted third party” compromises a certificate’s authenticity, the encrypted communication is no longer safe. Anyone could be listening in, gaining access to sensitive data. These issues are often resolved quickly, but they irreparably damage the trust between the certified company and its users.
Self-Signed SSL Certificates
Instead of paying a trusted Certificate Authority, some companies choose the free alternative.
Taking advantage of initiatives put forth by non-profits, they get free domain validation via X.509 certificates.
Growing in popularity, these models have one obvious advantage and several disadvantages.
Here are just a couple of the latter:
- Compatibility: The official trust status of these certificates varies over time, trending downwards. When browsers start issuing warnings about untrusted certificates, it’s usually too late.
- Implementation: Nonprofits lack the ability to issue Extended Validation Certificates. Instead, they rely on web-of-trust systems for baseline DVC. This means that users physically meet to verify each other’s identities — another potential point of exploit.
With all this in mind, everyone should be able to make an informed decision on SSL certification.
As usual, the most important part is being aware of a company’s needs and requirements.
There’s no overall “best” type of certificate that we can get — it’s all relative to the business we’re in, as well as our customers’ profile and our purchasing power.
So yes, there’s a lot to consider. SSL certificates are an unavoidable reality of doing business online.
Choosing the wrong option might send a company spiraling toward bankruptcy.
Meanwhile, choosing the right one might increase its profile by that vital margin that both our competitors and we are after.