A comprehensive guide to SSL certificates
Need to secure your site, but not sure where to start? Check out our helpful guide to SSL certificates and get informed.
A full range of SSL products are available on the market today that cater to various domain and security needs. Though many webmasters are exploring the possibilities, hoping a move to SSL will boost their search rankings, it can be overwhelming to try to compare these options, let alone fully understand what you’re paying for.
Many SSL providers offer a wealth of add-ons, which makes comparing providers relatively difficult. This guide will help answer several common questions so that you can find the certificate that best suits your needs:
- What type of SSL certificate should I purchase?
- Should I use a free certificate or purchase one from a vendor?
- Which certificate is best for securing a sub-domain? Multiple domains?
- How much warranty coverage do I need?
- How do I troubleshoot common installation problems?
What is an SSL certificate?
Before we tackle those questions, let’s cover the basics. SSL stands for Secure Sockets Layer, a security method that encrypts data while it is being transferred between a browser and a server. SSL certificates help to protect the transfer of sensitive information such as credit card numbers, passwords and usernames, Social Security numbers and more.
How does it work?
SSL certificates utilize a public and a private key, which work together to establish an encrypted connection. Without SSL, data sent between a browser and a web server is typically sent as plain text, which can leave you vulnerable to hackers.
Why use SSL?
The benefit of using an SSL certificate is that it offers encrypted protection during the online transfer of sensitive information. (Indeed, you are required by the Payment Card Industry (PCI) to have an SSL certificate if you collect credit card information on your site.) SSL certificates can also help you gain your customers’ trust and protect against phishing schemes.
Additionally, Google now provides a slight ranking boost to websites using HTTPS. Technically, Google still only looks at the first five characters in the URL, meaning that your site could leverage the HTTPS protocol without a valid certificate in place and still receive a ranking boost. However, as Google’s Gary Illyes suggested, more stringent checks will eventually be put into place.
There are three common types of certificates. Choosing the right one will be based on the level of security your website needs.
A domain-validated SSL certificate, otherwise known as a low assurance certificate, is the standard type of certificate issued. Automated validation ensures that the domain name is registered and that an administrator approves the request. In order for the validation to be completed, the webmaster must either confirm via email or configure a DNS record for the site.
- Processing time: a few minutes to a few hours
- Recommended for: use on internal systems only
An organization-validated certificate, or high assurance certificate, requires real agents to validate the domain ownership, plus organization information such as name, city, state and country. The process is similar to that for a low assurance certificate, but additional documentation is required to verify the company’s identity.
- Processing time: a few hours to a few days
- Recommended for: all businesses and companies
Example of an organization-validated certificate
An EV certificate, or extended validation certificate, is a new type of certificate that requires the most rigorous validation process. This type of certificate checks to ensure that the business is a legal entity and requires business information be provided as proof of domain ownership. Standard SSL certificates do not represent that your website is being operated by a legitimate, verified business.
One exclusive feature of an EV certificate is that the browser’s address bar will display a green padlock for your website. This can help to bolster consumer confidence and provide reassurance that the transaction is secure.
- Processing time: a few days to a few weeks
- Recommended for: all e-commerce businesses
Pricing & vendors
Who should I purchase from?
When it comes to SSL, some of the big names are GeoTrust, DigiCert, Symantec (formerly Verisign) and more. There are also third-party resellers, such as NameCheap and Comodo, which offer the same protection at discounted prices.
What about free certificates?
Why pay for something that’s free, you ask? When a user visits a website that is secured with a self-signed, or free, SSL certificate, most web browsers will display an error message. While some people will click “I understand the risks” and proceed to your site, it’s likely that many people will click the “Get me out of here!” button and never return.
The real problem lies in the fact that self-signed certificates are virtually unregulated. If your site is compromised, it may still appear secure; however, certificates issued by a trusted certificate authority can be revoked and therefore alert users of any potential threats.
The only time a self-signed certificate should be used is when testing behind a firewall. You can get around purchasing a certificate altogether if you use a company like PayPal to handle your transactions, as the PayPal site will secure the transaction on your behalf.
What kind of warranty should I look for?
Like any type of insurance, SSL certificates vary significantly in price based on the amount of warranty coverage they offer. However, the warranty that you get when you purchase an SSL certificate can be misleading. It is not a warranty to the purchaser (you) but rather to the end users.
In a nutshell, if a consumer suffers a monetary loss after making a purchase on a fraudulent website, the certificate authority is technically at fault for not displaying a browser warning and failing to protect the consumer. In this situation, the warranty value would be paid out to the customer, given that the amount being disputed is less than the warranty itself.
Take note, this practically never happens! If a user were to get scammed by a website, the first course of action they would likely take is to contact their credit card company. However, in order to make good on the warranty, the end user would have to take note of which SSL provider the fraudulent website was using and contact them directly. While having a substantial amount of warranty coverage may give you peace of mind, it’s often used as a tactic to convince you to pay more for the same product.
Securing multiple properties
Single-name SSL certificates protect a single domain. For example, if you were to purchase a certificate for www.wonderfullywhisked.com, it would not secure baking.wonderfullywhisked.com.
Wildcard certificates allow you to secure an unlimited number of subdomains under a single root domain. For example, say you want to secure the domain www.wonderfullywhisked.com and its subdomains. You would need to request a wildcard certificate with *.wonderfullywhisked.com as the common name. This certificate would secure www.wonderfullywhisked.com, baking.wonderfullywhisked.com, cooking.wonderfullywhisked.com, etc.
Wildcard certificates can easily pay for themselves over time, especially if you need to secure four-plus subdomains. As an added benefit, it’s much easier to manage one wildcard certificate than 12 single certificates.
Multi-domain certificates can protect upwards of 210 different domains with a single certificate (depending on the provider you choose).
Troubleshooting common problems
There are a few common errors which can invalidate your SSL certificate:
- Serving mixed content
- Certificate name mismatch error
- Missing intermediate certificate
- Expired certificate
- Certificate viewed is not the one installed
A certificate name mismatch error often results from requesting an SSL certificate for what you assume your domain name is when that name does not actually match the domain your site is served from. For example, if your website is secured by a certificate that specifies “www.wonderfullywhisked.com” and your website is loading a non-www version, a mismatch error will occur.
For an HTTPS connection to be established, the domain in the browser bar must be an exact match with the domain you entered when you registered the certificate.
Many people overlook the fact that you must install an intermediate/chain certificate in order for your certificate to function properly. Depending on your server type, you may be required to use one or two intermediate certificates.
Always ensure your certificate is up to date. Many browsers will allow you to check this under their Advanced Settings, but you can also use SSL Shopper’s SSL Checker to get this information. Most certificates can be renewed as early as 90 days before they expire.
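The name-mismatch and expiry checks above, together with the wildcard rule from the section on securing multiple properties, as an added example that is not part of the original guide. The function names and the sample certificate are assumptions made for illustration; the example also goes slightly beyond the text by showing that a wildcard stands for exactly one label, so it covers neither the bare root domain nor a sub-subdomain.

```python
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 90  # the guide's figure for how early most certificates can be renewed


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard replaces exactly one left-most label; "*.com" is rejected.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def certificate_names(cert: dict) -> list:
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # Fall back to the common name only when the certificate lists no SAN DNS names.
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def diagnose(cert: dict, hostname: str, now: datetime) -> list:
    """Return the troubleshooting findings that apply to this certificate."""
    findings = []
    if not any(name_matches(n, hostname) for n in certificate_names(cert)):
        findings.append("name mismatch")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= RENEWAL_WINDOW_DAYS:
        findings.append("renew soon")
    return findings


# Constructed sample in the format getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.wonderfullywhisked.com"),),),
    "subjectAltName": (("DNS", "*.wonderfullywhisked.com"),),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    now = datetime(2025, 4, 1, tzinfo=timezone.utc)
    for host in ("www.wonderfullywhisked.com", "wonderfullywhisked.com"):
        print(host, diagnose(SAMPLE_CERT, host, now))
```

To check a live site, pass the dict returned by `getpeercert()` on a connected `ssl.SSLSocket` in place of `SAMPLE_CERT`.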
If a certificate appears that is not the one you just installed, that is because only one certificate can be installed on the same IP address and socket number. The one installed first will be recognized.
Choosing a certificate
Choosing an SSL certificate can be complicated, since not all providers offer all the same certificate types. To simplify the process, you can refer to the table below, which outlines the certificate offerings from six of the major SSL providers. If you plan to stick with the same SSL provider for more than one year, you can often receive a substantial discount if you pay for two or more years upfront.
Purchasing through a third-party reseller tends to be the cheapest option — the only caveat being the quality of customer assistance you may receive.
How to choose a certificate:
- Identify the property types you wish to protect (domain, sub-domain).
- Identify if you need protection for a single property or multiple properties (wildcard or multiple domain).
- Then, decide which level of protection you need:
  - domain-validated — LOW
  - organization-validated — MEDIUM
  - extended validation — HIGH