logo
...

Build Instant User Trust

All SSL Certificates encrypt traffic. But not all SSL Certificates are the same.

ssl

Which SSL Certificate Is Right For You?

Navigating through the world of SSL can be challenging. There are so many different brands, and each of them have different names for their products. How does one decide what they actually need with so many choices? We're going to break it down into easier bits to digest.

Let's start with Validation, which is probably the most important piece of the trust equation. Validation is the process that the Certificate Authority or CA (the company that is creating your Certificate) uses to verify that the person/business requesting the Certificate is who they say they are, and that they are authorized to do so. There are 3 methods for this, and the process ranges from a few minutes, to about a week.

The first method is Domain Validation (DV). This is the most quickest, least trustworthy validation. The CA simply verifies that the requestor owns the domain. Next there is Business/Organizational Validation (OV). With OV, the CA verifies the business entity via a database search, and also does the domain control validation. Finally, there's Extended Validation (EV). EV has the same checks as OV & DV, but the CA does a deeper dive into the business, and also does a live callback, to verify.

Aside from the differences in validation, each method will also dictate what information is provided in the Certificate details. With a DV Certificate, only the domain name is listed. In an OV Certificate, the company name is also included. And With EV, there is full business information.

ssl

So now that we know the Validation types, we can look at the types of certs. Generally speaking they fall into 2 catagories; single domain, and multi-domain. Single domain options are pretty straight forward. One Certificate secures one domain. For multi-domain, there are 3 options; Wildcard which will secure multiple subdomains like *.domain.com.

SAN Multi-Domain which stands for Subject Alternate Names, which just means alternate domain names. Usually you can get up to 250 SAN items in a single domain. This is great for when you have domain.com, domain.net, someotherdomain.com, etc. Instead of having to generate keys and CSR's on each server, for each Certificate, you can simply create one and put them all in it, and install the same Certificate on all of the servers.

And finally, there's a relatively new type of Certificate called Flex SSL. Flex combines Wildcard and Multi-Domain SAN, so you can mix and match subdomains and domains in a single package.

Ready to buy?

We offer Certificates from 5 of the top names in digital assurance, at some of the lowest prices on the internet. Prices start at just $9.95/year, and all Certificates have multi-year discounts, bringing those costs down even further. Click on a brand to get started.

Expert Support

Help is just a few clicks away! Open a support ticket and relax. We'll help you sort out that pesky problem in no time.

support

Frequently Asked Questions

You've got questions, we've got answers. Still have questions? Contact us!

SSL stands for Secure Sockets Layer. It's actually an outdated term, as SSL was replaced by Transport Layer Security (TLS) a long time ago, but most people still refer to it as SSL anyway. It is a digital encryption protocol used to encrypt/secure information sent from a browser to a server, or server to server. SSL certificates are used to protect sensitive information like credit card numbers, usernames, passwords, email addresses, etc.

When a web browser connects to a server over the HTTPS protocol, the server sends a copy of it's SSL Certificate to the browser. The browser verifies the certificate against the Trusted Root built into the browser, and makes sure the server is who it says it is. Once verified, they pass each other keys to generate the session keys, and a secure tunnel is setup.

A Certificate Authority (CA) is a company who issues SSL Certificates from their Trusted Root cryptography key. These keys are installed in web browsers, so that the keys they issue can be validated. Trusted CA's are the partners that we resell for like, DigiCert, GeoTrust, GoGetSSL, Sectigo, & Thawte. Additionally, there are free providers like LetsEncrypt, and CloudFlare.

A Certificate Signing Request (CSR) contains information about your domain/company that the Certificate Authority (CA) will use to create your SSL Certificate. You generate this from the server where you plan to install the Certificate. The process is different based on the web server software you use, but the end result is the same. You get an encoded file that contains the details of the CSR, with the public key. You also generate a private key. You send the CSR to the CA, with the matching details for your domain, and they generate the SSL Certificate for you.

Domain Validated SSL Certificates can be validated in one of three ways:

  • Email Email validation is the quickest and easiest. When you place a Certificate order, it will ask you to select the authorized email from a list. The following options will be presented:
    • admin@domain
    • administrator@domain
    • hostmaster@domain
    • postmaster@domain
    • webmaster@domain
    • Any contact email listed on the domain registration

    When the order is processed, you'll get an email with a code and link to validate. Once you go to that link and provide the code, Domain Control has been verified.

  • HTTP Hash The file hash method requires you to upload a file onto the server that you're going to install the Certificate on. The file contains a hash from the CSR. Once the file is available, validation can happen pretty quickly.

  • DNS CNAME The CNAME method requires you to create a CNAME record in your domains DNS zone, from a hash from your CSR. This can take up to 24 hours to validate.

Organization Validation does the same basic domain control check as DV, then a business registration check. This can usually be done by the CA online, by searching DUNS or Yellow Pages. If they're unable to find this information, then they're request some documentation from you, like your business registration or Articles of Incorporation. The process usually takes 1-3 days, depending on how quickly they start the process, and how quickly you respond to any requests.

Extended Validation uses the same method as OV, just a much more thorough validation. The first step is signing a Subscriber Agreement and Certificate Request Form. These give some basic information for the CA to start the vetting process, as well as you agreeing to the terms. Once they have that, they do the business validation. That is followed by the domain control check. Finally, they initiate a manual callback to the number listed on your business database. They ask for a confirmation that you ordered the EV Certificate and approve it.

Flex SSL Certificates allow you to mix and match Fully Qualified Domains Names (FQDN), and Wildcard SAN items. This gives you the flexability to completely customize your Certificate with all of the possible combinations of your domains and IP addresses. Not only on order, but also throughout the life of the Certificate. You simply purchase a new SAN for each item you wish to add, and reissue the Certificate. This is a huge time and money saver, since you no longer need to manage multiple Certificates across all of your servers. It also saves on IP space, since you don't need to reserve an IP address for each domain/Certificate combo, as you normally would.

Short answer, probably not. Longer answer, maybe. It really depends on your hosting setup. Dedicated IP's used to be a requirement, due to the way that web servers served web sites. However, way back in 2003 Server Name Indication (SNI) was added to the TLS protocol. SNI allows virtual hosts (websites on shared IP's) to serve a different SSL Certificate per domain, instead of being tied to individual IP's. Since this has been the standard for several years now, it's most likely that you're using SNI, and your users browsers will support it. If you're worried about supporting Windows XP users or very old Blackberry clients, then definitely get a dedicated IP. Otherwise, just double check with your web host.

The old saying, "if it sounds too good to be true, it probably isn't" does not apply here! Being a reseller for a large SSL provider, gives us deep discounts over retail, that we're able to pass on to you. We're not the cheapest, but we certainly try to be in the lowest range.

Yes. Every website should have an SSL Certificate now. As of 2018, Google started (publicly) penalizing websites that do not have SSL Certificates. They did so by putting a warning in their browser that your site is insecure. Other browsers quickly followed suit. The other area where you are penalized is in search rankings. The dirty secret is that they've done this for much longer. So if you spend any time doing SEO, and you don't have an SSL Certificate, it's partly wasted effort.

Just get a cert! For your average blog or other site where you are not taking personal information, you can just get a free Certificate from LetsEncrypt or CloudFlare. If you're taking any sort of personal information or credit cards, you absolutely should get a validated cert from a trusted CA.