Digital SSL certificates: varieties and how to choose

There are many kinds of digital certificates, each serving its own purpose. The most common are SSL certificates, which themselves come in several subtypes. There are also Code Signing certificates, Website Anti-Malware Scanner certificates and Unified Communications certificates.

Since we sell all of these types, we have accumulated some experience with certificates and with choosing the right one for a given situation. I will try to share this knowledge over several posts.

So if your task is to set up a secure HTTPS connection for your site, this post tries to cover all the details and features of SSL certificates to make the right choice easier.

Let's start with the most common kind: SSL certificates.

SSL certificates are currently the most common type of certificate on the Internet. They are used most often in online stores, that is, on sites with an ordering function where the customer enters personal data. So that this data cannot be intercepted in transit between the browser and the server, the HTTPS protocol is used, which encrypts everything transmitted.

To enable HTTPS you need a digital SSL certificate (and, for a given site, a dedicated IP address).

What is an SSL certificate?


SSL is short for Secure Sockets Layer, the standard Internet security technology used to provide an encrypted connection between a web server (site) and a browser. An SSL certificate is what lets a site use the HTTPS protocol. This secure connection ensures that the information transferred between your browser and the server remains private, that is, protected from anyone who wants to intercept or steal it. One of the most common uses of SSL is protecting a customer during an online transaction (purchasing goods, making a payment).

How to get an SSL certificate?


The easiest (and free) way is to use a so-called self-signed certificate, which can be generated directly on the web server. All the popular hosting control panels (cPanel, ISPmanager, DirectAdmin) offer this feature out of the box, so we will skip the technical side of creating one here.

The advantage of a self-signed certificate is its price, or rather the absence of one: you do not pay a dime for it. The disadvantage is that every browser will show an error for such a certificate, warning that the site has not been verified.


So for internal and administrative use such certificates are fine, but for public sites, and even more so for sites that sell services, they are contraindicated. Judge for yourself: would you want your customer to see a full-screen error while ordering a service? In practice, such a page stops most customers in their tracks and kills any desire to continue the order.

Why do browsers warn about self-signed certificates, and how can this be avoided? To answer that, we need to talk a little about how SSL certificates work.

How does an SSL certificate work?


To obtain an SSL certificate, the very first step is to create a special certificate issuance request, the so-called CSR (Certificate Signing Request). While creating it you will be asked a series of questions about your domain and your company. On completion, your web server will create two cryptographic keys: a private key and a public key.

The public key is not secret and is embedded in the CSR together with the details you entered. Here is an example of such a request:
The data contained in such a request can be easily checked with a CSR Decoder service, for example CSR Decoder 1 or CSR Decoder 2. The second service provides more information about the CSR and also checks its validity (the Signature field in the results).

If we paste such a request into the decoder form, we will see what data the request carries alongside the public key.

CSR Information:
Common Name: tuthost.ua - the domain name that we protect with this certificate
Organization: TutHost - the name of the organization that owns the domain
Organization Unit: Hosting department - the unit of the organization
Locality: Kiev - the city where the organization's office is located
State: Kiev - region or state
Country: UA - two-letter code of the country where the office is located
Email: support@tuthost.com - contact email of the technical administrator or support service
An important point: pay attention to the Country field. Its format allows only a two-letter code according to the ISO 3166-1 standard; if you are not sure of your country's code, you can look it up, for example, in the ISO 3166-1 table. I draw attention to this field because the most common mistake our customers make when generating a CSR is a wrong country code, and a certificate cannot be issued from such a CSR.
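As an added example (not from the original article), the same CSR can be created and decoded locally with the OpenSSL command-line tool instead of an online decoder; the subject values are the article's sample data, the file names are arbitrary, and the script also checks the signature, the key pairing and the two-letter Country field discussed above.

```shell
#!/bin/sh
# Added example: create a private key and CSR with OpenSSL, then decode the CSR
# locally the way an online CSR Decoder does. Subject values are the article's
# sample data; the temp directory and file names are arbitrary choices.
set -eu
export LC_ALL=C
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/tuthost.key"
CSR="$WORK/tuthost.csr"

# Generate a 2048-bit RSA private key and the CSR in one step. -nodes leaves the
# key unencrypted, which a web server needs in order to start unattended.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$KEY" -out "$CSR" \
        -subj "/C=UA/ST=Kiev/L=Kiev/O=TutHost/OU=Hosting department/CN=tuthost.ua/emailAddress=support@tuthost.com" \
        2>/dev/null
}

# Print one subject attribute ($1 = C, ST, L, O, OU, CN or emailAddress) of CSR $2.
csr_field() {
    openssl req -in "$2" -noout -subject -nameopt sep_multiline,utf8 \
        | sed -n "s/^ *$1 *= *//p"
}

# The CSR is signed with the new private key; a decoder's "Signature" check is
# exactly this verification. Non-zero exit means the request was altered or corrupted.
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# The Country field must be exactly two uppercase letters (ISO 3166-1 alpha-2);
# anything else is the mistake that blocks issuance.
check_country() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *)          return 1 ;;
    esac
}

# The public key inside the CSR must be the one derived from the private key that
# stays on the server; this is the pairing the server relies on when the issued
# certificate arrives.
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

make_csr
echo "Common Name : $(csr_field CN "$CSR")"
echo "Organization: $(csr_field O "$CSR")"
echo "Country     : $(csr_field C "$CSR")"
verify_csr "$CSR" && echo "signature   : OK"
check_country "$(csr_field C "$CSR")" && echo "country code: valid"
key_matches_csr "$KEY" "$CSR" && echo "key pairing : OK"
```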

Once the CSR is generated, you can apply for the certificate. During this process the certification authority (CA) verifies the data you entered and, after successful verification, issues an SSL certificate containing your data, which lets you use HTTPS. Your server pairs the issued certificate with the private key generated earlier, and you are then ready to provide an encrypted, secure connection between your site and the client's browser.

What data does the SSL certificate contain?

The following information is stored in the certificate:
  • the full (unique) name of the certificate holder
  • the holder's public key
  • the certificate's issue date
  • the certificate's expiration date
  • the full (unique) name of the certification authority
  • the issuer's digital signature


What are certificate authorities (CA)?

A certificate authority is an organization entitled to issue digital certificates. Before issuing one, it checks the data contained in the CSR. For the simplest certificates only control of the domain name is checked; for the most expensive, a series of checks is made on the organization requesting the certificate. More on this below.

So the difference between a free self-signed certificate and a paid one issued by a certification authority is precisely that the data in the latter has been verified by the CA, and a visitor to a site using it will never see a huge full-screen error.

Generally speaking, an SSL certificate contains and displays (at least one of) your domain name, your organization name, your address, city and country. The certificate also always has an expiration date and information about the certification authority that issued it. When a browser connects to a secure site, it receives the site's SSL certificate and performs a series of checks: whether the certificate has expired, whether it was issued by a certificate authority (CA) known to the browser, and whether it is being used on the site for which it was issued.

If any of these checks fails, the browser shows the visitor a warning that the site is not using a secure SSL connection and offers to leave the site or continue, with great caution. This is the last thing you want your potential customers to see.
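The three browser checks described above, reproduced with the OpenSSL command line as an added example (not from the original article): a throwaway root CA and a certificate for tuthost.ua are constructed locally so the script runs offline, and "Example Test Root CA", "shop.example" and all file names are made-up values. The same commands diagnose the case discussed further down, where the issuing root is missing from the server's ca-bundle.

```shell
#!/bin/sh
# Added example: reproduce the browser's certificate checks (trusted issuer, validity
# period, hostname match) with openssl. A throwaway root CA and a leaf certificate for
# tuthost.ua are constructed here so the script runs offline; names and paths are made up.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed root, standing in for a CA whose root certificate a browser ships.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/O=Example Test Root CA/CN=Example Test Root CA" 2>/dev/null
}

# 2. A CSR for the site, signed by the root for 90 days, with the hostname in
#    subjectAltName (the field browsers match against).
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/C=UA/O=TutHost/CN=tuthost.ua" 2>/dev/null
    printf 'subjectAltName=DNS:tuthost.ua\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 90 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# What the browser does, in one call: chain to a root in the trust store $1 (the
# ca-bundle), certificate within its validity period, and issued for host $2.
browser_check() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# The same certificate checked by a client that does not have its root at all:
# this is the situation of a self-signed certificate or a missing root in the bundle.
check_without_root() {
    openssl verify -no-CAfile -no-CApath -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# The three checks separately, for finding out which one failed.
is_trusted()   { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
not_expired()  { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }
host_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

make_root
make_leaf
browser_check "$WORK/root.pem" tuthost.ua "$WORK/leaf.pem" && echo "tuthost.ua: all checks pass"
browser_check "$WORK/root.pem" shop.example "$WORK/leaf.pem" || echo "shop.example: hostname mismatch"
check_without_root tuthost.ua "$WORK/leaf.pem" || echo "root not in trust store: browser would warn"
```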

There are many certification authorities; here is a list of the most popular:
Comodo - operating since 1998, headquartered in Jersey City, New Jersey, USA.
GeoTrust - founded in 2001, sold to Verisign in 2006, headquartered in Mountain View, California, USA.
Symantec - the former Verisign business, which also includes GeoTrust; Symantec acquired them all in 2010.
Thawte - founded in 1995, sold to Verisign in 1999.
Trustwave - operating since 1995, headquartered in Chicago, Illinois, USA.

As you can see, the largest player in the SSL certificate market is Symantec, which owns the three largest certificate authorities: Thawte, Verisign and GeoTrust.

Is there a difference in which certification authority to order a certificate?

The main differences between certificate authorities are the price of their certificates and the number of browsers in which their root certificate is installed. After all, if a browser does not have a given CA's root certificate, a visitor using that browser will still get an error when opening a site with a certificate from that CA.
As for the certification authorities listed above, their root certificates are installed in perhaps 99.99% of all existing browsers.

To see which certificate authorities' root certificates are installed in your browser, look for the corresponding option in its settings (in Chrome: Settings -> Show advanced settings -> Manage certificates -> Trusted Root Certification Authorities). Chrome has more than 50 such root certificates.

An important point: our clients have often run into a situation where an SSL certificate is installed on the server, yet the browser still shows an error when visiting the site. This happens either because the issuing CA's root certificate is missing from the ca-bundle.crt file or because that root certificate is outdated. Root certificates also have a validity period (in browsers they are updated along with the browser itself).

Since July 2010 certification authorities have switched to 2048-bit RSA keys, so for all new certificates to work correctly the new root certificates must be installed.
If the new root certificates are not installed, this can cause problems with installing the certificate correctly and with its recognition by some browsers.
Links to the certification authorities' pages where the new root certificates can be downloaded are given below.

RapidSSL Certificate

GeoTrust SSL Certificates

Thawte SSL certificates

VeriSign SSL Certificates

Buying certificates directly from certification authorities is not cost-effective: the price for end users is significantly higher than for partners, and if you need to account for such a purchase in your bookkeeping, that will also be difficult. It is most advantageous to buy through partners. Partners purchase certificates in bulk at special prices, which lets them sell certificates much cheaper than the certification authority does directly.

This brings us to the types of SSL certificates.

What types of SSL certificates exist?



Certificates differ from one another in their properties and in their level of validation.

Types of certificates by validation level


  • Certificates that confirm only the domain name (Domain Validation - DV).
  • Certificates that confirm the domain and the organization (Organization Validation - OV).
  • Certificates with extended validation (Extended Validation - EV).

We will deal with them in order:

Domain Only Certificates

These are the simplest certificates and the right choice if you need a certificate urgently, since they are issued automatically and instantly.
To validate such a certificate, an email is sent containing a special link that you must click to confirm the issuance.

An important point: this email can only be sent to the so-called approver email that you specify when ordering the certificate, and there are requirements for that address: it must either be in the same domain for which you order the certificate, or be listed in the domain's whois record.
If you use an address in the certificate's domain, it cannot be just any address either; it must match one of these templates:
admin@
administrator@
hostmaster@
postmaster@
webmaster@
Another important point: certificates with instant issuance are sometimes pulled for additional manual verification by the certification authority; the certificates to be checked are selected at random. So always remember that there is a small chance your certificate will not be issued immediately.

SSL certificates with domain validation are issued once the certification authority has verified that the applicant has rights to the specified domain name. No verification of the organization is carried out, and no information about the organization appears in the certificate.

Certificates with organization validation.

Such a certificate already contains the name of the organization. A private individual cannot obtain one. Issuance usually takes 3 to 10 working days, depending on the certification authority.

The process of issuing OV certificates

After receiving a request for a certificate with organization validation, the certification authority checks whether the organization named in the CSR really exists and whether the specified domain belongs to it.

What is checked in such cases?

Verification differs slightly between certification authorities, so here is a general list of what may be checked or requested:

  1. The organization's presence in international yellow pages - not checked by all certification authorities.
  2. The organization's name in the domain's whois record - mandatory; if it is not there, you will most likely be asked for a letter of guarantee stating that the domain really belongs to the organization, and sometimes for confirmation from the registrar.
  3. A certificate of state registration - required less and less; nowadays verification is more often done through specialized companies that confirm the organization's existence through their own channels. For Ukraine, for example, you may be checked against the EDRPOU register.
  4. An invoice from the telephone company showing your organization's name and the phone number given in the order - this confirms the phone number is genuine. Requested less and less.
  5. A test call - more often the phone number is verified by calling the number given in the order and asking for the employee listed as the administrative contact. Not all certification authorities have Russian-speaking staff, so warn whoever answers the phone that a call from an English-speaking company is possible.

Extended Validation Certificates.

These are the most expensive certificates and the hardest to obtain. Such certificates produce the so-called "green bar": when a visitor opens a site where the certificate is installed, a green bar appears in the browser's address bar showing the name of the organization that received the certificate.

Here's what it looks like on Thawte's website.


Such certificates enjoy the highest level of trust among knowledgeable visitors to your site, since the certificate shows that the company really exists, has passed a full audit, and really owns the site.

SSL certificates with extended validation (EV) are issued only after the certification authority (CA) has performed two kinds of checks: that the organization has the right to use the specific domain, and a thorough verification of the organization itself. The process for issuing EV certificates is standardized and must strictly comply with the EV guidelines created by the CA/Browser Forum in 2007. They set out the steps a certification authority must perform before issuing an EV certificate:
  1. Verify the legal, physical and operational existence of the subject.
  2. Verify that the organization's identity matches official records.
  3. Verify that the organization has the exclusive right to use the domain specified in the EV certificate.
  4. Verify that the organization has properly authorized the issuance of the EV certificate.


The list of what is specifically verified is the same as for certificates with organization validation.

EV certificates are used by all types of businesses, including government and non-profit organizations. Issuance takes 10-14 days.

The second part of the guidelines concerns the certification authority itself and describes the criteria a CA must meet before it is permitted to issue EV certificates. It is called the EV audit guidelines, and compliance with it is checked every year.

Types of SSL certificates by their properties.


Regular SSL certificates

Everything is straightforward here: these are certificates that are issued automatically and confirm only the domain. Suitable for any site.
Price: from $20 per year.

SGC certificates

Certificates that support step-up encryption (Server Gated Cryptography). Relevant for very old browsers that supported only 40- or 56-bit encryption: with such a certificate the encryption level is forced up to 128 bits.
In all our time we have bought no more than one such certificate. My opinion is that they are no longer needed, except for internal use in large corporations where very old hardware survives.
Price: from $300 per year.

Wildcard certificates

These are needed when, in addition to the main domain, you also have to provide encryption on all subdomains of that domain. For example, you have domain.com and need to install the same certificate on support.domain.com, forum.domain.com and billing.domain.com.
Tip: count the subdomains you actually need a certificate for; sometimes it is cheaper to buy several ordinary certificates separately.
Price: from $180 per year. As you can see, with fewer than 9 subdomains it is cheaper to buy regular certificates, although a single wildcard is more convenient to use.

SAN certificates

Useful when you want one certificate for several different domains hosted on the same server. Typically such a certificate covers 5 domains, and the number can be increased in increments of 5.
Price: from $395 per year.

EV certificates

These are the certificates with extended validation and the green bar in the browser discussed above. Only a legal entity (commercial, non-profit or government organization) can obtain them.
Price: from $250 per year.

IDN Support Certificates

As a rule, certificate authorities do not state this option in the certificate description, yet not all certificates support IDN domains. So I will simply list the certificates that do:
  • Thawte SSL123 Certificate
  • Thawte SSL Web Server
  • Symantec Secure Site
  • Thawte SGC SuperCerts
  • Thawte SSL Web Server Wildcard
  • Thawte SSL Web Server with EV
  • Symantec Secure Site Pro
  • Symantec Secure Site with EV
  • Symantec Secure Site Pro with EV

How to choose the cheapest certificate?

GeoTrust has the cheapest SAN certificates. Domain-only validation certificates, as well as wildcards, are cheapest from RapidSSL. EV certificates are also cheapest from GeoTrust. Only Thawte and Verisign offer SGC certificates, and Thawte is cheaper.

What are the differences between certificates

  • Speed of issuance. Domain-only validation certificates are issued fastest; EV certificates take longest, from 7 business days.
  • Reissuance. Unlimited with most certificate authorities. Needed if you make a mistake in the organization data.
  • Warranty. Some certificates carry a warranty of $10,000. This guarantee is apparently not for the buyer of the certificate but for the visitor to the site where it is installed: if a visitor to a site with such a certificate falls victim to fraud and loses money, the certification authority is obliged to compensate the visitor up to the amount specified in the warranty. In effect the CA guarantees that its certificates cannot be installed on a bogus domain. I know of no such cases in practice, so you can ignore this parameter.
  • Free trial period. Available for Symantec Secure Site, GeoTrust RapidSSL, Comodo PositiveSSL and Thawte SSL Web Server. For testing you can also use free certificates: StartSSL™ Free.
  • Refund. Almost all certificates have a 30-day money-back period, although some have none.


Useful utilities:


  1. OpenSSL - the most common utility for generating a private key and a certificate request (containing the public key).
    http://www.openssl.org/
  2. CSR Decoder - a utility for checking a CSR and the data it contains; I recommend using it before ordering a certificate.
    CSR Decoder 1 or CSR Decoder 2
  3. DigiCert Certificate Tester - a utility for checking the installed certificate itself.
    http://www.digicert.com/help/?rid=011592
    http://www.sslshopper.com/ssl-checker.html


In the following parts I will try to talk about the other types of certificates.

P.S. I will gladly answer any questions about choosing an SSL certificate in the comments.
P.P.S. Anyone who wants a 30% discount on SSL certificates, message me privately.

Update: an important point. Some certificates work on a domain both with and without www, that is, one certificate is enough to protect www.domain.com and domain.com, but you must order it for www.domain.com.
This applies to the following certificates:
  • RapidSSL
  • QuickSSL Premium
  • True BusinessID
  • True BusinessID with EV