
Digital SSL certificates: the varieties and how to choose

There are many kinds of digital certificates, each serving its own purpose. The most common by far are SSL certificates, which themselves come in several subtypes. There are also Code Signing certificates, Website Anti-Malware Scanner certificates and Unified Communications certificates.

Since we sell all types of certificates, we have accumulated a fair amount of experience with them and with choosing the right certificate for a given situation. I will try to share this information over several posts.

So if your task is to set up a secure HTTPS connection for your site, this post will walk through the subtleties and features of SSL certificates so that making the right choice is easier.

Let's start with the most common kind, SSL certificates.

SSL certificates are currently the most common type of certificate on the Internet. Most often they are used in online stores, that is, on sites with an ordering function where the customer enters personal data. So that this data cannot be intercepted on its way from the browser to the server, a special protocol, HTTPS, is used, which encrypts everything transmitted.

To enable HTTPS on a site you need a digital SSL certificate. (At the time of writing you also needed a dedicated IP address for each HTTPS site; with SNI, which all current browsers support, several certificates can share one IP address.)

What is an SSL certificate?


SSL is short for Secure Sockets Layer, a standard Internet security technology used to provide an encrypted connection between a web server (site) and a browser; its successor is TLS (Transport Layer Security), though the certificates are still commonly called SSL certificates. An SSL certificate is what allows us to use the HTTPS protocol. This is a secure connection which ensures that the information transmitted between your browser and the server stays private, that is, protected from anyone who wants to intercept or steal it. One of the most common uses of SSL is to protect a client during an online transaction (a purchase or payment).

How to get SSL certificate?


The easiest and free way is the so-called self-signed certificate, which can be generated directly on the web server. All the popular hosting control panels (cPanel, ISPmanager, DirectAdmin) offer this feature by default, so we will omit the technical side of generating one.

The plus of a self-signed certificate is its price, or rather the absence of one: you do not pay a penny for it. The minus is that every browser will show an error for such a certificate, warning that the site has not been verified.


That is, such certificates are fine for internal use and test systems, but for public sites, and even more so for sites that sell services, they are contraindicated. Judge for yourself: would you want your client to see this full-screen error while ordering a service? As practice shows, most clients are stopped cold by such a page and lose the desire to continue the order.

Why do browsers show this warning for self-signed certificates, and how can it be avoided? To answer this we need to say a little about how SSL certificates work.

How does an SSL certificate work?


So, the very first thing to do to get an SSL certificate is to create a special request for its issuance, the so-called Certificate Signing Request (CSR). When generating it you will be asked a series of questions about your domain and your company. In the process your web server creates a pair of cryptographic keys: a private key, which must never leave the server, and a public key.

The public key is not secret and is placed in the CSR; the request is then signed with the private key, so the CA can check that whoever sent it really holds that key.
Here is an example of such a request:
-----BEGIN CERTIFICATE REQUEST-----
MIIC3zCCAccCAQAwgZkxCzAJBgNVBAYTAlVBMQ0wCwYDVQQIEwRLaWV2MQ0wCwYD
VQQHEwRLaWV2MRQwEgYDVQQKEwtIb3N0QXV0b21hdDEQMA4GA1UECxMHaG9zdGlu
ZzEmMCQGCSqGSIb3DQEJARYXc3VwcG9ydEBob3N0YXV0b21hdC5jb20xHDAaBgNV
BAMTE3d3dy5ob3N0YXV0b21hdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDTg7iUv/iX+SyZl74GcUVFHjFC5IqlTNEzWgLWrsSmxGxlGzXkUKid
NyXWa0O3ayJHOiv1BSX1l672tTqeHxhGuM6F7l5FTRWUyFHUxSU2Kmci6vR6fw5c
cgWOMMNdMg7V5bMOD8tfI74oBkVE7hV95Ds3c594u7kMLvHR+xui2S3z2JJQEwCh
mflIojGnSCO/iv64RL9vjZ5B4jAWJwrruIXO5ILTdis41Z1nNIx3bBqkif0H/G4e
O5WF6fFb7etm8M+d8ebkqEztRAVdhXvTGBZ4Mt2DOV/bV4e/ffmQJxffTYEqWg8w
b465GdAJcLhhiSaHgqRzrprKns7QSGjdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOC
AQEAuCfJKehyjt7N1IDv44dd+V61MIqlDhna0LCXH1uT7R9H8mdlnuk8yevEcCRI
krnWAlA9GT3VkOY3Il4WTGg3wmtq6WAgLkVXQnhIpGDdYAflpAVeMKil8Z46BGIh
KQGngL2PjWdhMVLlRTB/01nVSKSEk2jhO8+7yLOY1MoGIvwAEF4CL1lAjov8U4XG
NfQldSWT1o8z9sDeGsGSf5DAXpcccx0gCyk90HFJxhbm/vTxjJgchUFro/0goVpB
credpKxtkwBMuCzeSyDnkQft0eLtZ9b9Q4+ZNDWsPPKxo/zWHm6Pa/4F4o2QKvPC
Px9x4fm+/xHqkhkR79LxJ+EHzQ==
-----END CERTIFICATE REQUEST-----

The data contained in this request can easily be checked with an online CSR decoder, for example CSR Decoder 1 or CSR Decoder 2. The second service gives more information about the CSR and also checks that it is valid (the Signature field in the results).

If we paste such a request into the decoder form, we see what data the request carries alongside the public key.

CSR Information:
Common Name: www.hostautomat.com - the domain name we are protecting with this certificate
Organization: HostAutomat - the name of the organization that owns the domain
Organization Unit: hosting - the organizational unit (department)
Locality: Kiev - the city where the office is located
State: Kiev - region or state
Country: UA - two-letter code of the country where the office is located
Email: support@hostautomat.com - contact email of the technical administrator or support service

An important point: pay attention to the Country field. Its format allows only a two-letter ISO 3166-1 code; if you are not sure of your country's code, check it, for example, in the ISO 3166-1 table. I draw attention to this field because the most common mistake our clients make when generating a CSR is a wrong country code, and a certificate cannot be issued from such a CSR.
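The online decoders do nothing magical: a CSR is a PKCS#10 structure in DER encoding, wrapped in base64. The following is an added example, not code from the original post or from any CA's decoder, that does the same job offline with the Python standard library only: it walks the DER, extracts the subject fields shown above, reports the RSA key size, flags a Country value that is not a two-letter code, and verifies the request's own signature with a PKCS#1 v1.5 check. The embedded CSR is the one printed above; the field names and the warning text are this example's own choices.

```python
"""Decode a PEM CSR and check its signature with the standard library only.
Added example, not code from the original post or any CA decoder. It walks the
DER of the PKCS#10 request, extracts the subject fields online CSR decoders
show, reports the RSA key size, flags a malformed Country, and verifies the
request's sha1/sha256WithRSA signature (PKCS#1 v1.5). CSR_PEM is the request
printed in the article."""
import base64
import hashlib
import re

CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIC3zCCAccCAQAwgZkxCzAJBgNVBAYTAlVBMQ0wCwYDVQQIEwRLaWV2MQ0wCwYD
VQQHEwRLaWV2MRQwEgYDVQQKEwtIb3N0QXV0b21hdDEQMA4GA1UECxMHaG9zdGlu
ZzEmMCQGCSqGSIb3DQEJARYXc3VwcG9ydEBob3N0YXV0b21hdC5jb20xHDAaBgNV
BAMTE3d3dy5ob3N0YXV0b21hdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDTg7iUv/iX+SyZl74GcUVFHjFC5IqlTNEzWgLWrsSmxGxlGzXkUKid
NyXWa0O3ayJHOiv1BSX1l672tTqeHxhGuM6F7l5FTRWUyFHUxSU2Kmci6vR6fw5c
cgWOMMNdMg7V5bMOD8tfI74oBkVE7hV95Ds3c594u7kMLvHR+xui2S3z2JJQEwCh
mflIojGnSCO/iv64RL9vjZ5B4jAWJwrruIXO5ILTdis41Z1nNIx3bBqkif0H/G4e
O5WF6fFb7etm8M+d8ebkqEztRAVdhXvTGBZ4Mt2DOV/bV4e/ffmQJxffTYEqWg8w
b465GdAJcLhhiSaHgqRzrprKns7QSGjdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOC
AQEAuCfJKehyjt7N1IDv44dd+V61MIqlDhna0LCXH1uT7R9H8mdlnuk8yevEcCRI
krnWAlA9GT3VkOY3Il4WTGg3wmtq6WAgLkVXQnhIpGDdYAflpAVeMKil8Z46BGIh
KQGngL2PjWdhMVLlRTB/01nVSKSEk2jhO8+7yLOY1MoGIvwAEF4CL1lAjov8U4XG
NfQldSWT1o8z9sDeGsGSf5DAXpcccx0gCyk90HFJxhbm/vTxjJgchUFro/0goVpB
credpKxtkwBMuCzeSyDnkQft0eLtZ9b9Q4+ZNDWsPPKxo/zWHm6Pa/4F4o2QKvPC
Px9x4fm+/xHqkhkR79LxJ+EHzQ==
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {"2.5.4.3": "Common Name", "2.5.4.10": "Organization",
             "2.5.4.11": "Organization Unit", "2.5.4.7": "Locality", "2.5.4.8": "State",
             "2.5.4.6": "Country", "1.2.840.113549.1.9.1": "Email"}
SIG_ALGS = {"1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
            "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256")}
DIGEST_INFO = {"sha1": bytes.fromhex("3021300906052b0e03021a05000414"),  # RFC 8017 9.2 note 1
               "sha256": bytes.fromhex("3031300d060960864801650304020105000420")}

def pem_to_der(pem):
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))

def read_tlv(data, pos):
    """Parse the DER tag-length-value at pos; return (tag, value, end offset of the TLV)."""
    tag, length, hdr = data[pos], data[pos + 1], 2
    if length & 0x80:                                   # long form: the next n bytes hold the length
        n = length & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), hdr + n
    start = pos + hdr
    return tag, data[start:start + length], start + length

def children(value):
    """Split a constructed value (SEQUENCE/SET contents) into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                                   # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def verify_pkcs1_v15(n, e, sig, signed, hash_name):
    """RSA verify: sig^e mod n must equal 00 01 FF..FF 00 || DigestInfo || H(signed)."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, signed).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def parse_csr(pem):
    _, body, _ = read_tlv(pem_to_der(pem), 0)           # CertificationRequest ::= SEQUENCE
    (_, info), (_, sig_alg), (_, sig_bits) = children(body)
    _, _, info_end = read_tlv(body, 0)
    signed = body[:info_end]                            # the signature covers the whole certificationRequestInfo TLV
    _, (_, name), (_, spki), *_ = children(info)        # version, subject, subjectPKInfo, attributes
    subject = {}
    for _, rdn in children(name):                       # Name = SEQUENCE OF RDN (SET)
        for _, atv in children(rdn):                    # AttributeTypeAndValue = SEQUENCE { OID, value }
            (_, oid), (_, val) = children(atv)
            subject[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = val.decode("utf-8")
    _, (_, pk_bits) = children(spki)                    # BIT STRING: unused-bits byte, then RSAPublicKey
    (_, n_raw), (_, e_raw) = children(children(pk_bits[1:])[0][1])
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")
    alg_name, hash_name = SIG_ALGS[decode_oid(children(sig_alg)[0][1])]
    country = subject.get("Country", "")
    warnings = [] if len(country) == 2 and country.isascii() and country.isalpha() and country.isupper() \
        else ["Country must be a two-letter ISO 3166-1 alpha-2 code"]
    return {"subject": subject, "key_bits": n.bit_length(), "signature_algorithm": alg_name,
            "signature_valid": verify_pkcs1_v15(n, e, sig_bits[1:], signed, hash_name),
            "warnings": warnings}
```

Run `parse_csr(CSR_PEM)` and compare the subject with what you intended to order before sending the request to a CA; a wrong Country code shows up in the warnings list, and a `signature_valid` of False means the request was corrupted in transit (a pasted CSR with stray spaces or a missing line is the usual cause) or was not signed by the key it carries.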

Once the CSR is generated you can apply for the certificate. During this process the Certification Authority (CA) validates the data you entered and, after successful verification, issues an SSL certificate containing your data, which lets you use HTTPS. The issued certificate is installed on the server next to the private key generated together with the CSR; it is only usable with that key, so do not delete or regenerate the key between ordering and installing. After that you are ready to provide an encrypted connection between your website and the client's browser.

What data does the SSL certificate contain?

The certificate stores the following information:


What are certificate authorities (CA)?

This is an organization entitled to issue digital certificates. It verifies the data in the CSR before issuing a certificate. For the simplest certificates only control of the domain name is checked; for the most expensive ones a series of checks is made on the organization requesting the certificate. We will discuss this below.

So the difference between a free self-signed certificate and a paid certificate issued by a certificate authority is precisely that the data in the certificate has been verified by the CA, and visitors to a site using such a certificate will not see the huge full-screen error.

Generally speaking, SSL certificates contain and display (at least one of) your domain name, your organization name, your address, city and country. The certificate always has an expiration date and identifies the certification authority responsible for issuing it. When the browser connects to a protected site it receives the site's SSL certificate and performs a number of checks: whether the certificate has expired, whether it was issued by (chains up to) a certificate authority the browser trusts, and whether the name in the certificate matches the site it is being used on.

If any of these checks fails, the browser displays a warning telling the visitor that the site's connection is not trusted. It offers to leave the site or to continue, but with great care. This is the last thing you want your potential customers to see.

There are quite a few certification authorities; here is a list of the most popular:
Comodo - operating since 1998, headquartered in Jersey City, New Jersey, USA.
GeoTrust - founded in 2001, sold to VeriSign in 2006; headquartered in Mountain View, California, USA.
Symantec - the former VeriSign certificate business, which includes GeoTrust; Symantec acquired it in 2010.
Thawte - founded in 1995, sold to VeriSign in 1999.
Trustwave - operating since 1995, headquartered in Chicago, Illinois, USA.

As you can see, the largest player on the SSL certificate market is Symantec, which owns the three largest certificate authorities: Thawte, VeriSign and GeoTrust. (This was the picture when the post was written; Symantec's certificate business was later sold to DigiCert, and browsers no longer trust certificates issued under the old Symantec roots.)

Is there a difference in which certificate authority to order a certificate?

The main differences between certification authorities are the price of their certificates and the number of browsers in which their root certificate is installed. After all, if a browser does not have the root certificate of a given CA, a visitor using that browser will still get an error when opening a site with a certificate from that CA.
As for the CAs listed above, their root certificates are installed in practically 99.99% of browsers in use.

To see which root certificates your browser trusts, find the corresponding option in its settings (in Chrome at the time: Settings -> Show advanced settings -> Manage certificates -> Trusted Root Certification Authorities). Chrome lists more than 50 such root certificates.

An important point: clients often run into a situation where the SSL certificate is installed on the server, yet the browser still shows an error when opening the site. This usually happens because the intermediate certificates of the issuing CA are missing from the chain the server sends (the ca-bundle.crt file), or because that chain contains an outdated root or intermediate certificate. Root certificates also have their own expiry dates (in browsers they are updated together with the browser).

Since July 2010 certification authorities have switched to 2048-bit RSA keys, so for all new certificates to work correctly you need to install the new root and intermediate certificates.
If the new ones are not installed, some browsers may fail to recognize the certificate correctly.
Links to the CA pages where the new root certificates can be downloaded are given below.

RapidSSL Certificate

GeoTrust SSL Certificates

Thawte SSL Certificates

VeriSign SSL Certificates

It is not worth buying certificates directly from the certification authorities: the price for end users is significantly higher than for partners, and closing such a purchase with your accounting department is also harder. It is most advantageous to buy through partners, who purchase certificates in bulk at special prices and can therefore sell them much cheaper than the CA itself.

So we have come to the types of SSL certificates.

What types of SSL certificates are there?



Certificates differ in their properties and in their level of validation.

Types of certificates by type of validation



We will deal with them in order:

Certificates confirming the domain only

These are the simplest certificates, and your choice if you need a certificate urgently, since they are issued automatically and instantly.
For validation, an email with a special link is sent; clicking the link confirms the issuance of the certificate.

The important point is that this email can only be sent to the so-called approver email, which you specify when ordering the certificate. There are requirements on this address: it must either be in the same domain for which you are ordering the certificate, or be listed in the domain's whois record.
If you use an address in the certificate's own domain, it cannot be an arbitrary one; it must match one of these:
admin@
administrator@
hostmaster@
postmaster@
webmaster@

One more important point: certificates with instant issuance are sometimes selected, at random, for an additional manual check by the Certificate Authority. So always remember that there is a small chance your certificate will not be issued instantly.

SSL certificates with domain validation are issued once the certification authority has verified that the applicant controls the specified domain name. No information about the organization is verified, and none appears in the certificate.

Certificates with organization validation

Such a certificate will already indicate the name of the organization. An individual cannot obtain one. The issuance time is usually 3 to 10 working days, depending on the certification authority.

OV certification process

After receiving a request to issue a certificate with organization validation, the certification authority checks whether the organization named in the CSR really exists and whether the specified domain belongs to it.

What is checked in such cases?

Different certification authorities check slightly different things, so here is a general list of what may be checked or requested:

  1. Presence of the organization in international yellow pages directories; not all certification authorities check this.
  2. Presence of your organization's name in the domain's whois record; this is always checked, and if the name is not listed there you will most likely be asked for a letter of guarantee stating that the domain really belongs to the organization, and sometimes for confirmation from the registrar.
  3. The state registration certificate is required less and less; more often checks are now made through special companies that confirm the organization exists through their own channels. For Ukraine, for example, the check can be made against the EDRPOU database.
  4. An invoice from the telephone company showing your organization's name and the telephone number given in the order, which confirms that the phone number is genuine. Required less and less.
  5. A test call: increasingly the phone number is verified by calling the number given in the order and asking for the employee listed as the administrative contact. Not all certification authorities have Russian-speaking staff, so warn whoever answers the phone that a call from an English-speaking company is possible.

Certificates with extended validation

These are the most expensive certificates and the hardest to obtain. They come with the so-called "green bar": when a visitor opens a site with such a certificate, the browser's address bar shows a green field with the name of the organization that received the certificate. (Browsers have since removed this special EV indicator from the address bar, though EV certificates are still issued.)

This is how it looks on Thawte's website.


Such certificates enjoy the highest level of trust among the more advanced visitors to your site, because the certificate shows that the company really exists, has been fully vetted, and really owns the site.

SSL certificates with Extended Validation (EV) are issued only after the Certificate Authority (CA) has confirmed in two separate checks that the organization has the right to use the specific domain, and has thoroughly vetted the organization itself. The process of issuing EV certificates is standardized and must strictly follow the EV guidelines created by the CA/Browser Forum in 2007. They set out the steps the certification authority must take before issuing an EV certificate:
  1. Verify the legal, physical and operational existence of the subject.
  2. Verify that the organization's identity matches official records.
  3. Verify that the organization has the exclusive right to use the domain named in the EV certificate.
  4. Verify that the organization has properly authorized the issuance of the EV certificate.


The list of what exactly is checked is the same as for certificates with organization validation.

EV certificates are used by all types of businesses, including government and non-profit organizations. Issuance takes 10 to 14 days.

The second part of the rules concerns the certification authority itself and describes the criteria it must meet before being allowed to issue EV certificates. These are the EV audit guidelines, and compliance with them is audited every year.

Types of SSL certificates by their properties.


Normal SSL Certificates

Everything is clear here: these are certificates that are issued automatically and confirm only the domain. Suitable for all sites.
Price: from $20 per year

SGC certificates

Server Gated Cryptography certificates, with support for "enhanced" encryption. They exist for very old browsers that could only negotiate 40- or 56-bit export-grade encryption; with such a certificate the encryption level is forcibly raised to 128 bits.
In all this time we have sold no more than one such certificate. In my opinion they are no longer needed, except perhaps for internal use in large corporations where very old hardware survives.
Price: from $300 per year.

Wildcard certificates

You need one when, in addition to the main domain, you also need encryption on all subdomains of that domain. For example: there is the domain domain.com and you need the same certificate on support.domain.com, forum.domain.com and billing.domain.com.

Tip: count the subdomains for which you need a certificate; sometimes it is cheaper to buy several ordinary certificates separately.
Price: from $180 per year. As you can see, with fewer than 9 subdomains it is cheaper to buy regular certificates, although a single wildcard is more convenient to manage.

SAN certificates

Useful when you want one certificate for several different domains (typically hosted on the same server). Such a certificate usually includes 5 domains, and the number can be increased in increments of 5.
Price: from $395 per year
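Before counting subdomains for a wildcard or paying for SAN slots, it is worth checking exactly which hosts a given set of certificate names would cover, because the wildcard rule is narrower than people expect. The following is an added example, not code from the original post: it applies the matching rule browsers use today (RFC 6125 style), where a name matches exactly or a `*` standing alone as the left-most label matches exactly one label, so `*.domain.com` covers `support.domain.com` but neither the bare `domain.com` nor `dev.api.domain.com`. The domain names are constructed for illustration.

```python
"""Which hosts does a certificate actually cover? Added example, not code from
the original post. It applies the matching rule browsers use (RFC 6125 style):
a name matches exactly, or a wildcard standing alone as the left-most label
matches exactly one label. The domain names are constructed for illustration."""


def _labels(name):
    # case-insensitive, trailing dot ignored: "WWW.Domain.com." -> ["www", "domain", "com"]
    return name.lower().rstrip(".").split(".")


def hostname_matches(cert_names, hostname):
    """True if hostname is covered by one of the certificate's names (CN or SAN entries)."""
    host = _labels(hostname)
    for name in cert_names:
        pat = _labels(name)
        if pat == host:                       # exact match
            return True
        # wildcard: only as the whole left-most label, never for a bare TLD like *.com,
        # and it covers exactly one label (no "a.b.domain.com", no bare "domain.com")
        if pat[0] == "*" and len(pat) >= 3 and len(pat) == len(host) and pat[1:] == host[1:]:
            return True
    return False


def uncovered(cert_names, hostnames):
    """The hosts from the list that the certificate would leave without a valid name."""
    return [h for h in hostnames if not hostname_matches(cert_names, h)]


if __name__ == "__main__":
    wanted = ["domain.com", "www.domain.com", "support.domain.com", "forum.domain.com",
              "billing.domain.com", "dev.api.domain.com"]
    for names in (["*.domain.com"], ["www.domain.com"], ["domain.com", "*.domain.com"]):
        print(names, "leaves uncovered:", uncovered(names, wanted))
```

Feed `uncovered()` the list of hosts you need and the names you plan to order; anything left in the result needs either its own certificate or an extra SAN entry. Note that a wildcard alone never covers the bare domain, so a site served on both `domain.com` and `www.domain.com` needs `domain.com` as a separate name.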

EV certificates

These are the certificates with extended validation and the green bar in the browser, which we talked about above. They can only be obtained by a legal entity: a commercial, non-profit or government organization.
Price: from $250 per year.

Certificates with IDN support

Not all certificate authorities mention this option in the certificate description, and not all certificates work with IDN domains. Therefore I will simply list here the certificates that have such support:

How to choose the cheapest certificate?

GeoTrust has the cheapest SAN certificates. Domain-validated certificates and wildcards are best priced at RapidSSL. EV certificates are also cheapest at GeoTrust. SGC certificates are offered only by Thawte and VeriSign, and Thawte is cheaper.

What else distinguishes the certificates from one another



Useful utilities:


  1. OpenSSL - the most common utility for generating the private key and the certificate request (CSR).
    http://www.openssl.org/
  2. CSR Decoder - a utility for checking a CSR and the data it contains; I recommend using it before ordering a certificate.
    CSR Decoder 1 or CSR Decoder 2
  3. DigiCert Certificate Tester and the SSL Shopper checker - utilities for verifying the installed certificate and its chain.
    http://www.digicert.com/help/?rid=011592
    http://www.sslshopper.com/ssl-checker.html


In the following parts I will try to cover the other types of certificates.

PS: I will be happy to answer any questions about choosing an SSL certificate in the comments.
PPS: Those who want a 30% discount on SSL certificates, send me a private message.

Update: an important point is that some certificates work on the domain both with and without www, that is, one certificate is enough to protect www.domain.com and domain.com, but it must be ordered for www.domain.com.
This applies to the certificates:
• RapidSSL
• QuickSSL Premium
• True BusinessID
• True BusinessID with EV

Source: https://habr.com/ru/post/150433/

