Everything you need to know about SSL Certificates

Introduction to SSL Certificate:

SSL stands for Secure Socket Layer which was previously called TLS (transport layer security); helps to enable HTTPS with a secure padlock for your website in browsers. Nowadays, plenty of websites are being hacked and confidential data like login credentials, credit cards, and other payment-related information of the users, customers. SSL Certificate helps to enable secure communication between browsers and website servers.

To create an encrypted connection between these two devices (browser and server), a symmetric cryptography is used, so data transmitted between these two channels stay encrypted. Whenever a server or a browser creates a request for the opponent, it generates a unique key using a Public key certificate aka Digital certificate aka SSL Certificate. The receiver needs to decrypt data using a private key, which should be stored on the webserver at the time of installation of the SSL Certificate. This negotiation between server and browser called TLS/SSL handshake.

SSL TLS Handshake Ibandhu

When you purchase an SSL Certificate from the certificate authority, the initial step would be generating CSR (Certificate Signing Request) from your hosting server. Once you have your CSR you can process configuration by entering details. After finishing all steps successfully, you will be issued with SSL Certificate which will contain Private Key and Public Key and root certificate. These files will be required when you start configuring your certificate on a web server. The configuration process may defer server to server. We would also like to cover SSL certificate configuration articles in the future on Ibandhu.com meanwhile you can refer to the guides shared under the SSL configuration section in this article. You can also take the help of your SSL certificate vendor for SSL certificate set up (paid sometimes).

The public key certificate is your SSL certificate file, and the Private Key is a decryption file. You should never share your Private Key to anyone, as someone can transgress the security of your website and valuable data could be manipulated.

Opting an SSL certificate

To create a secure channel between browser to server and server to the browser you need to purchase and install an SSL certificate on your web server. People host their website on different types of servers considering their requirements like traffic flow, data to store on the website, access is given to users, etc.

Here, we are going to explain step by step guide which will help you choose the best SSL certificate for your website. Let us first discuss the types of SSL certificate Authority you can choose.

Who/What is SSL Certificate Authority (CA)?

Certificate Authority or Certification Authority is also known as CA is an individual authority, which is authorized to issue Digital Certificates to the audience around the world. Certificate Authority helps to sign a certificate which enables HTTPS in web browsers. HTTPS is a secure browsing protocol for WWW (World Wide Web) or the WEB. Certificate Authorities have to follow the guidelines issued by the CA/Browser Forum, which controls the actions of certificate authorities and different browsers around the globe.

CA/Browser Forum was organized in late 2005 with the motive of controlling threats. Browsers around the world also need to follow the guidelines of CAB Forum to minimize the risk of MITM (man-in-the-middle) attack, hacking, phishing, and other hazardous attacks.

Popular Certificate issuing Authorities around the world:

Here, we have mentioned a few popular CAs that issuing Certificates. You need to know your exact requirement before opting for an SSL certificate for your website. All Certification Authorities work on similar fundamentals and but they issue a certificate with huge damage control warranty. Few Certificate Authority gives a warranty of $1.5M, which gives a sense of relief to a popular business.

  • Digicert
  • GlobalSign
  • Godaddy
  • Comodo
  • Symantec
  • GeoTrust
  • Thawte
  • RapidSSL
  • Entrust
  • Trustwave
  • Let’s Encrypt (Free)
  • Other…

HTTPS SSL Certificate Authorities - Ibandhu

Types of SSL certificates:

So, let us quickly move to the different types of SSL certificates, kindly understand your requirements properly and choose the best Secure Socket Layer SSL certificate. Types of SSL certificates differ according to their validation process.

Domain Validation certificate:

In this type of validation, only the authority of the domain will be verified. There are certain ways to verify your domain authenticities like email verification, cname record, Text verification, and HTML verification. This verification process could be different for diverse certificate authorities. Domain Validation Certificate takes minimum time in issuance as the only the authenticity of the domain needs to be verified.

Single Domain Validation:

We are going to discover the Single Domain Certificate first. When you want to secure only domain.com or www.domain.com you need to go for a Single Domain Certificate. When you purchase an SSL certificate for your core domain like domain.com or www.domain.com everything following to .com/ will be protected. There are many options for Single Domain plus Domain Validation OR DV certificate:

  • RapidSSL Certificate
  • Comodo Positive SSL
  • Comodo Essential SSL
  • AlphaSSL Certificate
  • Thawte SSL123
  • GeoTrust QuickSSL Premium
  • GlobalSign Domain SSL
  • DigiCert Standard SSL certificate

Wildcard SSL certificate (Domain Validation):

You can also opt for Wildcard SSL under domain validation certificate where asterisk before your domain name (i.e. *.domain.com) will secure all your sub-domains with a single certificate and a single installation. You can properly understand how Wildcard SSL works, using the below image:

Wildcard SSL Certificate Ibandhu

However, when you purchase a SAN SSL certificate, by default SSL certificate vendors provide limited domains (i.e. 3 or 5 SANs) with SAN certificates, you can add up to 100 in a single certificate.

As we have seen an example, the Wildcard SSL certificate helps to protect your main domain and you’re your first-level sub-domains. Now, let’s find out the best and cheapest Wildcard SSL certificate options available on the internet.

  • AlphaSSL Wildcard
  • RapidSSL Wildcard
  • Comodo PositiveSSL Wildcard
  • Comodo Essential Wildcard SSL
  • Thawte SSL123 Wildcard
  • GlobalSign Domain SSL Wildcard
  • Digicert Wildcard SSL

PS: Wildcard SSL Certificate only secures your main domain and first-level sub-domains. It will not secure second, third, so on.., level sub-domains when you have opted for *.domain.com. To get multiple level sub-domains you should read the Multi-Domain Wildcard certificate.

Multi-Domain (SAN) SSL certificate:

If you have more than one domain to secure and all of them are different or different levels then you can simply purchase a Multi-Domain SSL certificate also known as SAN (Subject Alternative Names) that comes under Domain validation. Let us understand using image how SAN SSL Certificate will work:

Multi Domain SAN UCC SSL Certificate - Ibandhu

Let’s check options for SAN SSL Certificates:

  • Comodo UCC/SAN SSL Certificate
  • QuickSSL Premium SAN (Sub-Domains)
  • Sectigo SSL Multi-Domain

PS: This illustration shows how SAN or Multi-Domain certificate works. However, if you want to secure infinite sub-domains at multiple levels then you should select a certificate called Multi-Domain Wildcard SSL.

Multi-Domain Wildcard SSL certificate (Domain Validation):

This type of Certificate is a combination of Wildcard SSL Certificate and Multi-Domain/SAN SSL certificate. The basic fundamental of Wildcard SSL will work for multiple levels as well as for different domains. Understand the functions of Multi-Domain Wildcard SSL Certificate with the help of this image:

Multi Domain SAN Wildcard SSL Certificate Ibandhu

PS: You will have all options whatever you protect with the Multi-Domain Wildcard SSL certificate with Domain Validation.

Organization Validation certificate:

Now let us reveal information on Organization Validation SSL certificates, which are also popular as Business Validation SSL Certificates. These types of certificates are one step ahead of Domain Validation certificates. In these types of SSL Certificates, the authenticity of the business along with domain validation will be verified by Certificate Authority. For Business verification, you will have to prove your business legitimacy to CA by providing legal documents and business phone number. Organization Validation (OV) SSL Certificates generally take up to 3-5 days in issuance depending upon the substance of the documents.

Just like Domain Validation certificates, these types of certificates come with three variants, Single Domain Certificate, Wildcard SSL, and Multi-Domain SSL. Let’s check them one by one:

Single Domain Business Validation certificates:

This SSL certificate will secure only the lone domain, nevertheless before you get your certificate, your business will have to pass through a strict validation process. Let’s quickly checklist of Business/Organization Validation SSL Certificates for a single domain.

  • Comodo Instant SSL Pro
  • GeoTrust True BusinessID
  • Thawte SSL Web Server
  • GlobalSign Organization SSL
  • Symantec Secure Site
  • Symantec Secure Site Pro

Organization Validated Wildcard SSL certificates:

Under this category, you will get the advantage to protect immediate first-level sub-domains along with the main domain. Your main domain has to pass through with Organization Validation Process according to Certificate Authority, even so, your existing and prospective sub-domains at first level will not have to pass any verification process as your main domain is already verified by CA.

  • Comodo Premium SSL Wildcard
  • Comodo SGC SSL Wildcard
  • GeoTrust True BusinessID Wildcard
  • GlobalSign Organization SSL Wildcard
  • Symantec Secure Site Wildcard SSL
  • Thawte Wildcard SSL
  • DigiCert Wildcard Plus
  • GoDaddy Delux SSL Wildcard
  • Entrust Wildcard SSL

SAN with Organization Validation:

This kind of certificate helps organizations running multiple sister companies where they have multiple domains for their various businesses. Validation would be done for the parent company and sister companies would be allowed to use Multi-Domain OV Certificate, however, the validation process should be done for each domain. Let’s check examples of Multi-Domain / SAN / UCC SSL certificates under the Organization Validation process:

  • GeoTrust Multi-Domain SSL
  • GlobalSign OrganizationSSL with SAN
  • Symantec Secure Site
  • Symantec Secure Site Pro
  • Thawte SSL Web Server
  • DigiCert Unified Communications
  • GoDaddy Delux UCC SSL
  • Entrust UC Multi-Domain SSL

Extended Validation / EV SSL Certificates:

Here comes the ace of the SSL certificates – Extended Validated or EV SSL Certificate. To get this type of SSL Certificate, your company will have to pass through a strict validation process which may take a few to many days, precisely 5-15 days depending upon how substantiative you with Certificate Authority. By the time, the value of the EV SSL Certificate is going to decrease or we can say it has been decreased. As we already know, Certificate Authorities have to follow guidelines issued by CA/B Forum, accordingly, browsers are now not showing Green Address which was earlier one of the top benefits of the EV SSL Certificate. Users could recognize the authenticity of the website by simply looking at Green Bar on the top of the web browsers. Refer the image below to know, how EV SSL Certificates are used to appear in different web browsers.

EV SSL Certificate Ibandhu

So now browsers are no longer showing Green address bar so technically there is a genuine difference between Organization Validation and EV SSL Certificates except one, warranty offered by Certificate Authorities. SSL Certificate Authorities offer various amounts of warranty alongside their SSL Certificate, in case the SSL certificate gets compromised and EV SSL comes with the highest warranty.

Single Domain EV SSL:

EV SSL Certificates come with only two options, single domain, and multiple domains facility. As we already know, a single domain EV SSL Certificate works exactly like standard single domain certificates. Let’s quickly check available options of single domain EV SSL Certificates:

  • Comodo PositiveSSL EV
  • Comodo EV SSL Single Domain
  • Thawte EV SSL
  • GlobalSign EV SSL
  • Symantec Secure Site EV SSL
  • DigiCert Extended Validation SSL
  • Sectigo EV SSL

Multiple domains – SAN EV SSL Certificate:

Unlike, Single domain EV SSL Certificate, SAN EV SSL gives you comfort to protect more than one domain under the single roof. When a single particular business has multiple domains to protect with EV SSL Certificate (sometimes for sister companies), then EV SSL Multi-Domain can protect them, however, each domain has to pass through from the verification process. Let us reveal available options of multiple domains EV SSL Certificate in the market:

  • GeoTrust True BusinessID SAN EV
  • Sectigo EV Multi-Domain SSL
  • Thawte Web Server EV Certificate
  • Comodo EV Multi-Domain
  • EnterpriseSSL Pro with EV Multi-Domain
  • DigiCert Secure Site EV Multi-Domain SSL

Free SSL Certificate (Domain Validated only):

If you have a small blogging website, which is not excepting any payment and there isn’t any login option for users then you can purchase any Cheap SSL certificate. Most certificate vendors are now providing free SSL Certificates, which could actually be a trial certificate for a limited time (one to three months). You can also initiate with free certificate issuing by one of the popular CAs called Let’s Encrypt which will provide exactly the same level 256-bit encryption to your website.

Cheap SSL Certificates:

If you still have doubts in your mind about choosing the best SSL certificate option for your website then let us check the cheapest SSL Certificate options under each category. We have tried out the best to find out the cheapest available options however, it is advisable to look in Google once before buying any of the suggested products.

Single Domains security:

Domain Validated Certificate (Single Domain)

        • Comodo Positive SSL (cheapest)
        • RapidSSL

Business Validated SSL Certificate (Single Domain)

        • Comodo Multi-Domain SSL
        • InstantSSL
        • Thawte SSL WebServer (Cheapest)

Extended Validated SSL Certificate (Single Domain)

        • Comodo Positive EV SSL (cheapest)
        • Comodo EV SSL Certificate
        • GeoTrust True BusinessID EV
        • Thawte SSL Webserver EV

Wildcard SSL Certificate (Single domain and its sub-domains)

        • AlphaSSL Wildcard (cheapest)
        • RapidSSL Wildcard
        • Comodo PositiveSSL Wildcard

Multi-Domains Protection (Without Wildcard):

Domain Validated Certificate

      • Comodo Positive SSL Multi-Domain (cheapest)
      • Comodo UCC SAN SSL

Organization/Business Validated Certificate:

      • GeoTrust True BusinessID Multi Domains
      • Thawte SSL Webserver (Cheapest)
      • Symantec Secure Site

Extended Validation Certificate:

      • GeoTrust True BusinessID EV
      • Thawte SSL Webserver EV
      • DigiCert Secure Site EV

Multi-Domains Wildcard Protection:

Domain Validated Certificate

      • Comodo Positive Multi-Domain Wildcard SSL (cheapest)
      • Symantec Secure Site Multi-Domain Wildcard
      • Sectigo Multi-Domain/SAN/UCC Wildcard

Organization/Business Validated Certificate:

      • Sectigo OV SSL Multi-Domain Wildcard
      • We certainly didn’t find more suggestions for OV Multi-Domain Wildcard SSL. If you have already found then please contact the author or website owner from the contact us page.

Extended Validation Certificate:

      • EV + Wildcard option is technically not possible.

SSL Certificate Installation

The difficult phase will start once you have your certificate as you need to install a certificate on your web server. The installation process tends to defer according to server type. Technically all types of SSL certificates are designed to avoid MITM (man-in-the-middle) attacks, so hackers cannot intercept communication between browser to server and server to a browser.

Here we are going to provide installation guides for popular web servers so you can correctly generate CSR and install a certificate for your website.

Amazon Web Services (AWS)

A complete guide for SSL set up on AWS

cPanel

Generate CSR for cPanel

Install SSL on cPanel

Apache

Complete guide on HTTPS set up guide for Apache Web Server

Microsoft Exchange Server 2016

Generate CSR for Microsoft Exchange Server 2019

Install SSL on Microsoft Exchange Server 2019

Nginx

SSL Certificate Signing Request and Installation guide for Nginx

OpenSSL

Certificate Signing Request using OpenSSL

Installing a CA certificate

A little tip for you when you are generating the CSR:

We are gonna give you a little extra tip which is going to save a couple of minutes of yours.

Country: Use a valid 2-letter country-code.
State or Province: Use your state or Province name, or use the Locality name if you have none.
Locality or City: Use your city, town, or another locality name.
Company: Use your organization name.
Organizational Unit: Use your unit or department name or put NA (Not Applicable).
Common Name: Put your domain name here (i.e. domain.com) if you have your main domain to protect, or put *.domain.com (if you want to secure your main domain and first-level sub-domains with Wildcard SSL).

Testing your website:

It is always advisable to test something you have done, to know it has been done properly or not and when it comes to the protecting transactions, everything should be stalwart. So, get your website tested with this tool: https://www.ssllabs.com/ssltest/

Try to avoid every possible error so there would be a 0% chance to get someone to penetrate your place and takes control over everything.

HTTPS as a ranking signal:

From 2017, Google Chrome started showing “Not Secure” warning for non-https websites in incognito mode. So every website needs to install an SSL certificate to avoid the “Not Secure” warning in Google Chrome. Regardless you are accepting payments or not, for better visibility in popular browsers like Google Chrome, you must opt SSL Certificate.

The motto of Google is so adamant about protecting the internet from 2014. Infect from June 2014 Google announced the “HTTPs Everywhere” slogan. Check out the below video from Google:

Wrapping things up:

I Hope, we have covered all necessary information required when someone wants to set up HTTPS protection for their website. Setting up an HTTPS is really difficult for everyone but especially to someone who is primitive without having any technical acquaintances but with the appropriate study we can achieve something really subtle.

There are many SSL Certificate Authorities out there as well as the resellers; however SSL certificates are designed to protect communication between server and browser with 256-bit encryption and 2048-bit root encryption, so the brand of the certificate doesn’t really matter. The only thing matter is encryption which cannot be intercepted with a man-in-the-middle attack.