A-Z Guide on How to Choose an SSL Certificate
In digital security, understanding the purpose and specifications of products such as SSL certificates is crucial for consumers. The differences between these products are not always immediately clear, yet choosing the right option for your needs matters.
What are SSL certificates?
SSL, or Secure Sockets Layer, is the name still commonly used for TLS (Transport Layer Security), the protocol that secures communications between a website, host, or server and the end users connecting to it (or between any two machines in a client-server relationship). An SSL certificate binds a public key to a domain name (for example, Sectigo.com) and, at the OV and EV validation levels, to the organization that operates it. During the TLS handshake the server proves that it holds the matching private key, and the two sides then derive session keys that encrypt and authenticate all traffic exchanged between the server and the visitor. This protects both the confidentiality and the integrity of the transmitted information, a level of security that is crucial for businesses and enterprises alike.
Why are they important?
SSL certificates are crucial because they enable TLS, which encrypts sensitive information in transit and protects it from anyone in a position to intercept or tamper with it. Without a valid certificate a site cannot serve HTTPS at all, so its traffic travels in plaintext and an attacker on the path (a hostile Wi-Fi hotspot, a compromised router, an ISP) can read or alter it, exposing personal customer or organizational information.
Additionally, browsers now label any page served over plain HTTP as "Not secure", and a certificate that is expired, revoked, or issued for a different name triggers a full-page warning. Search engines also use HTTPS as a ranking signal. Either way, your reputation suffers and potential customers are driven away.
These issues can harm your bottom line by impacting SEO efforts and negatively affecting the overall user experience, as visitors may feel unsafe and hesitant to engage with your site.
How does SSL encryption work?
Encryption uses keys to lock and unlock information: you need the right key to "open," or decode, the secured data. TLS combines two kinds of keys, a long-lived asymmetric key pair tied to the certificate and short-lived symmetric session keys.
Each SSL certificate corresponds to a key pair:
A Public Key: Embedded in the certificate itself and sent to every visitor. Data encrypted with it can only be decrypted with the matching private key, and a signature that verifies with it can only have been made by the holder of that private key.
A Private Key: Generated together with the public key, never included in the certificate, and kept secured on the web server. It decrypts what the public key encrypted and signs the handshake so the visitor knows it is talking to the genuine server rather than an impostor.
The certificate, and therefore the public key, is published to anyone who connects, while the private key never leaves the server. The key pair is used to authenticate the server and to agree on session keys during the handshake, not to encrypt the bulk of the traffic: once the visitor has validated the certificate, both sides derive fresh symmetric session keys (always by ephemeral Diffie-Hellman in TLS 1.3, and in well-configured TLS 1.2 deployments) and protect the page data with a fast authenticated cipher such as AES-GCM. Data submitted through the site can therefore be read only by the holder of the private key, and because the session keys are ephemeral, a recorded session cannot be decrypted later even if the server's private key is stolen (forward secrecy).
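To make the key model concrete, here is an added example in Go (written for this page; it is not code from the original article or from Sectigo). It builds a hypothetical root CA and a certificate for the hypothetical host www.example.test, shows that only the private key can produce a signature that the certificate's embedded public key verifies (the same step TLS uses to prove the server's identity), and then runs the checks a browser performs before showing the padlock, which are what "a valid SSL certificate" means in the section on that topic below: a chain to a trusted root, the host name present in the certificate, and the validity period. The CA name, host names, and handshake transcript are assumptions constructed for the example; only Go's standard library is used, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names used throughout; not a real CA or site.
const (
	caName   = "Example Test Root CA"
	siteName = "www.example.test"
)
// identity pairs a private key with the certificate that carries its public key.
// The certificate is what gets published; the key is what stays secret.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// check aborts the example on any unexpected error (key generation, encoding).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key pair and a certificate for it: self-signed when issuer is
// nil (how a CA root is made), otherwise signed with the issuer's private key.
func issue(cn string, dnsNames []string, isCA bool, notAfter time.Time, issuer *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	// Random 128-bit serial, as the Baseline Requirements demand of real CAs.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames, // the names a browser matches against the URL host
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is supplied
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &identity{key: key, cert: cert}
}

// provesKeyOwnership mirrors the TLS CertificateVerify step: the server signs handshake
// data with its private key; the client checks it with the certificate's public key.
func provesKeyOwnership(id *identity) bool {
	transcript := sha256.Sum256([]byte("constructed handshake transcript"))
	sig, err := ecdsa.SignASN1(rand.Reader, id.key, transcript[:])
	if err != nil {
		return false
	}
	pub, ok := id.cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, transcript[:], sig)
}

// verify runs the checks a browser makes before showing the padlock: a chain to a
// trusted root, the host name in the SAN list, and the validity period.
func verify(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err // nil means valid for host
}

func main() {
	tomorrow := time.Now().Add(24 * time.Hour)
	root := issue(caName, nil, true, tomorrow, nil)
	site := issue(siteName, []string{siteName}, false, tomorrow, root)
	expired := issue(siteName, []string{siteName}, false, time.Now().Add(-time.Minute), root)
	selfSigned := issue(siteName, []string{siteName}, false, tomorrow, nil)
	fmt.Println("private key matches certificate:", provesKeyOwnership(site))
	fmt.Println("right host:  ", verify(site.cert, root.cert, siteName))
	fmt.Println("wrong host:  ", verify(site.cert, root.cert, "mail.example.test"))
	fmt.Println("expired:     ", verify(expired.cert, root.cert, siteName))
	fmt.Println("untrusted CA:", verify(selfSigned.cert, root.cert, siteName))
}
```

Run it with `go run .`; the three failing cases print Go's x509 error text (host-name mismatch, expired, unknown authority), which is exactly the information a browser turns into its warning page. Note that the private key appears only inside the server process: `issue` hands back the key and the certificate together, but only the certificate would ever be sent over the wire.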
When should these certificates be used?
SSL certificates should always be used when information needs to be transmitted securely. This includes:
Communications between your website and your customers’ internet browsers.
Internal communications on your corporate intranet.
Email communications sent to and from your network (or private email address).
Information between internal and external servers.
Information sent and received from IoT and mobile devices.
How to choose the right SSL certificate for your website
There are seven different types of SSL certificates available, and which one you need depends on the type of website you have. Extended Validation (EV) certificates provide the highest level of identity assurance of all the certificate types, but that level of validation is not necessary for every site. Contact our team at Sectigo if you have further questions on which type you may need.
Domain validation (DV) SSL certificates
DV SSL certificates are best for small- to medium-sized businesses seeking cost-effective security when the identity of the organization behind the site does not need to be established. Issuance requires only proof of control of the associated domain name, shown by one of the CA/Browser Forum's approved methods: responding to an email sent to a registered contact or a standard address at the domain, placing a CA-supplied token in a DNS record, or serving it from a well-known URL on the site. These certificates can be issued in minutes, enable HTTPS, and display the same padlock indicator in browsers as OV and EV certificates.
However, domain validation certificates say nothing about the legitimacy of the organization the website represents: anyone who controls a look-alike domain can obtain one. They should therefore not be used for eCommerce sites or other sites that handle sensitive information, even though the encryption they provide is identical; the difference is in identity assurance, not in the protection of the connection. They are, however, a great option for many internal sites, test servers, and test domains.
Organization validation (OV) SSL certificates
OV SSL certificates provide the same level of encryption as DV certificates but go one step further than proof of domain control. With an OV SSL certificate, the issuing Certificate Authority (CA) confirms that the business associated with the domain name is a registered, legitimate entity by checking details such as the company name, location, address, and incorporation or registration information, and records the verified organization name in the certificate's Subject, where users can see it in the browser's certificate viewer. This makes the OV certificate more suitable for public-facing websites that represent companies or organizations.
Extended validation (EV) SSL certificates
EV SSL certificates provide the highest level of identity assurance by confirming that the organization behind the website exists as a legal entity, is in good standing, and authorized the certificate request. The verified legal name, jurisdiction, and registration number are recorded in the certificate's Subject alongside the name of the issuing Certificate Authority. For this reason EV certificates are widely used for eCommerce websites. Until 2019 high-security browsers displayed the organization name in a green address bar; the major browsers have since removed that special treatment, so today the organization details are shown in the certificate viewer (reached by clicking the padlock) rather than next to the URL.
Confirmation of the website's identity, and validation of the organization, is carried out according to the EV Guidelines established by the CA/Browser Forum, a strict vetting process in use since 2007 and proven effective over more than ten years of real-world operation.
EV certificates remain the strongest choice for large businesses and eCommerce sites: they let discerning consumers confirm that a prospective transaction is with a legitimate, identified recipient and signal that the site is serious about protecting its customers' data.
Other options
Once you’ve decided on a validation level, you also need to determine if you need:
A single-domain SSL certificate: A cost-effective certificate that secures exactly one name, which can be a domain, an individual subdomain, a hostname, an IP address, or a mail server.
A multi-domain SSL certificate: Also known as a Subject Alternative Name (SAN) certificate because the additional names are listed in the certificate's SAN extension, this covers up to 250 domains with a single certificate.
A Wildcard SSL certificate: A certificate such as *.example.com that covers one main domain and any number of subdomains one label below it: www.example.com and shop.example.com, but not a.b.example.com, and not the bare example.com unless it is also listed as a SAN. Because one private key then protects every subdomain, a compromise of any host that holds the key exposes all of them, so keep the key off shared or low-trust servers.
A Unified Communications Certificate (UCC): A multi-domain SAN certificate tailored to Microsoft Exchange and Microsoft Office Communications Server deployments, where a single certificate must cover the server's external name, its internal name, and the autodiscover name. It supports as many as 100 different domains.
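Which hosts each of these shapes actually covers is decided by the browser's name-matching rules, and the wildcard and IP-address cases surprise people. The following added example (Go, written for this page; not Sectigo's code) uses crypto/x509's host-name matching, which follows the same rules browsers apply, to show exactly which hosts a single-domain, multi-domain, and wildcard name list secures. Only the certificate's SAN list is involved, so no keys are needed. The names under the reserved .test domain and the address 192.0.2.10 (a documentation range) are assumptions constructed for the example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
)

// covers reports whether a certificate whose Subject Alternative Name extension
// lists dnsNames (and, optionally, ips) is valid for host. crypto/x509 applies the
// same matching rules browsers use, so only the name list matters: no keys needed.
func covers(dnsNames []string, ips []net.IP, host string) bool {
	cert := &x509.Certificate{DNSNames: dnsNames, IPAddresses: ips}
	return cert.VerifyHostname(host) == nil
}

// Name lists modelling the three certificate shapes. All names are hypothetical,
// under the reserved .test top-level domain.
var (
	singleDomain = []string{"www.example.test"}
	multiDomain  = []string{"example.test", "www.example.test", "shop.example.test"}
	wildcard     = []string{"*.example.test"}
)

// coverage returns, for each certificate shape, the hosts it secures.
func coverage(hosts []string) map[string][]string {
	shapes := map[string][]string{"single-domain": singleDomain, "multi-domain": multiDomain, "wildcard": wildcard}
	out := map[string][]string{}
	for shape, names := range shapes {
		for _, h := range hosts {
			if covers(names, nil, h) {
				out[shape] = append(out[shape], h)
			}
		}
	}
	return out
}

func main() {
	hosts := []string{"example.test", "www.example.test", "shop.example.test", "a.b.example.test", "other.test"}
	for shape, secured := range coverage(hosts) {
		fmt.Printf("%-13s secures %v\n", shape, secured)
	}
	// An IP address in the URL is matched only against IP SANs, never against DNS names.
	fmt.Println("IP with an IP SAN:   ", covers(nil, []net.IP{net.ParseIP("192.0.2.10")}, "192.0.2.10"))
	fmt.Println("IP as a DNS name SAN:", covers([]string{"192.0.2.10"}, nil, "192.0.2.10"))
}
```

Two results are worth remembering when ordering: *.example.test does not cover the bare example.test or the deeper a.b.example.test (a wildcard matches exactly one label, on the left), and a host that users reach by IP address needs an IP-address SAN, since the IP written as a DNS name never matches.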
What Should You Look for When Choosing a Certificate Authority?
As the world’s largest commercial Certificate Authority, Sectigo®, formerly known as Comodo CA, proactively monitors for potential threats and attacks and works hand-in-hand with government agencies, browser vendors, and its customers to keep pace with an ever-changing market.
When evaluating a CA, be sure that it:
Follows CA/B Forum Baseline Requirements.
Established in 2005, the CA/Browser Forum, an industry group of Certificate Authorities and browser vendors, publishes the Baseline Requirements that each CA must meet for its roots to remain trusted in browsers. These include:
All information contained within the certificate must be validated to be true through a strict, clearly defined authentication process.
Certificates must not exceed the maximum validity period the Requirements allow (currently 398 days for a publicly trusted TLS certificate).
CAs must follow guidelines for CA security, certificate revocation mechanisms, audit requirements, liability, privacy and confidentiality, and delegation of authority.
Annual audits are crucial to CA security, yet not every CA makes them a priority. At a minimum, your CA should meet these auditing standards:
WebTrust: An internationally recognized audit standard specifically designed for CAs. It focuses on evaluating the CA’s adherence to best practices in areas such as business processes, infrastructure, and data security. A successful WebTrust audit signifies that the CA follows stringent security protocols, providing a high level of assurance to users that the CA’s certificates are reliable.
SOC 3: Service Organization Control 3 is another important audit standard, primarily concerned with the effectiveness of a CA’s controls related to security, availability, processing integrity, confidentiality, and privacy. A SOC 3 report provides a comprehensive overview of these controls, which is made publicly available, allowing consumers and businesses to make informed decisions about the security of their online communications.
Maintains membership in the WebTrust Program for CAs
The WebTrust for Certification Authorities program was developed to increase consumer confidence in the Internet as a vehicle for conducting eCommerce and to increase consumer confidence in the application of PKI technology. Sectigo, for example, undergoes an annual audit from Ernst & Young, which validates that:
The Certification Authority (CA) discloses its SSL certificate practices and procedures and its commitment to provide SSL certificates in conformity with the applicable CA/Browser Forum Requirements.
Subscriber information was properly collected, authenticated, and verified.
The integrity of keys and certificates is established and protected throughout their life cycles.
Logical and physical access to CA systems and data is restricted to authorized individuals.
The continuity of key and certificate management operations is maintained.
CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity.
The Certification Authority maintains effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements set forth by the CA/Browser Forum.
The SOC 3 report is published to confirm that the security controls for the CA’s systems have been examined by an independent accountant. Again, as an example, Sectigo undergoes an annual audit from Ernst & Young to validate that it has maintained effective controls over its system with respect to four core principles: security, availability, processing integrity, and confidentiality.
How to Determine If a Site Has a Valid SSL Certificate
A website without an SSL certificate displays “http://” before the address in the browser address bar. The prefix stands for “Hypertext Transfer Protocol,” the conventional, unencrypted way of transmitting information over the Internet, and browsers now label such pages “Not secure”. Most internet users know to look instead for “https://” and a closed padlock symbol. It pays to know what the padlock actually asserts: the connection is encrypted, and the certificate is valid for the domain shown in the address bar. It does not by itself say who operates that domain. To see that, click the padlock and open the certificate details; the organization fields in the Subject are populated only for OV and EV certificates, and the issuing CA is shown for every certificate.
Some websites also include a site seal, or trust seal, a visual indicator that the site is protected by a certificate from a recognized CA and, at the OV and EV levels, operated by a verified entity. It reassures visitors that their personal information, transactions, and purchases are encrypted in transit and reach the legitimate site owner, which increases engagement and satisfaction and builds brand awareness and preference. Because a seal is an image that any page can copy, it complements rather than replaces the browser’s own padlock and certificate viewer; a genuine seal links to a verification page hosted by the CA for that domain. Sectigo’s trust seal is a powerful indicator that your site is secure.
Other browser symbols, such as a crossed-out padlock or a warning triangle, indicate that the connection is not encrypted or that the certificate could not be validated and the site may be dangerous. This warns the user to consider visiting a different site. For serious problems, such as an expired certificate or one issued for a different name, the browser shows a full-page warning and requires the user to confirm that they want to proceed to the site anyway.
Trust Sectigo To Help You Choose The Right SSL Certificate For Your Website
Trust is everything in the world of online business. Investment in technology to protect customers and earn their trust is a critical success factor for any company that does business online or hosts an eCommerce website. The effective implementation of TLS/SSL certificates is an imperative part of website security and is a proven tool to help establish customer trust.
Sectigo is your trusted source for delivering SSL certificates that keep your site secure. Compare the different features of each type of SSL certificate and contact our team if you need more information on which type would be best for your website.