The case for single domain certificates
Single domain SSL certificates secure both the www and non-www version of a single domain. They are available in Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) options.
When it comes to securing a website with digital certificates, single domain certificates stand out as the best option since they are more secure, easier to manage and automate, and more cost-effective when compared to other options. Wildcard certificates (secure the primary domain and unlimited subdomains) and multi-domain SSL certificates (secure multiple domains) come with inherent risks that create complex management challenges and could result in significant consequences to the business.
Single domain certificates are more secure than multi-domain and wildcard
Multi-domain certificates, also known as UCC or SAN certificates, and wildcard certificates introduce substantial new risks compared to single domain certificates. These certificates increase the impact of insider, eavesdropping, and impersonation attacks.
If a private key on a multi-domain or wildcard certificate is in any way compromised, it could potentially translate into compromised security for all the domains, subdomains, and sessions covered by that certificate. For instance, a disgruntled network administrator or developer for just one of many domains in an organization could access the private key, and then share access to all applications or domains under management, leading to organization-wide damage on a number of domains.
Wildcard SSL certificates, in particular, are vulnerable to fake certificate ploys. If a cybercriminal obtains a wildcard certificate for a fictitious company, they can use that certificate to create a number of subdomains and phishing sites that impersonate the real thing. This was seen in the case of the fake Equifax site that attracted hundreds of thousands of visitors with "the same type of SSL certificate as the real version."
Single domain SSL certificates are easier to manage and automate
Even if no actual breach occurs involving wildcard or multi-domain certificates, they are still more of an administrative burden to manage compared to single domain certificates. For example, if a wildcard certificate is protecting 100 servers and three servers are compromised, an enterprise must re-protect all 100, not just the three in question. Similarly, all 100 servers’ certificates will expire on the same day, causing a deluge of work.
The private key corresponding to a multi-domain or wildcard certificate must also be copied to multiple servers and deployed in various locations throughout the network each time the certificate needs to be revoked and replaced. This extra effort is burdensome and adds up fast.
Automated Certificate Lifecycle Management (CLM) ensures certificates are deployed precisely where they should be and replaced before they expire. With single domain certificates and a CLM system in place, IT leaders can easily issue, renew, govern, manage, and automate certificates for all of their different domains and subdomains—without having to input the same information for each individual certificate manually. Enterprises will also be able to automate key rotation and other website security measures across all sites, ensuring that certificates are always up to date and compliant with regulations and industry best practices.
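The two points above (the blast radius of one compromised private key, and many servers' certificates expiring on the same day) can be checked mechanically over a certificate inventory. The script below is an added example, not Sectigo's code or part of SCM; it uses a constructed inventory of three certificates, with hypothetical serials and hostnames, and implements the usual single-label wildcard matching rule (a leading `*` matches exactly one DNS label, so `*.example.com` covers `api.example.com` but not `example.com` or `deep.internal.example.com`). It reports, per certificate, which hostnames the certificate actually covers and how many servers hold a copy of its key, and groups certificates by expiry date so that clustered renewals stand out.

```python
"""Blast-radius and expiry-clustering report over a certificate inventory.

Added example using only the standard library. The inventory below is
constructed sample data: serials, names and hosts are placeholders.
"""
from collections import defaultdict
from datetime import date

# One record per certificate: the names it asserts (subject + SANs), the
# servers that hold a copy of its private key, and its notAfter date.
INVENTORY = [
    {"serial": "01", "names": ["www.example.com", "example.com"],
     "hosts": ["web-1"], "not_after": date(2025, 3, 1)},
    {"serial": "02", "names": ["*.example.com"],
     "hosts": ["web-1", "web-2", "api-1", "mail-1"],
     "not_after": date(2025, 6, 30)},
    {"serial": "03", "names": ["shop.example.com", "pay.example.com",
                               "cdn.example.net"],
     "hosts": ["edge-1", "edge-2"], "not_after": date(2025, 6, 30)},
]

# Hostnames actually served in the estate (constructed for the example).
DEPLOYED_HOSTNAMES = [
    "example.com", "www.example.com", "api.example.com",
    "deep.internal.example.com", "shop.example.com", "pay.example.com",
    "cdn.example.net",
]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname.

    A wildcard is only honoured as the entire left-most label and matches
    exactly one label (the rule browsers apply, per RFC 6125 section 6.4.3).
    Comparison is case-insensitive; trailing dots are ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]            # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    # Must be exactly one non-empty label: no dots, nothing empty.
    return bool(leftmost) and "." not in leftmost


def covered_hostnames(cert: dict, hostnames: list) -> list:
    """Hostnames from the estate that this one certificate would authenticate."""
    return sorted(h for h in hostnames
                  if any(name_matches(n, h) for n in cert["names"]))


def blast_radius(inventory: list, hostnames: list) -> dict:
    """Per certificate: what one private-key compromise would expose.

    'hostnames' is how many served names an attacker holding the key could
    impersonate; 'key_copies' is how many servers must be re-keyed.
    """
    report = {}
    for cert in inventory:
        covered = covered_hostnames(cert, hostnames)
        report[cert["serial"]] = {
            "wildcard": any(n.startswith("*.") for n in cert["names"]),
            "hostnames": covered,
            "key_copies": len(set(cert["hosts"])),
        }
    return report


def expiry_clusters(inventory: list) -> dict:
    """Group certificates by notAfter: a cluster is a same-day renewal burst."""
    by_date = defaultdict(lambda: {"serials": [], "hosts": set()})
    for cert in inventory:
        entry = by_date[cert["not_after"]]
        entry["serials"].append(cert["serial"])
        entry["hosts"].update(cert["hosts"])
    return {d: {"serials": sorted(v["serials"]), "host_count": len(v["hosts"])}
            for d, v in by_date.items()}


if __name__ == "__main__":
    for serial, info in blast_radius(INVENTORY, DEPLOYED_HOSTNAMES).items():
        kind = "wildcard" if info["wildcard"] else "explicit"
        print(f"cert {serial} ({kind}): {len(info['hostnames'])} hostnames, "
              f"{info['key_copies']} key copies -> {info['hostnames']}")
    for day, info in sorted(expiry_clusters(INVENTORY).items()):
        print(f"{day}: {len(info['serials'])} certs expire, "
              f"{info['host_count']} servers to renew")
```

The wildcard certificate comes out with the widest exposure (every single-label subdomain, on four servers), while the single domain certificate exposes two names on one server; the expiry grouping shows that two certificates covering six servers fall due on the same day, which is the renewal pile-up the text describes.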
Single domain certificates are cost-effective
The cost comparison between single domain certificates and multi-domain or wildcard certificates is not as simple as it may appear. Considering more single domain certificates are required for any given scenario compared with multi-domain or wildcard, single domain SSL certificates may seem to come with a hefty price tag.
However, consider that a certificate authority may offer volume-discount incentives that reduce the capital outlay required. This cost reduction makes single domain certificates substantially more attractive to organizations that might otherwise default to multi-domain or wildcard types. With these incentives, many organizations will find that single domain certificates offer a better total value proposition than they originally thought.
When deciding whether to deploy single domain, multi-domain, or wildcard certificates, it’s critical to consider which option provides the lowest risk, the most streamlined approach to manage and automate, and the most favorable cost to value metrics. The choice is clear for organizations that want to achieve optimal security, management, and value: single domain certificates.
Plus, with the introduction of a CA-agnostic CLM platform, such as Sectigo Certificate Manager (SCM), enterprises can have complete visibility and control over all digital certificates from one central platform.
Learn about Sectigo’s single domain SSL certificates here or listen to Root Causes 110: Single-domain, Multi-domain, and Wildcard SSL Certificates to learn more.