Choosing the right SSL certificate

Not all SSL certificates are the same, here is a rough round-up of differences:

Verification Levels

There are three basic levels of verification: domain only, domain and business, and domain business and identity of representative. Domain only is actually quite weak authentication when you think about it, it doesn’t prove you are who you say you are or that you have the right to use the brand. However to most end-users they won’t know the difference and they will see the locked icon. Domain and business is what is typically provided, and they normally require something trivial like a corporate credit card to verify you are the business in question.

Extended Verification is the new standard that requires extra steps by the CA to verify you are actually who you say you are and are the legal entity allowed to trade under that name. See wikipedia’s entry for more details. In Firefox an EV certificate will show as a Green box slightly to the left of the URL itself with the company name.


Each SSL provider will give different Indemnity insurance should you someone else fraudulently either use your certificate or your domain coming from the same CA. I think its very rare that people actually need to go down this path

Coverage across browsers

Typically all major SSL providers will be supported on all major OSes out of the box straight away. Some may require you to serve an intermediate chain bundle, which can be a hassle.


Not all CA’s support the ability to revoke certificates – surprisingly to me when I last looked at this only a handful had certificate revocation url’s listed. If your serious about your security pick one that does have a revocation URL.


Certificates can vary wildly in cost. Consider the vendors reputation and staying power when considering a certificate, and don’t assume more cash means a better product. Consider the interface and flexibility you have in your CSR – all should support uploading a CSR directly.

Encryption Support

All modern certificates should support 256-bit encryption.


If your needs sound basic and simple, I would recommend you purchase something cheap. RapidSSL, InstantSSL, GoDaddy or any of the other large players are all fine.

If you are a bigger player, considered upgrading to a new EV certificate. It gives your site a professional look especially among internet savvy users. The process can be timing consuming so budget extra time to get an EV certificate


See also: Wikipedia Comparison of SSL certificates.

Leave a Reply

Your email address will not be published. Required fields are marked *