The differences between SSL certificate types
PKI Expert with over a decade dedicated to certificate & encryption key management.
Published:
Browse All Articles > The differences between SSL certificate types
So you need a certificate so you can offer SSL encryption. But which one should you get? There are so many choices out there!
Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Authorities (CAs). Note that vendors may use slightly different names based on their marketing. Note that this covers SSL certificates only - other certificate types will be covered in another article.
Standard SSL
Your "no-frills" cert - valid for one name. This is fine for most folks - it gets you the gold lock in the browser, gives you SSL encryption, and validates your server's identity.
EV (Extended Validation) SSL
This is similar to a Standard SSL cert, except the validation process is a little bit more involved, allowing the CA to assert more confidence in your identity. The main benefit is that EV certs will turn the address bar green in most modern browsers (IE7+, FF3, etc.) - for an example see https://www.paypal.com. The overall encryption is just the same as standard - it just makes it easier for the customer to be more confident in your identity to help prevent phishing.
UC (Unified Communications)
a.k.a. multi-domain or SAN (Subject Alternative Name)
This is a Standard SSL cert (unless specified to be EV SSL) that allows for multiple names in the same cert. This is popular for Exchange certs, but can be used for any environment. Example you can have www.domain1.com and www2.domain2.net and server1 all be valid in the same cert. Some vendors may not allow internal names or private IP addresses (e.g. 10.x.x.x or 192.168.x.x) however some do. Last I heard GoDaddy did not allow internal addresses, Comodo does - however it is always good to ask if this is a concern as policies change occasionally. The extra names are reflected in the certificate attribute on the Details tab "Subject Alternative Name".
Wildcard SSL
This is valid for *.domain.com. Note that this cuts off at the child level so it would not be valid for *.sub.domain.com - you would need a different wildcard for that. Again, these are normally Standard SSL certs unless specified as EV.
SGC (Server Gated Cryptography) SSL
This is a "step-up" cert so that you can increase the SSL encryption strength for clients that don't support your server's level of encryption. At the beginning of the decade this was used for servers that supported 128 bit but clients were stuck at lower levels like 56 bit. Now, it is coming back as some newer we servers are supporting 256 bit encryption - if the client also supports 256 then they will use that with a normal SSL cert, but if the client does not then it will step up the client for that connection to use 256 bit instead of 128. If neither end supports 256 bit, then it doesn't do any good.
2048 bit certs
This is just a normal cert of any of the above types. This just means that you can use a 2048 bit key strength for your private key because their CA is at 2048 bit or higher. Most vendors are 2048 bit now, although there are still a small number that only offer 1024 bit certs. 1024 bit is still okay, but should be migrated away from soon within the next years or two.
Side Note - Licensing:
If you install the same cert in multiple enviornments you may need to acquire extra licenses for the certificate. The policies that apply here vary greatly from per physical box regardless of sites, to how many sites are being masked regardless of physical environment. Contact the sales team for your vendor to determine the details. If it is a larger order, you may be able to get them to negotiate different terms or give discounts (e.g. Comodo will discount based on amount deposited, then you can issue certs over time and pull from that funding pool).
Suggested vendors:
There are a lot of different certificate vendors, here's my personal short list and the benefits of each:
Startcom.org
Completely free - not a free trial. Their root was added to Microsoft, Mozilla, and a lot of others throughout 2009 - for most products this is the first and only free SSL certificate provider. Great for public sites for your employees, forums, and test labs. I would wait until a couple months after the next MS service pack comes out before considering for commercial sites. Their product selection is also somewhat limited, but if you just need a Standard SSL cert you can't get any cheaper!
GoDaddy.com
GoDaddy is very inexpensive compared to the rest, have a strong list of certificate products, and have excellent "ubiquity" (how many products their root is included in by default). This is my default suggestion.
Comodo.com & GlobalSign.com
When GoDaddy doesn't cut it for older product or specialized products, GlobalSign & Comodo are usually the next best places to stop for pricing and integration.
VeriSign.com & Thawte.com
VeriSign is THE gold standard of SSL certificates. They are expensive because they have hands down the best ubiquity rating. If a product includes anybody by default, it's VeriSign. They are one of the earlier companies in this business and are the standard to adhere to for the rest. They also offer the widest range of certificates out there for specialty certificates of any kind. VeriSign also owns another top vendor, Thawte, which also has amazing ubiquity ratings - occasionally you might be able to save a little bit by going through Thawte instead of Verisign, however they are also quite expensive.
Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Authorities (CAs). Note that vendors may use slightly different names based on their marketing. Note that this covers SSL certificates only - other certificate types will be covered in another article.
Standard SSL
Your "no-frills" cert - valid for one name. This is fine for most folks - it gets you the gold lock in the browser, gives you SSL encryption, and validates your server's identity.
EV (Extended Validation) SSL
This is similar to a Standard SSL cert, except the validation process is a little bit more involved, allowing the CA to assert more confidence in your identity. The main benefit is that EV certs will turn the address bar green in most modern browsers (IE7+, FF3, etc.) - for an example see https://www.paypal.com. The overall encryption is just the same as standard - it just makes it easier for the customer to be more confident in your identity to help prevent phishing.
UC (Unified Communications)
a.k.a. multi-domain or SAN (Subject Alternative Name)
This is a Standard SSL cert (unless specified to be EV SSL) that allows for multiple names in the same cert. This is popular for Exchange certs, but can be used for any environment. Example you can have www.domain1.com and www2.domain2.net and server1 all be valid in the same cert. Some vendors may not allow internal names or private IP addresses (e.g. 10.x.x.x or 192.168.x.x) however some do. Last I heard GoDaddy did not allow internal addresses, Comodo does - however it is always good to ask if this is a concern as policies change occasionally. The extra names are reflected in the certificate attribute on the Details tab "Subject Alternative Name".
Wildcard SSL
This is valid for *.domain.com. Note that this cuts off at the child level so it would not be valid for *.sub.domain.com - you would need a different wildcard for that. Again, these are normally Standard SSL certs unless specified as EV.
SGC (Server Gated Cryptography) SSL
This is a "step-up" cert so that you can increase the SSL encryption strength for clients that don't support your server's level of encryption. At the beginning of the decade this was used for servers that supported 128 bit but clients were stuck at lower levels like 56 bit. Now, it is coming back as some newer we servers are supporting 256 bit encryption - if the client also supports 256 then they will use that with a normal SSL cert, but if the client does not then it will step up the client for that connection to use 256 bit instead of 128. If neither end supports 256 bit, then it doesn't do any good.
2048 bit certs
This is just a normal cert of any of the above types. This just means that you can use a 2048 bit key strength for your private key because their CA is at 2048 bit or higher. Most vendors are 2048 bit now, although there are still a small number that only offer 1024 bit certs. 1024 bit is still okay, but should be migrated away from soon within the next years or two.
Side Note - Licensing:
If you install the same cert in multiple enviornments you may need to acquire extra licenses for the certificate. The policies that apply here vary greatly from per physical box regardless of sites, to how many sites are being masked regardless of physical environment. Contact the sales team for your vendor to determine the details. If it is a larger order, you may be able to get them to negotiate different terms or give discounts (e.g. Comodo will discount based on amount deposited, then you can issue certs over time and pull from that funding pool).
Suggested vendors:
There are a lot of different certificate vendors, here's my personal short list and the benefits of each:
Startcom.org
Completely free - not a free trial. Their root was added to Microsoft, Mozilla, and a lot of others throughout 2009 - for most products this is the first and only free SSL certificate provider. Great for public sites for your employees, forums, and test labs. I would wait until a couple months after the next MS service pack comes out before considering for commercial sites. Their product selection is also somewhat limited, but if you just need a Standard SSL cert you can't get any cheaper!
GoDaddy.com
GoDaddy is very inexpensive compared to the rest, have a strong list of certificate products, and have excellent "ubiquity" (how many products their root is included in by default). This is my default suggestion.
Comodo.com & GlobalSign.com
When GoDaddy doesn't cut it for older product or specialized products, GlobalSign & Comodo are usually the next best places to stop for pricing and integration.
VeriSign.com & Thawte.com
VeriSign is THE gold standard of SSL certificates. They are expensive because they have hands down the best ubiquity rating. If a product includes anybody by default, it's VeriSign. They are one of the earlier companies in this business and are the standard to adhere to for the rest. They also offer the widest range of certificates out there for specialty certificates of any kind. VeriSign also owns another top vendor, Thawte, which also has amazing ubiquity ratings - occasionally you might be able to save a little bit by going through Thawte instead of Verisign, however they are also quite expensive.
PKI Expert with over a decade dedicated to certificate & encryption key management.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)