What level of SSL certificate do I need for my website?

What level of SSL certificate do I need for my website? It's a site that sells insurance policies for students.

We've been buying the Symantec DigiCert. Renewing for 2 years will cost $700. I have a feeling this is a waste of money, but I'm not sure. Here's what they say it offers:

RSA algorithm
Norton™ Secured Seal
Daily website malware scan
Symantec Seal-in-Search™

Transactions take place on the website, not on another domain, such as PayPal's.

I DO want people to feel secure when purchasing over the site. But can I achieve essentially the same benefit with either a free or less expensive SSL certificate?


Jonathan Greenberg Asked:
Russ Suter (Senior Software Developer) Commented:
$700 for 2 years sounds very expensive. It should be less than $100 per year.

Free? There is one that I found that's free for 90 days. Otherwise, you'll need to pay for a certificate that is signed by a trusted authority. It needs to be a 2048-bit or better certificate. Most of the extra cost comes from add-on features that aren't often necessary. Check whether or not you're buying a wildcard certificate or just a URL certificate. If you only need the certificate for a single URL then you can save money that way. Also, if you don't need an EV (extended validation) certificate you can save more money.

All that being said, I did find this that looks promising:

And if you're looking for the free 90 day certificate:

Jonathan Greenberg (Author) Commented:
That was a super-helpful answer, Russ. Thanks!

I'm looking now at this one, which also offers business validation, which I think is a good thing; and the green address bar thingie, which is just kinda like "why not?".


And at $200, it's STILL so much less than what we've been paying.
Russ Suter (Senior Software Developer) Commented:
Well, here's my take on extended validation certificates.

Most of your target audience probably won't appreciate or even notice it.

That being said, for those who do notice it you will gain an extra level of trust because the user can be sure that not only is the connection secure but the company on the other end is exactly who they say they are.

Extended validation basically means your company goes through additional background checks to validate that you're legit. If it's in your budget it's not a bad thing to have. If you're selling insurance policies it might be a good idea.
Jonathan Greenberg (Author) Commented:
And the lovely people at pcicompliancemanager.com (Sysnet), who scan and validate my site for PCI DSS Compliance, won't care that the certificate is issued by Comodo rather than Symantec, right? I'll bet that's right, as technically it's offering the same level of protection.
Russ Suter (Senior Software Developer) Commented:
PCI DSS has no requirement about who issued the SSL certificate. As long as it meets the minimum strength (2048 bit) and is signed by a trusted certificate authority you're good to go.

If it makes you feel better, I've passed several PCI level 1 audits using Comodo certificates.
btan (Exec Consultant) Commented:
Probably you can try SSLTEST online for your server and see the scoring; you shouldn't be worse off. It is also commonly used by the auditor to know how secure your certificate is. EV SSL will be good if you worry about PCI compliance, otherwise UCC can be optimal since you have just one site. The 3rd party CA wouldn't matter that much unless it is ill reputed. Symantec has fallen but I suggest you can still look at DigiCert.

Kapil Sharma (Tech Geek :)) Commented:
If you require an SSL certificate for a single domain, then check the links below according to your needs:
MASEE (Solution Guide - Technical Dept Head) Commented:
Just adding to the above.
If you are looking for a cheap certificate, please check this Comodo certificate from this site.
noci (Software Engineer) Commented:
First you have to define the certificate you need: if PCI compliance REQUIRES EV then you need EV...
If DV (Domain Validation) suffices, take your pick.

EV certificates also establish that the company running the site is who they claim to be (business license verification, Chamber of Commerce, etc. etc.); that's why it is more expensive.

For DV certificates only the domain name (ownership of either DNS or website) is tested.
They go from free (90-day validity, with fully automated renewals if set up right; check out certbot for this)
to expensive and all. The only requirement is that they are trustworthy to your organisation, to compliance agencies AND to your customers.
(Kurds most probably won't trust Turkish-signed certificates, like Arabs won't trust Israeli ones (or vice versa)... etc.)

And some background check might be needed.... WoSign / StartSSL / DigiNotar have been dropped from the certificate system, as have parts of Symantec... Comodo has had its issues, but has been responsive and cooperative with investigations, so they are still validated.
David Johnson, CD, MVP (Owner) Commented:
Certificates are ways of making money from nothing.
If you have a $100 US bill, do you care which of the 12 Federal Reserve Banks issued it (the number in black after the serial number)? For an SSL certificate the same rules apply: as long as your computer trusts the issuer, the certificate is trusted. Be it DigiCert, StartSSL, Let's Encrypt.
DV certificates are the cheapest since they require the least amount of work, i.e. email, TXT record in DNS, anything that doesn't require human intervention from the issuer.
OV (not BV) can require just a phone call.
EV may require extensive correspondence including a notarized statement that declares that the person requesting the certificate is authorized by the company.
The expense often is for added features, aesthetic ones. I.e. the certificate includes an option for the purchaser to include a link to the signer that provides an additional visible validation of the site without the need to click the lock to view the certificate; others include a block, etc.

To most users, a plain SSL certificate from any one of the many vendors would be suitable. As noted earlier, as long as the user is not prompted with a notice alerting that there is a defect with the certificate.
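As an added example, not posted by anyone in this thread, here is a small Python check of the points raised in Russ's, noci's and David's replies: it infers DV / OV / EV from which subject fields the CA populated (the EV-only field names, the classification rule and the sample certificates are my assumptions, constructed in the dict shape `ssl.getpeercert()` returns), reports days to expiry, and fetches a live certificate only after the standard library has verified the chain against the platform trust store, which is the "does your computer trust the issuer" test the thread describes. Key size is not checked here, since `getpeercert()` does not expose it.

```python
import socket
import ssl
import time

# Subject attributes that the CA/Browser Forum EV guidelines require and that
# DV/OV certificates lack; OpenSSL long names, as ssl.getpeercert() reports them.
EV_SUBJECT_FIELDS = {"businessCategory", "jurisdictionCountryName",
                     "jurisdictionStateOrProvinceName", "jurisdictionLocalityName"}

def subject_dict(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Infer DV / OV / EV from which subject fields the CA populated (assumed rule)."""
    subj = subject_dict(cert)
    if EV_SUBJECT_FIELDS & subj.keys():
        return "EV"
    if "organizationName" in subj:   # OV: organisation vetted, no EV fields
        return "OV"
    return "DV"                      # DV: only domain control was checked

def seconds_of(cert_time):
    """Parse the 'notAfter' string format used by getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)

def days_until_expiry(cert, now_seconds=None):
    """Whole days left; negative means the certificate has already expired."""
    now_seconds = time.time() if now_seconds is None else now_seconds
    return int((seconds_of(cert["notAfter"]) - now_seconds) // 86400)

def fetch_cert(host, port=443):
    """Fetch the live leaf certificate after the default context has verified the
    chain; an untrusted issuer or name mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() dict form (not real ones).
SAMPLE_EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),),
                (("businessCategory", "Private Organization"),),
                (("organizationName", "Example Insurance LLC"),),
                (("commonName", "www.example.com"),)),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
SAMPLE_DV_CERT = {"subject": ((("commonName", "www.example.com"),),),
                  "notAfter": "Mar  1 12:00:00 2020 GMT"}
```

Run `validation_level(fetch_cert("your.host"))` against a live server to see which level a CA actually issued; a failed trust check raises before any classification happens.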
Jonathan Greenberg (Author) Commented:
I've gone ahead and purchased the Comodo EV Certificate, from namecheap.com. Thanks so much to all who weighed in!