Buy from the highest-rated provider   Buy SSL.com Certificate x

Choosing the Right Certificate Authority

A Certificate Authority (CA) issues SSL certificates to organizations or individuals after completing a verification process. Each Certificate Authority has different products, prices, certificate features, and levels of customer satisfaction, but there are only a handful of things you need to look at when deciding which one to use. Because most Certificate Authorities offer products with similar features, the most important thing to compare when deciding on a Certificate Authority include customer service, price, and security reputation.

Customer Service

Even if you are an expert server administrator, you're likely to need a little help from time to time when deploying SSL certificates. Choosing a Certificate Authority with great customer service and simple management interfaces will make your job much easier.  The best way to determine the quality of a CA's customer service is reading our Certificate Authority Reviews.

Price

Some CAs are free and some charge up to $1500 for a single certificate lasting a single year. When you are paying more, you are generally paying for a better brand, better support, and better tools but the free certificate will enable the same encryption that the $1500 one does. You will generally want to choose the lowest price that meets your needs in terms of customer support, brand, and interface usability.

Security Reputation

All Certificate Authorities must pass several audits and are therefore secure in theory. However, there have been many smaller and larger CAs that have made critical security errors so we know they aren't all equally secure. Thawte, VeriSign, StartCom, Comodo Resellers like CertStar, and DigiNotar have all had security breaches of varying degrees. You'll want to keep an eye on SSL News to determine if a Certificate Authority might not be putting the security of their own systems as a priority.

Other Issues

  • How quickly new techonologies are adopted. Internet security is constantly changing and improving. As new weaknesses are discovered, it is important to work with a provider who places a priority on adapting and adding improved features like Certificate Transparency, certificate pinning, and newer algorithms like SHA-2 and ECDSA.
  • Brand. Will your customers trust you more if they see the name of a certain CA on your website. Most visitors don't care but this could potentially be an issue with certain user bases.

What You Don't Need to Compare

  • Browser Compatibility. All the Certificate Authorities listed on this site will work on all modern browsers. This is even the case for newer CAs because they will cross-sign their certificates from an older CA to increase compatibility. However, if you run a service with massive amounts of traffic (think Google or Facebook) which might include a few users with antiquated technology (like Blackberry, early versions of Android, or Windows 98), an older CA might allow those users to access your service. This generally isn't even desirable though because it opens up the user of old vulnerable software to other attacks. You are doing yourself and your users a favor by encouraging them to upgrade to modern browsers and devices.
  • Certificate Features. Nearly all certificate features across CAs are the same. They enable the same level of encryption. So forget about special sounding features like SGC.

Public Key Infrastructure or PKI is a complicated concept that involves the hardware, software, policies, and standards that are necessary to manage SSL certificates to secure a network. A PKI lets you:

  • Authenticate users more securely than standard usernames and passwords
  • Encrypt sensitive information
  • Electronically sign documents more efficiently

 Originally posted on Fri Oct 7, 2016

Comments


C.L.(2017-05-03)

Some things are missing in this list. For example
* CA Transparency support: www.certificate-transparenc...
* ECC support (it's smaller and faster)
* SAN name support at no extra charge (www.domain.com and domain.com)

In addition there are some privacy preserving features in OCSP that fix CRL issues.

We will be blogging about this shortly at https://direct-trust.info

Advertisement • Hide