Everyone who runs a public website needs to protect its online communications by acquiring a publicly trusted SSL/TLS certificate. Beyond securing online transactions, SSL certificates bring several advantages: branding, a higher level of trust in the user's domain, interoperability, and integrity of the communication between endpoints, to name a few.
However, you need a deeper understanding of SSL certificates to choose the right kind of protection from the many available options.
Online security is a sensitive matter, and the CA Security Council (CASC) is an advocacy group devoted to it. The following paragraphs walk through the selection process recommended by CASC step by step.
Step One - Registration of the domain
Public websites are protected by obtaining a publicly trusted SSL certificate, and the domain must be registered in the first place. Domain registration is essential to the domain verification process, in which the CA checks who owns the domain. The fact that you were able to obtain a public domain for your website is what establishes the site as a registered one.
Non-registered domains - Names that are not registered fall under the heading of internal server names. An internal server name is an IP address or a domain name that belongs to a private network. These can be:
• A server name whose suffix is not a public domain name
• Short host names or NetBIOS names that are not part of a public domain
• An IPv4 address from the RFC 1918 range
• An IPv6 address from the RFC 4193 range
Certificate Authorities are not allowed to issue publicly trusted SSL certificates containing reserved IPs or internal server names, for the simple reason that many companies may use the same internal server names. A CA could therefore never establish that a single company owns such a name.
Securing internal server names - Communication between internal servers that use internal server names cannot be secured with a publicly trusted SSL certificate. The only plausible solution is to establish an internal CA that is capable of issuing such certificates.
Such an arrangement can be highly resource intensive and may require in-depth technical expertise. A few CAs, however, are able to issue SSL certificates for internal server names.
Since these certificates are issued from a private (non-public) root, they do not have to adhere to the rules for public certificates and can include reserved IPs and internal server names, sparing you the hassle of issuing self-signed certificates or operating your own CA.
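As an added example (not from CASC or the original article), the following Python script sorts a candidate list of names into those a public CA could verify and those that fall under the internal-server-name rules above. The sample names, the RFC 1918 / RFC 4193 ranges and the list of non-public suffixes are assumptions for illustration; a production check would consult the Public Suffix List.

```python
import ipaddress

# Constructed sample of names an administrator might try to put into one certificate.
CANDIDATE_NAMES = [
    "www.example.com", "mail.example.com", "intranet.example.local",
    "fileserver", "DBSRV01", "10.0.0.5", "172.20.4.9", "192.168.1.20",
    "fd12:3456:789a::1", "203.0.113.10",
]

# Address space a public CA must refuse: RFC 1918 (IPv4) and RFC 4193 (IPv6 ULA).
RESERVED_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Assumed suffixes treated as internal; a real check would use the Public Suffix List.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".corp", ".lan", ".intranet")


def classify_name(name: str) -> str:
    """Return 'ok' if a public CA could verify the name, otherwise the reason it cannot."""
    value = name.strip().lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None                      # not an IP literal, treat as a host name
    if ip is not None:
        if any(ip in net for net in RESERVED_NETWORKS):
            return "reserved IP address (RFC 1918 / RFC 4193)"
        return "ok"
    if "." not in value:
        return "short host name or NetBIOS name"
    if value.endswith(NON_PUBLIC_SUFFIXES):
        return "non-public domain suffix"
    return "ok"


def split_for_public_ca(names):
    """Partition names into those a public CA can issue for and those needing an internal CA."""
    eligible, internal_only = [], {}
    for name in names:
        reason = classify_name(name)
        if reason == "ok":
            eligible.append(name)
        else:
            internal_only[name] = reason
    return eligible, internal_only


if __name__ == "__main__":
    ok, rejected = split_for_public_ca(CANDIDATE_NAMES)
    print("request from public CA:", ok)
    for name, why in rejected.items():
        print(f"internal CA only: {name} ({why})")
```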
Step Two - Determining the proposed level of trust
Every SSL certificate is designed to secure the session and encrypt the information handled by the website. There is, however, a vast difference in how much identity information is included in the certificate and displayed in browsers.
These differences are marked by trust levels: the highest is offered by Extended Validation (EV), followed by Organization Validated (OV) and Domain Validated (DV), in that order.
The important question is which trust level your certificate should carry. To answer it, you need to decide what level of trust you want to convey to visitors.
You need to establish whether linking your brand identity to your web presence matters to you. This includes whether you want your brand to appear clearly in the browser's address bar or only inside the certificate. Let us examine each trust level for a better understanding.
EV (Extended Validation) certificates - Extended Validation certificates are designed to include data about the organization. An EV certificate is issued only to companies that satisfy the most stringent requirements of any type of SSL certificate.
The green address bar with a padlock that prominently displays your company's name is meant to lend the highest level of credibility to your website, in addition to verifying your organization's credibility.
Such a clearly visible indication of security and credibility increases visitors' trust by establishing that your site is legitimate and trustworthy. Needless to say, such proof of credibility is likely to win more conversions and greater customer trust.
OV (Organization Validated) certificates - Although Organization Validation certificates authenticate the business, that information is accessible only by viewing the certificate details. It is not directly visible, as it is with an Extended Validation certificate.
DV (Domain Validation) certificates - Domain Validation certificates provide the most basic level of security: they carry minimal business identity information and establish only that the applicant has administrative control over the domain. They are certainly effective at securing the session, even though no information about the company is available. The certificate does not vouch for ownership of the domain by any particular organization.
Step Three - Number of domains to be protected
Single domain protection - If you plan to secure a single domain, a standard certificate will suffice. You can still select the trust level according to your preferences and security requirements.
You may also secure multiple sites that cater to different geographical regions. This can be achieved by purchasing a multi-domain certificate or a wildcard certificate. A more cost-effective and easily managed alternative is to list the fully qualified domain names in one certificate; this also makes renewal more convenient.
Securing multiple domains - Several domains are easily secured with a multi-domain certificate, which covers a number of domains with a single certificate. The certificate includes these domains as Subject Alternative Names, hence the name 'SAN certificates'.
Protecting multiple sub-domains - Sub-domain certificates are available at the EV, OV, or DV level. Sub-domains can be secured with a single certificate, either a wildcard or a multi-domain certificate. The choice depends on the trust level and the total number of sub-domains to be protected. A wildcard certificate is preferred for a large number of existing and planned sub-domains; for a limited number of sub-domains, a multi-domain certificate should be chosen.
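As an added example (not from CASC or the original article), this Python script turns a host inventory into a certificate plan along the lines of Step Three: a wildcard where one domain has many sub-domains, a SAN list where it has few. The inventory, the threshold of four hosts and the two-label registrable-domain rule are assumptions; the matching rule that a wildcard replaces exactly one leftmost label follows RFC 6125, so the apex name and deeper sub-domains must still be listed as explicit SANs.

```python
from collections import defaultdict

# Constructed inventory: many hosts under example.com, only two under example.net.
INVENTORY = [
    "example.com", "www.example.com", "shop.example.com", "api.example.com",
    "mail.example.com", "cdn.example.com", "status.example.com", "dev.api.example.com",
    "www.example.net", "blog.example.net",
]

# Assumed rule of thumb: from this many hosts under one domain, a wildcard is easier to manage.
WILDCARD_THRESHOLD = 4


def wildcard_covers(pattern: str, host: str) -> bool:
    """Browser-style match: '*' stands for exactly one leftmost label (RFC 6125 rules)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and p[1:] == h[1:]


def registrable_domain(host: str) -> str:
    """Assumption for this example: the registrable domain is the last two labels.
    Production code should consult the Public Suffix List (co.uk needs three labels)."""
    return ".".join(host.lower().split(".")[-2:])


def plan_certificates(hostnames, threshold=WILDCARD_THRESHOLD):
    """Return, per registrable domain, the certificate shape and the names it must carry."""
    groups = defaultdict(list)
    for host in hostnames:
        groups[registrable_domain(host)].append(host.lower())
    plan = {}
    for domain, hosts in groups.items():
        if len(hosts) >= threshold:
            pattern = f"*.{domain}"
            # A wildcard covers one label only: the apex and deeper hosts
            # must still be listed explicitly as extra SANs.
            extra = sorted(h for h in hosts if not wildcard_covers(pattern, h))
            plan[domain] = {"type": "wildcard", "names": [pattern] + extra}
        else:
            plan[domain] = {"type": "multi-domain (SAN)", "names": sorted(hosts)}
    return plan


if __name__ == "__main__":
    for domain, entry in plan_certificates(INVENTORY).items():
        print(f"{domain}: {entry['type']} certificate with names {entry['names']}")
```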