Why are there so many different kinds of Certificates?
The simple truth is marketing. Do you need to have higher confidence in a web site or certificate? Not really! Why spend more money on the same security result? The Certificate Authorities (CAs) want you to believe in higher levels of verification and trust. Do not believe the hype! The TLS connection is encrypted with the same algorithms whether the certificate cost $8 or $800; the extra money buys a different identity check on paper, not different cryptography on the wire. Certificates are used for secure communication and not just for web sites: they sign and encrypt Security Assertion Markup Language (SAML) assertions, protect Lightweight Directory Access Protocol (LDAP) connections (LDAPS), and secure so many more areas. We will also address the difference between a public PKI and a private (internal) Public Key Infrastructure (PKI).
Zombiesecured.com uses an $8/year certificate and is in the top 1% for security standards on the internet. Unless you are a well-known household name conducting e-commerce transactions, no one "needs" a green bar or extended validation certificate. Even then, you truly do not need one, and since 2019 Chrome and Firefox no longer display the green bar at all; an EV certificate now shows the same padlock as any other. Certificate Authorities (CAs) have marketed to the consumer that when you do not see a green bar, it is a questionable site. While security is of the utmost importance, unless you know the difference, most people and corporations will spend more in the belief that they are lowering their risk. We are here to dispel the myths!
Certificate Authorities are a business, but we are not fans of attention-grabbing commercials and advertisements that have little to do with the product or service itself. We will only address three certificate types, since the rest of the "levels" of certificates are a waste of time and money!
What are the general certificates securing web-based communications?
- Domain Validation (DV) – Certificates that are issued within minutes because only control of the domain is verified, by a DNS record, a challenge file served from the web site, or an email to the domain. These would be used for everything except e-commerce. Appears with the standard padlock in the browser address bar.
- Extended Validation (EV) – Both the legal identity of the business or organization and the domain are verified for legitimacy, and it can take weeks to verify everything! This certificate was historically distinguishable by the green bar with the company name displayed; current versions of Chrome and Firefox (since 2019) no longer show it, so there is no longer any visible difference from a DV certificate. This certificate is the one generally accepted for e-commerce.
- Wildcard – Not a validation level but a name scope that can be issued at DV or OV: the domain and its sub-domains are covered by a single certificate. Example - *.zombiesecured.com covers web.zombiesecured.com, mail.zombiesecured.com, zombiesnail.zombiesecured.com and so on - One Certificate to rule them all! Two caveats: the wildcard stands in for exactly one label, so it does not cover a.b.zombiesecured.com, and it does not cover the bare zombiesecured.com unless that name is added as a Subject Alternative Name (most CAs include it). One certificate also means one private key copied to every host that uses it, so protect it accordingly.
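The name-matching and validation-level checks described above, as an added example that is not part of the original page: a client decides whether a certificate name covers the host it connected to (the wildcard rules browsers apply), and the validation level (DV, OV, EV) can be read from the CA/Browser Forum policy OIDs in the certificatePolicies extension. The SAN list mirrors the page's *.zombiesecured.com example and is constructed; no network access is needed.

```python
"""Added example (not from the original page): wildcard name matching and
validation-level classification for TLS certificates.

The sample SAN list below is constructed. The policy OIDs are the
CA/Browser Forum reserved identifiers that public CAs place in the
certificatePolicies extension for each validation level.
"""

# CA/Browser Forum reserved certificate policy OIDs.
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",     # Extended Validation
    "2.23.140.1.2.1": "DV",   # Domain Validated
    "2.23.140.1.2.2": "OV",   # Organization Validated
    "2.23.140.1.2.3": "IV",   # Individual Validated
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a DNS name from the certificate covers ``hostname``.

    Implements the wildcard rules browsers and the CA/Browser Forum apply:
    the wildcard must be the whole leftmost label, it matches exactly one
    label, and it never matches the bare domain or a nested sub-domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the entire leftmost label: "*.example.com", never "w*.example.com".
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse "*.com"-style patterns that would cover a whole top-level domain.
    if len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one non-empty label.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def validation_level(policy_oids) -> str:
    """Classify a certificate's validation level from its policy OIDs.

    A public CA's certificate carries the CA/Browser Forum OID for the level
    it was issued at, alongside CA-specific OIDs that are ignored here. If
    several are present, the strongest level wins.
    """
    found = {CABF_POLICY_OIDS[o] for o in policy_oids if o in CABF_POLICY_OIDS}
    for level in ("EV", "OV", "IV", "DV"):
        if level in found:
            return level
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: the page's wildcard certificate, with the bare
    # domain added as an explicit SAN the way CAs normally issue it.
    wildcard_sans = ["*.zombiesecured.com", "zombiesecured.com"]
    for host in ["web.zombiesecured.com", "zombiesnail.zombiesecured.com",
                 "zombiesecured.com", "a.b.zombiesecured.com"]:
        print(f"{host:32} covered={cert_covers(wildcard_sans, host)}")
    print("level:", validation_level(["2.23.140.1.2.1"]))
```

Drop the bare `zombiesecured.com` entry from the SAN list and the third host stops matching, which is the wildcard caveat in practice; `a.b.zombiesecured.com` never matches because the wildcard consumes only one label.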
***Caution*** - Use only well-known and TRUSTED Certificate Authorities, since not all are created equal. There have been Certificate Authorities in recent years that did not practice appropriate security measures and issued problematic certificates. This misuse and mistrust placed many people, companies, and the internet in a dire state. Several CAs were distrusted by the browser and operating-system vendors, and every certificate they had issued had to be replaced immediately: everyone using certificates from these companies had to go to another Certificate Authority and have their certificates reissued. Who would have thought you were at risk of being hacked because of your Certificate Authority and not a misconfiguration in your setup? One safeguard you control yourself: publish a DNS CAA record naming the CAs allowed to issue for your domain. Publicly trusted CAs are required to check it before issuing, so a request at any other CA is refused.
Who do we recommend for Certificate Authorities (CA) and why?
- Top free recommendation - Let's Encrypt - Free certificates! - Yes, they have great procedures on how to use their service, and yes, it is totally free.
  - Why are we not using them for this site?
    - They have great documentation with procedures - but we are tackling the use of non-free certificates.
    - Not everyone knows about them.
  - We highly recommend them and use them for numerous other sites!
  - Our recommendations are our opinions - and we are not compensated for such opinions - Just our two cents
- Top paid recommendation - Cheap SSL Shop
  - The certificates used for this site were purchased through them - DigiCert (RapidSSL) for RSA and Sectigo for Elliptic Curve (ECDSA).
  - Their interface is horrible. Sorry, but it is ...however
  - Their support, prices, and ease of obtaining the certificates are the best
  - No headaches or hassles for numerous re-issues (Tested 12 re-issues in one day with no issue)
  - Again, our recommendation and we are not compensated for such opinions - Just our two cents
- Other certificate companies
  - The certificate company where you are paying for their marketing (they have race cars and all sorts of other expenses)
    - Their services focus on non-technical folks needing help
    - Their services are drastically more expensive than most, but they will get you there in the end
    - Our opinion and we are not compensated for such opinions - Just our two cents
  - The certificate company with the word "Cheap" in it (who doesn't like to save money, right?)
    - Sometimes their prices and support are not cheap and can take a lot of your time
    - A number of them do not support Elliptic Curve (ECDSA) certificates
    - Our opinion and we are not compensated for such opinions - Just our two cents
- What about going direct to the Certificate Authorities (CAs) - the Sectigos (previously Comodo), DigiCerts, and Entrusts of the world?
  - It is the same certificate in the end as from all of the resellers of their certificates
  - Certificates are VERY expensive going direct
  - The only time we recommend going direct is when a corporation wants to issue its own internal certificates from a private (internal) PKI rather than from the public one
  - Validation levels (DV, OV, EV) mean nothing for internal corporate use; the CAs do not sell them for a private CA, and nothing inside your network checks them
  - A private PKI actually provides better security for internal systems: its root is not in any public trust store, so only the machines you have deployed it to trust its certificates, and no public CA can issue a certificate for an internal name that your systems will accept. The trade-off is that the root key becomes the most valuable secret on the network; keep it offline or in an HSM, because anyone who obtains it can mint a certificate that every internal system trusts
  - Our opinion and we are not compensated for such opinions - Just our two cents
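A minimal private PKI of the kind described above, as an added example that is not part of the original page or any CA's tooling. It assumes the `cryptography` package is installed, builds a private root, issues an internal server certificate from it, and shows that the leaf verifies only against that root: a lookalike root with the same name but a different key is rejected. The names (Zombie Internal Root CA, intranet.zombiesecured.internal) are constructed.

```python
"""Added example (not from the original page): a minimal internal PKI using
the ``cryptography`` package (assumed installed). Names are constructed.

It creates a private root, issues an internal server certificate, and
checks that the leaf chains to that root and not to a lookalike root.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(common_name: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _validity(days: int):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now, now + datetime.timedelta(days=days)


def make_private_root(common_name: str):
    """Self-signed root CA. In a real deployment the key stays offline or in an HSM."""
    key = ec.generate_private_key(ec.SECP256R1())
    start, end = _validity(3650)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(end)
        # CA:TRUE with pathlen 0: this root signs leaves only, no sub-CAs.
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=False, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=True, crl_sign=True,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_server_cert(root_key, root_cert, hostname: str):
    """Issue a short-lived internal server certificate carrying a DNS SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    start, end = _validity(90)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(hostname))
        .issuer_name(root_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(end)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(root_key, hashes.SHA256())
    )
    return key, cert


def issued_by(leaf, root_cert) -> bool:
    """Check the leaf's issuer name and signature against one trusted root.

    This is the core of chain validation; a full client additionally checks
    validity dates, name constraints, key usage and revocation.
    """
    if leaf.issuer != root_cert.subject:
        return False
    try:
        root_cert.public_key().verify(
            leaf.signature,
            leaf.tbs_certificate_bytes,
            ec.ECDSA(leaf.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return True


def san_dns_names(cert):
    """DNS names from the SubjectAlternativeName extension."""
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


if __name__ == "__main__":
    root_key, root = make_private_root("Zombie Internal Root CA")
    _, leaf = issue_server_cert(root_key, root, "intranet.zombiesecured.internal")
    # Same name, different key: what an attacker without the root key can forge.
    _, lookalike = make_private_root("Zombie Internal Root CA")
    print("trusted by our root:     ", issued_by(leaf, root))
    print("trusted by lookalike root:", issued_by(leaf, lookalike))
```

The lookalike check is the point of the section above: a private certificate is only as trustworthy as the root key that signed it, so distributing the root certificate is routine while the root key must never leave the CA host.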