SSL server certificates are mandatory for finance, e-commerce, and any site that wishes to protect data in transit. Tied to a fully qualified domain name, they also provide a level of non-repudiation. SSL in its more modern incarnation, transport layer security (TLS), is a very effective layer of security.
A quick Google search for “web server certificate” or “ssl certificate” returns companies that sell basic level certificates from USD$50 (GoDaddy) to USD$700 (rest of prices in the article are in USD) for a standard single domain and single server two year certificate. Granted, these are retail prices, but most systems engineers or security staff only deal with obtaining these certificates once every couple of years.
A better place to get competitive pricing for the major brands such as VeriSign, Thawte (part of VeriSign), GeoTrust, and RapidSSL (also part of VeriSign, see a trend here?) is from “The SSL Store”. This chart shows the breakdown of various vendors.
So, why do companies fork out $695 to VeriSign when they can get literally the same product for $540 from The SSL Store, or as low as $220 for a GeoTrust issued certificate?
The Past
Way back in the mid to late 90s we were provisioning e-commerce sites at a furious pace. A key for order conversion was to prevent any pop-up or alert from hitting the user’s browser. And with the concerns of credit card information, encryption alerts were B-A-D.
Back then, our browser selection was limited. Internet Explorer 4 through 6 were the major players, but there was also Netscape Navigator, Opera, and a bunch of smaller market share browsers. Each browser or operating system had a list of “trusted” certificate authorities. Browse to an HTTPS site where the certificate was signed by one of these and you were golden.
Limited Selection
Ask anyone from 1997 to 2003 where they got their certificates from and most likely it would be VeriSign, Network Solutions, GeoTrust, or maybe even Equifax (now part of GeoTrust). Security staff saw nothing wrong with ponying up $1,300 for a certificate per year. The CFO might take exception, but it was, and is, a cost of doing business.
Branding
VeriSign has done a fabulous job in keeping market share. They continue to compete with products, acquisitions of other Certificate Authorities (Thawte, Equifax and RapidSSL), and hammer the market with advertising. If you look at the market share statistics at Netcraft, you see that VeriSign leads the pack in the higher-trust products (low to high: domain only -> organization validated -> EV).
Another reason VeriSign has such a high market share may be due to Certificate Authority policies and reviews. The due diligence, audits, and processes to perform higher end Extended Validation reviews may require good organizational controls by the Certificate Authorities.
Does the Issuing Certificate Authority Matter?
I remember when I first found out about Thawte, the South African Certificate Authority. Certificates at 50% or less of VeriSign's price and easier organization validation processes. When I first proposed to replace around 30 certificates with Thawte-issued ones, the savings were around $30,000/year. There were concerns about potential browser conflicts or savvy users calling in to complain, so we did the migration slowly for the first batch of load-balanced web front-ends. In the end, there was not a single complaint or issue.
The market has normalized on certificates at varying trust levels:

| Trust level | What it establishes |
|---|---|
| Self-signed | No Certificate Authority involved, used for encryption where non-repudiation is not required |
| Domain verified | Certificate Authority issued to the authorized party of a domain name (e.g. gavinadams.org) |
| Organization verified | Certificate Authority issued to an authorized company or organization (e.g., the certificate can be assigned to Newco Inc.) |
| Extended Validation Certificate | Certificate that establishes legal identity to a much higher degree. Supported browsers clearly identify the web site (see PayPal example). |
With the exception of self-signed certificates, I contend it doesn’t matter if a domain or organization verified certificate comes from VeriSign, StartCom, or GoDaddy. And since Extended Validation (EV) certificates require the 20-odd Certificate Authorities to follow the same practices, there are few reasons not to choose on price or convenience.
What to Look for in a Good Certificate Authority Issuer
Depending upon your needs, who you give your certificate business to depends upon:
- Cost
- Locality
- Ease of Managing Certificates
- Stability
- The Extras – seals, insurance, etc.
Cost
Not necessarily the top of everyone’s list, but even Fortune 500 companies like to save costs. Look for Certificate Authorities that use resellers. Do they accept credit cards, company invoices, or other methods of payment? Are the prices competitive?
Locality
Does the Certificate Authority have a presence where you are located? If you’re in Bermuda, it’s nice to know that a major Certificate Authority, QuoVadis, is just down de road. You may find VeriSign has a great North American and European support organization, but isn’t as well versed in South America.
Ease of Management
Personally, besides cost, the validation process and how easy it is to request, download and manage the [re]issuance process is key. Some of the SSL resellers have convoluted sites. Others, such as StartCom’s StartSSL, take the meaning of the word “bespoke interface” to new heights! (But their pricing model is unique and very cost effective.)
Play around with various sites and talk to the staff to see just how hard it is to perform the domain or organization validation process. Some resellers have automated processes for domain-only validation while others need to make telephone calls or use some other method of authentication.
Stability
How long has the Certificate Authority been in business, and what is the risk they may suddenly close up shop and turn off the certificate revocation list (CRL) distribution points? Granted, the risk is limited to the duration of the certificates issued by them, but you would still have to pick a new Certificate Authority and replace them.
The Extras
These are bits that to me don’t mean much of anything. Look at these features a VeriSign Secure Site certificate gets you:

And look at company that uses them but still only uses a “blue bar” (domain validation) certificate:

Nowhere on Amazon.com’s site do they mention VeriSign. Even going into the Help section shows limited search results:

So unless you want to put up a seal and advertise for a Certificate Authority, the only extra that may have value is the insurance, and most companies will have much better umbrella policies than the CAs provide.
Selecting a Certificate Authority Do’s and Don’ts
Do’s
- Buy from a reseller or discount provider – They either represent top brands, or in the case of GoDaddy, simply have cheap prices. I’ve used NameCheap, RapidSSL (via reseller), Enom, and GoDaddy.
- Take advantage of multi-year deals and discounts for certificates – Some providers will give certificates for free if you host a domain with them.
- Take advantage of wildcard and subject alternative name (SAN) certificates – If you are protecting more than a couple of domains, a wildcard certificate can be very cost effective. The same holds true for SAN certificates. Beware the costs as you add additional servers or domain names.
- Export and back up the certificate – Make sure the private key and certificate are exported and stored somewhere safe. Some Certificate Authorities can reissue a certificate, but why pay for something that should already be good system practice (backups)?
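Two of the Do’s above (check what a wildcard or SAN certificate actually covers before paying for it, and back up the key and certificate together) can be exercised with the openssl command line. The script below is an added example, not code from the article: it creates a throwaway self-signed certificate standing in for a CA-issued one (the hostnames, paths and passphrase are all constructed for the demo), uses `openssl x509 -checkhost` to show which names the SAN list covers, then bundles key and certificate into a password-protected PKCS#12 file and proves the backup restores the same key.

```shell
#!/bin/sh
# Added example (not from the article): exercise two of the "Do's" with the
# openssl CLI. 1) See exactly which hostnames a wildcard/SAN certificate
# covers before paying for it. 2) Back up the private key and certificate
# together as one PKCS#12 bundle and prove the backup restores the same key.
# All names, paths and the passphrase below are constructed for the demo.
set -eu

# Build a throwaway key and self-signed certificate carrying the SAN list a
# reseller might quote you. Constructed test material, not a CA-issued cert.
make_test_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,DNS:*.shop.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 if the certificate is valid for the hostname, 1 otherwise.
# openssl applies the same rule browsers do: a wildcard covers exactly one
# label, so *.shop.example.test covers a.shop.example.test but neither
# shop.example.test nor a.b.shop.example.test. When a SAN list is present
# the CN is ignored, which is also what modern browsers do.
cert_covers_host() {
    cert=$1; host=$2
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q ' does match '
}

# Print "hostname yes|no" for every hostname given after the certificate.
coverage_report() {
    cert=$1; shift
    for h in "$@"; do
        if cert_covers_host "$cert" "$h"; then echo "$h yes"; else echo "$h no"; fi
    done
}

# Bundle key + cert into one password-protected .p12 so the pair is never
# separated in backups; chmod keeps it readable only by the owner.
backup_bundle() {
    key=$1; cert=$2; out=$3; pass=$4
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "server-backup" \
        -out "$out" -passout "pass:$pass"
    chmod 600 "$out"
}

# SHA-256 of the DER-encoded public key: lets us compare keys without
# ever diffing private key material.
pubkey_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Restore key and cert from the bundle, then confirm the restored key is
# the original one and still belongs to the restored certificate.
verify_bundle() {
    bundle=$1; pass=$2; orig_key=$3
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
        -out "$tmp/restored.key" 2>/dev/null
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nokeys \
        -out "$tmp/restored.crt" 2>/dev/null
    ok=1
    restored_fp=$(pubkey_fingerprint "$tmp/restored.key")
    [ "$(pubkey_fingerprint "$orig_key")" = "$restored_fp" ] || ok=0
    cert_fp=$(openssl x509 -in "$tmp/restored.crt" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ "$cert_fp" = "$restored_fp" ] || ok=0
    rm -rf "$tmp"
    [ "$ok" = 1 ]
}

# Run as: sh cert_dos.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_cert "$work"
    coverage_report "$work/server.crt" www.example.test example.test \
        a.shop.example.test shop.example.test a.b.shop.example.test
    backup_bundle "$work/server.key" "$work/server.crt" "$work/backup.p12" "demo-passphrase"
    verify_bundle "$work/backup.p12" "demo-passphrase" "$work/server.key" && echo "backup verified"
    rm -rf "$work"
fi
```

The coverage report is the part worth running against a real quote: paste the SAN list a reseller offers into the `-addext` line and you will see, before buying, that `*.shop.example.test` does not cover the bare `shop.example.test` and that a second-level name like `a.b.shop.example.test` needs its own entry. The bundle check compares public-key fingerprints rather than private key files, so it can be scripted into a backup job without copying private material around. `-addext` needs OpenSSL 1.1.1 or later.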
Don’ts:
- Buy directly from a major brand – I wonder how many people actually do buy directly from VeriSign instead of a reseller.
- Break the usage agreement – If the agreement says you pay for each physical or virtual server the certificate is used on, then pay the provider or look to one that allows multi-server use.
- Base selection just on price – Certain usage patterns may place convenience or the locality of a Certificate Authority over price.
Conclusion
Hopefully this article has presented some information to help people select an appropriate Certificate Authority and save some money. Looking back on the hundreds of certificates I’ve purchased personally and for clients, prices continue to be driven down towards zero. What cost $1,300 in 1997 now costs $9 to $11.
And as prices drop on domain and organization certificates, the browser vendors and Certificate Authorities continue to develop “new-and-improved” products at higher prices. What do the Certificate Authorities have in store for us once the price of EV certificates has fallen?