SSL certificates Types

Started by Jeoffroi, Nov 05, 2022, 12:58 AM

Previous topic - Next topic

JeoffroiTopic starter

So, the first and easiest way to get a certificate for your site is to buy it. To do this, you can contact any certificate issuing center and order a certificate from them, providing information during the order process that will be checked.
Depending on your goals and ambitions, you can choose a paid certificate with different types of data verification:

D — certificates with domain verification. When registering such a certificate, only the domain name is checked. This is the easiest to design and cheapest type of SSL certificates. Any organization and any individual can buy such an SSL certificate. When ordering a certificate, you must specify an "E-mail address for confirmation" in the certified domain name: a letter will be sent to this address to confirm "domain ownership". That is, if a domain certificate is issued , then sert. the center will provide a choice of several boxes, which can be specified in the verification data, for example , and others.

The specified address must necessarily exist, all letters with instructions from the certification center will be sent to this E-mail. At the same time, it is impossible to issue certificates for domains whose names contain hints of bank, finance and other suspicions of "phishing". If you need a certificate for the domain of a credit institution, then the registration of such a certificate only with the verification of the organization. A site with such a certificate will show a "green lock" in the browser's address bar (different browsers have different ways).
Types of SSL certificates and the difference between them Informative, Hosting, IT, Ssl, Long-post

D+O — certificates with domain and organization verification. In this case, not only the domain name is checked, but also the domain belonging to the specified organization. When visiting a site protected by such a certificate, the name of the organization will be displayed in the address bar of the browser. Before registration, it is necessary to make sure that the domain name was registered to the organization, and not to an individual, for example, to the director or system administrator of the company. In addition, for some types of certificates, you will need to fill out a form with the details of the organization to verify them by the certification center.

IDN (Internationalized Domain Names) — support for national domains. Support for domains with non-Latin characters. If you have a domain for example in the zone .RF, then this type of certificates is your choice.

EV (Extended Validation) — extended validation. Such certificates receive the highest trust from browsers. For this type of certificates, a full check of the organization is carried out, including mandatory filling in forms with company data, certified by signature and seal. But such a "complex" design gives the highest level of trust, as evidenced by the "green address bar" in the browser of the site visitor, which indicates that the site has passed a serious check and all data transmitted between the visitor and the site is securely protected.
Types of SSL certificates and the difference between them Informative, Hosting, IT, Ssl, Long-post

WildCard — subdomain support. The Wildcard certificate can be used on all subdomains (subdomains) of the domain name. One such certificate will be valid on domains , , etc. without any restrictions on the number of subdomains.

SGC (Server Gated Cryptography) — a high level of encryption. Certificates with the support of a forcibly high level of encryption provide the highest possible level of encryption, regardless of the types and versions of client browsers. If the user uses an older version of the browser that supports only 40 or 56 bit encryption, then when using an SGC certificate, the connection will still use 128 (or more) bit encryption.

SAN/UCC (United Communications Certificate) — multi-domain certificates. SAN SSL certificates, also known as Unified Communication Certificates (UCC), are ideal for Microsoft Exchange products, as well as for protecting multi-domain projects. Such certificates protect all domains, subdomains, and local names described in the application using only 1 certificate.
In addition to the depth of data verification, different types of certificates give different insurance indemnities. This should be told separately.

Each paid certificate implies the presence of insurance. The insurance covers the financial risks of the site visitor. For example, the certificate guarantees insurance compensation in the amount of $10,000. This means that if such a certificate is installed on the domain, and a visitor to the domain site has suffered any financial losses due to hаcking of the certificate key as a result of operations on the site, then such losses will be covered by the certification center up to $ 10,000.

In practice, I personally do not know of a single case when such compensation would have been paid. And it's not that SSL is such a harsh technology that it's impossible to crаck the keys, and, consequently, to spy on encrypted traffic. Rather, it is very difficult to prove that this happened. Even when a catastrophic vulnerability in the SSL protocol was announced a couple of years ago, which was called "HeartBleed", there was no information about any refunds.
Types of SSL certificates and the difference between them Informative, Hosting, IT, Ssl, Long-post

I also want to note that most often you will not get the lowest price for a certificate directly from cert. Because they, as well as in the situation with domains, receive hellish discounts due to wholesale purchases, and, accordingly, can offer a lower price than the cert themselves. centers.

The second way to get a certificate is a little more complicated. You can generate it yourself. To implement it, you will need at least a command line of any unix system, a couple of hours of "smoking" the Internet at the request of "Generating an SSL certificate on our own", and then a couple of simple commands on the command line.
As a result, a set of files will be obtained, which can later be used to connect the certificate to the site domain.

In addition to the obvious disadvantage of having to perform some independent gestures, in the end it turns out that in order to work with a site using such a certificate, the user will also have to click a couple of buttons in the browser once again.

This will happen due to the fact that brazors have their own database of certification centers, whose certificates they trust. A self-issued certificate is called a "self-signed certificate". The certification center in this case is the computer on which the certificate was issued. Accordingly, the browser does not trust this computer. Therefore, the browser will display a message about the absence of certificate verification. Personally, I would recommend using such certificates only for your own needs, but still use certificates from trusted certs on the Network. centers.
Types of SSL certificates and the difference between them Informative, Hosting, IT, Ssl, Long-post

A couple of years ago, a group of Internet companies cooperated and created their own lunapark certification center, which issues free certificates for everyone. The center is called "Let's Encrypt". Each certificate issued by them passes Type D verification, is valid for 90 days, and after this period can be reissued free of charge. The number of reissues is not limited.
It is such a certificate from Let's Encrypt that I advise almost everyone who is faced with the need to use SSL.

To independently issue such a certificate, you need to download some software from the organization's website and run it. Answer a few questions that the software will ask, and wait for the certificate files to be received.
Don't consider it an advertisement. The project does not receive any financial benefit from the issuance of such certificates. The group of companies only advocates for a secure Internet.

Now many hosting providers have integrated the functionality of issuing and reissuing such certificates in automatic mode. For example, the hosting panel in our company with the latest update from the developers received new buttons that allow you to get a certificate for the site domain within a few minutes.
Types of SSL certificates and the difference between them Informative, Hosting, IT, Ssl, Long-post

The reissue is done automatically, so once you issue such a certificate, you can forget about the insecure connection with your project altogether. It remains only to transfer the domain site to work with the secure https protocol.

A small bonus. Which certificate should I choose for my project? Everything is quite simple here.
It all depends on what exactly you need a certificate for? A free certificate from Let's Encrypt is now suitable for most users.
If you need a certificate for the website of a financial institution, then you need to think about a paid certificate with a minimum D+O verification level.

All other certificates are:

1. Your ambitions - the green address bar in the browser is nothing more than a show-off

2. Financial opportunities.

3. Technical necessity - sometimes it is easier to pay for a multi-domain certificate than to issue a certificate for each domain used.


please tell me, is it possible to configure certificate receipt using ddns domain noip?
I have a self-signed certificate to access nextcloud on the server, and I want browsers not to swear and everything was clear.
I also bought a domain name and rented a vps (they made me a certificate from letsencrypt there), but I want all my data to be on my server and not on the vps.
When registering a domain type it gives an error.
    The following users thanked this post: Sevad


And what kind of business tasks do you need an EV certificate for? Business is different.
An online store is also a business, but payment aggregators, who a year ago did not want to work with sites using free Let's Encrypt certificates, are now reconsidering their position.
Speaking from the point of view of the end user, what does the green signature in the address bar give me? The encryption level remains the same.

Only if the banking website. There are requirements for it from, for example, the central bank, foreign partners, etc., etc. Only they themselves do not know why this green signature is needed.
It's just supposed to be according to the regulations. But it sometimes costs $10K . And why?


in general, if you sum it up, it turns out:

— the certificate is needed to encrypt the data given by the user to the server (site).
— the reliability of encryption does not depend in any way on how the certificate was obtained (self-generated and received from the public CertAuthority are generated using the same algorithm)
— a certificate issued by one of the well-known CA is good because it confirms that the encryption key that offers you to use a certain https://сайт , really issued to this site (domain owner).
— in addition, the condition for issuing a signed certificate may be proof of identity, confirmation of contacts (address/ tel/mail), confirmation of company registration, confirmation of the right to conduct business, and others.
— the price of a signed certificate depends on the number of checks/data that are necessary to obtain this certificate. That's why there are different prices for certificates.