Started by Henri O`neill, Dec 01, 2022, 11:55 PM

Hi all. I would like to touch on the topic of SSL certificates. Usually people ask: "where to buy an SSL certificate?" or "where can I rent hosting with a domain and an SSL certificate?". At the same time, everyone forgets, or maybe doesn't know, that certificates are of different types and give different feedback and reputation.

Let's start with a simple one - a DV SSL certificate. Essentially a basic certificate that can be seen on 70% of sites. The certificate information (shown when you click to the left of the site name) says that the site is protected and you can safely store various data.

OV SSL certificate. It is similar to the previous one; however, in addition to the basic information, information about who issued it is also displayed (this is similar to searching for a whois domain registrar).

EV SSL. The highest level of certification. This type of certificate implies a tooltip showing to whom the certificate is issued and more subtle work certificates. This type of certificate implies a better trust history with clients.

Others include certificates for subdomains (WSSL), which are issued to owners of site copies on subdomains of the main site, and are purchased as an addition to the main certificate.

The categories of the multidomain group stand apart. They protect subdomains of subdomains of different sites (in principle, this is necessary when the owner has a whole network of sites).

And now the most important thing - are they reliable? Essentially not, but if the owner has an OV or EV SSL, then the site owner is trusted a little more, although this often only applies to business.
If you have something to add - go ahead.

I think that there is no sense at all in going into the jungle of these certificates. I mean, a basic, simple SSL certificate is enough. If you look at all the sites that are present in a particular sector, then the statistics will be disappointing - about 65% of the sites do not have it either. Of course, most of these sites are not comic - without support and advertising, so it is unprofitable for them to pay not only for hosting, but also for a certificate (for example, this forum is dnray.com). The SSL certificate is primarily a sign that indicates whether it is worth storing banking data here or not.


If you do not go into the deep technical nuances of the ECC, RSA or DSA algorithms, then significant differences between them can hardly be detected. All these encryption algorithms comply with modern Internet security standards.
The only thing worth paying attention to here is the procedure for generating a public/private key pair required to sign your certificate.

Many providers offer so-called online CSR request generators. To generate the request, such services also have to create a public/private key pair for you. The latter is confidential and should not be passed on to third parties.
But compliance with this requirement will make the work of CSR generators technically impossible, so the service will somehow have access to your secret key file. If this fact is critical for you, generate the request yourself. If it is preferable for you to use an online CSR generator, choose only proven services and pay attention to the authenticity of the service website.

Often, for an SSL certificate, the vendor provides such a parameter as a financial guarantee. This means that the certification authority guarantees with money that it is impossible to install its certificate on an unauthorized site.
If a website user suffers financially as a result of fraud around an SSL certificate, the certification authority undertakes to reimburse this user for his losses within the amount specified in the guarantee. Such cases are practically excluded, but nevertheless, the presence of such a guarantee characterizes the certification authority well.
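
An added example (not part of the posts above) of the "generate the request yourself" option from the last post: the key pair is created locally and only the CSR is sent to the certificate vendor. It assumes the OpenSSL command-line tool is installed; the function names and the domain `shop.example.test` are made up for illustration.

```shell
#!/bin/sh
# Added example: create the key pair and CSR locally so the private key
# never leaves this machine. "shop.example.test" is a constructed name.

# make_csr DOMAIN OUTDIR -> writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
make_csr() (
    domain=$1 dir=$2
    umask 077                      # files created here are owner-only
    mkdir -p "$dir" || exit 1
    # Explicit request config: no prompts, CN plus a matching SAN entry.
    cat > "$dir/$domain.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $domain
[ext]
subjectAltName = DNS:$domain
EOF
    # ECDSA P-256 private key; this file stays on the server.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/$domain.key" || exit 1
    # The CSR carries only the public key and the requested names.
    openssl req -new -sha256 -config "$dir/$domain.cnf" \
        -key "$dir/$domain.key" -out "$dir/$domain.csr" || exit 1
)

# csr_matches_key CSR KEY -> exit 0 only if the CSR's self-signature
# verifies and its public key is the one derived from KEY.
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Run as "sh script.sh demo" to try it in a temporary directory.
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    make_csr shop.example.test "$out" &&
    csr_matches_key "$out/shop.example.test.csr" "$out/shop.example.test.key" &&
    echo "send only: $out/shop.example.test.csr"
fi
```

The `.csr` file is the only thing the vendor needs; the `.key` file is later installed next to the issued certificate on the web server.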