How to decide where to purchase a wildcard SSL certificate?

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, marketing claims, and price range. I created a list to help me see past the marketing gimmicks that the greater majority of the Certificate Authorities (CAs) and resellers plaster all over their sites. In the end my personal conclusion is that pretty much the only things that matter are the price and the pleasantness of the CA's website.

Question: Besides price and a nice website, is there anything worthy of my consideration in deciding where to purchase a wildcard SSL certificate?


Solution 1:

I believe that with respect to deciding where to purchase a wildcard SSL certificate, the only factors that matter are the first year's cost of an SSL certificate, and the pleasantness of the seller's website (i.e. user experience) for the purchase and setup of the certificate.

I am aware of the following:

  • Claims about warranties (e.g. $10K, $1.25M) are marketing gimmicks - these warranties protect the users of a given website against the possibility that the CA issues a certificate to a fraudster (e.g. phishing site) and the user loses money as a result (but, ask yourself: is someone spending/losing $10K or more on your fraudulent site? oh wait, you are not a fraudster? no point.)

  • It is necessary to generate a 2048-bit CSR (certificate signing request) private key to activate your SSL certificate. According to modern security standards using CSR codes with private key size less than 2048 bits is not allowed. Learn more here and here.

  • Claims of 99+%, 99.3%, or 99.9% browser/device compatibility.

  • Claims of fast issuance and easy install.

  • It is nice to have a money-back satisfaction guarantee (15 and 30 days are common).

The following list of wildcard SSL certificate base prices (not sales) and issuing authorities and resellers was updated on May 30th, 2018:

 price |
/ year | Certificate Authority (CA) or Reseller
($USD) |
-------+---------------------------------------
    $0 | DNSimple / Let's Encrypt *
   $49 | SSL2BUY / AlphaSSL (GlobalSign) *
   $68 | CheapSSLSecurity / PositiveSSL (Comodo) *
   $69 | CheapSSLShop / PositiveSSL (Comodo) *
   $94 | Namecheap / PositiveSSL (Comodo) * (Can$122)
   $95 | sslpoint / AlphaSSL (GlobalSign) *
  $100 | DNSimple / EssentialSSL (Comodo) *
       |
  $150 | AlphaSSL (GlobalSign) *
  $208 | Gandi
  $250 | RapidSSL
  $450 | Comodo
       |
  $500 | GeoTrust
  $600 | Thawte
  $600 | DigiCert
  $609 | Entrust
  $650 | Network Solutions
  $850 | GlobalSign
       |
$2,000 | Symantec

* Note that DNSimple, sslpoint, Namecheap, CheapSSLShop, CheapSSLSecurity, and SSL2BUY, are resellers, not Certificate Authorities.

Namecheap offers a choice of Comodo/PositiveSSL and Comodo/EssentialSSL (though there is no technical difference between the two, just branding/marketing - I asked both Namecheap and Comodo about this - whereas EssentialSSL costs a few dollars more (USD$100 vs $94)). DNSimple resells Comodo's EssentialSSL, which, again, is technically identical to Comodo's PositiveSSL.

Note that SSL2BUY, CheapSSLShop, CheapSSLSecurity, Namecheap, and DNSimple provide not only the cheapest wildcard SSL certs, but they also have the least marketing gimmicks of all the sites I reviewed; and DNSimple seems to have no gimmicky stuff whatsoever. Here are links to the cheapest 1-year certificates (as I can't link to them in the table above):

  • SSL2BUY
  • CheapSSLShop
  • CheapSSLSecurity
  • sslpoint
  • Namecheap
  • DNSimple

As of March 2018 Let’s Encrypt supports wildcard certificates. DNSimple supports Let's Encrypt certificates.
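The CSR step from the second bullet above, as an added example that is not part of the original answer: generate a 2048-bit RSA key and a wildcard CSR with `openssl`, then check the key size, the wildcard SAN, and that the key matches the CSR before handing the CSR to any CA or reseller. It assumes `openssl` 1.1.1 or later on PATH; the domain and the `WORKDIR` output path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer): create a 2048-bit RSA key and a
# wildcard CSR, then verify it before submitting to a CA. Domain and WORKDIR are
# constructed placeholders; override them via the environment if desired.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-example.com}"

# Generate key and CSR in one step. The CN is the wildcard name; the SAN also lists
# the bare apex, because "*.example.com" does not cover "example.com" itself.
gen_wildcard_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/wildcard.key" \
    -out "$WORKDIR/wildcard.csr" \
    -subj "/CN=*.$DOMAIN" \
    -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN" 2>/dev/null
  chmod 600 "$WORKDIR/wildcard.key"   # private key must never be world-readable
}

# Print the RSA modulus size in bits of the public key embedded in the CSR.
csr_key_bits() {
  openssl req -in "$WORKDIR/wildcard.csr" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the CSR key is at least the given size (default 2048 bits).
check_min_bits() {
  bits="$(csr_key_bits)"
  [ "${bits:-0}" -ge "${1:-2048}" ]
}

# Succeed only if the CSR requests the wildcard name in its SAN extension.
csr_has_wildcard_san() {
  openssl req -in "$WORKDIR/wildcard.csr" -noout -text | grep -Fq "DNS:*.$DOMAIN"
}

# Succeed only if the private key on disk is the one the CSR was built from
# (same modulus); catches mixing up keys when several CSRs are generated.
key_matches_csr() {
  k="$(openssl rsa -in "$WORKDIR/wildcard.key" -noout -modulus)"
  c="$(openssl req -in "$WORKDIR/wildcard.csr" -noout -modulus)"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: gen_wildcard_csr && check_min_bits 2048 && csr_has_wildcard_san \
#        && key_matches_csr && echo "CSR ready: $WORKDIR/wildcard.csr"
```

The CA will only ever see `wildcard.csr`; `wildcard.key` stays on the server and is what a reissue (see the next answer) replaces when it is lost or compromised.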

Solution 2:

Another point to consider is the reissue of certificates.

I didn't really understand what this meant until the heartbleed bug came along. I'd assumed that meant they'd give you a second copy of your original certificate, and I wondered how disorganized one had to be to need that service. But it transpires that it doesn't mean that: at least some vendors will happily stamp a new public key as long as it happens during the duration of validity of the original certificate. I presume they then add your original certificate to some CRL, but that's a good thing.

Reasons you would want to do this are that you've corrupted or lost your original private key, or via some means have lost exclusive control of that key, and of course the discovery of a worldwide bug in OpenSSL that makes it likely that your private key was extracted by a hostile party.

Post-heartbleed, I regard this as a definite good thing, and now keep an eye out for it in future certificate purchases.

Solution 3:

While price is probably a key issue, the other issues are the credibility of the provider, browser acceptance and, depending on your competence level, support for the installation process (a bigger issue than it appears, especially when stuff goes wrong).

It is worth noting that a number of providers are owned by the same top-end players - for example Thawte and GeoTrust and I believe Verisign are all owned by Symantec - Thawte certs are, however, much, much more expensive than GeoTrust for no compelling reason.

On the other extreme, a certificate issued by StartSSL (who I'm not knocking, I think their model is cool) is not as well supported in the browser and does not have the same level of credibility as the big players. If you are wanting to plaster "security placebos" across your site, it's sometimes worth going to a bigger player - although this probably matters a lot less for wildcard certs than it does for EV Certs.

As someone else pointed out, another difference may be the "crock of junk" that is associated with the cert - I know the Thawte EV Certs I was previously instructed to get only allowed for use on a single server, while the GeoTrust certs I later persuaded management to replace them with were not only cheaper but did not have this limitation - an entirely arbitrary limitation imposed by Thawte.

Solution 4:

You must select a Wildcard SSL certificate based on your security needs.

Before purchasing a Wildcard SSL Certificate you must be aware of a few factors mentioned below:

  1. Brand's Reputation & Trust Level: As per a recent survey by W3Techs on SSL certificate authorities, Comodo overtook Symantec and became the most trusted CA with 35.4% market share.

  2. Types/Features of Wildcard SSL: SSL Certificate authorities such as Symantec, GeoTrust and Thawte are offering Wildcard SSL Certificates with business validation. This attracts more visitors and increases the customer's trust factor as well. Whereas other CAs, Comodo and RapidSSL, are offering Wildcard SSL with domain validation only.

Symantec's Wildcard SSL also comes with a daily vulnerability assessment which scans every single sub-domain against malicious threats.

Wildcard with Business validation displays the organization name in the URL field.

  3. SSL Price: As Symantec is offering multiple features along with the wildcard, its price is high compared with Comodo and RapidSSL.

So, if you wish to secure your website and sub-domains with business validation you have to choose either Symantec, GeoTrust or Thawte, and for domain validation you can go with Comodo or RapidSSL. And if you wish to install multi-layer security with daily vulnerability assessment you can go with Symantec's Wildcard Solution.